patch "iio: core: fix double free in iio_device_unregister_sysfs()" added to char-misc-next

<gregkh@xxxxxxxxxxxxxxxxxxx> · Sun, 24 Oct 2021 13:15:10 +0200

This is a note to let you know that I've just added the patch titled

    iio: core: fix double free in iio_device_unregister_sysfs()

to my char-misc git tree which can be found at
    git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git
in the char-misc-next branch.

The patch will show up in the next release of the linux-next tree
(usually sometime within the next 24 hours during the week.)

The patch will also be merged in the next major kernel release
during the merge window.

If you have any questions about this process, please let me know.


>From 19833c40d0415d6fe4340b5b9c46239abbf718f6 Mon Sep 17 00:00:00 2001
From: Yang Yingliang <yangyingliang@xxxxxxxxxx>
Date: Wed, 13 Oct 2021 11:05:32 +0800
Subject: iio: core: fix double free in iio_device_unregister_sysfs()

I got the double free report:

BUG: KASAN: double-free or invalid-free in kfree+0xce/0x390
 iio_device_unregister_sysfs+0x108/0x13b [industrialio]
 iio_dev_release+0x9e/0x10e [industrialio]
 device_release+0xa5/0x240

If __iio_device_register() fails, iio_dev_opaque->groups will be freed
in error path in iio_device_unregister_sysfs(), then iio_dev_release()
will call iio_device_unregister_sysfs() again, it causes double free.
Set iio_dev_opaque->groups to NULL when it's freed to fix this double free.

Not this is a local work around for a more general mess around life time
management that will get cleaned up and should make this handling
unnecesarry.

Fixes: 32f171724e5c ("iio: core: rework iio device group creation")
Reported-by: Hulk Robot <hulkci@xxxxxxxxxx>
Reviewed-by: Alexandru Ardelean <ardeleanalex@xxxxxxxxx>
Signed-off-by: Yang Yingliang <yangyingliang@xxxxxxxxxx>
Link: https://lore.kernel.org/r/20211013030532.956133-1-yangyingliang@xxxxxxxxxx
Cc: <Stable@xxxxxxxxxxxxxxx>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@xxxxxxxxxx>
---
 drivers/iio/industrialio-core.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/iio/industrialio-core.c b/drivers/iio/industrialio-core.c
index 48fda6a79076..3e1e86d987cc 100644
--- a/drivers/iio/industrialio-core.c
+++ b/drivers/iio/industrialio-core.c
@@ -1600,6 +1600,7 @@ static void iio_device_unregister_sysfs(struct iio_dev *indio_dev)
 	kfree(iio_dev_opaque->chan_attr_group.attrs);
 	iio_dev_opaque->chan_attr_group.attrs = NULL;
 	kfree(iio_dev_opaque->groups);
+	iio_dev_opaque->groups = NULL;
 }
 
 static void iio_dev_release(struct device *device)
-- 
2.33.1








