Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp2426218pxb; Sun, 28 Feb 2021 00:31:02 -0800 (PST) X-Google-Smtp-Source: ABdhPJxyQCoK8XWxtjfFuKVP0hSRdNM4yoXSXGzeayx14WmWSx8c/1AuT6pMoS1Ix1n/2OEonnEb X-Received: by 2002:a05:6402:438e:: with SMTP id o14mr11067565edc.215.1614501062598; Sun, 28 Feb 2021 00:31:02 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1614501062; cv=none; d=google.com; s=arc-20160816; b=asSHAT25nxWEwO4HOk+Dp2psaDP6R4n97OWURSYYogVU+EDYkpAQKDYtj0//X3LQyC YLVKp2FK3CgFGMQzEtD0Ih6Iug3QF9OGDr3fOTKSwBydKXNpVQoy7U8awh11vSonyJoW /R1NpdJeGiDx7h/HRw8Crbh+MN2WdTNJYTxMzyAW6g5LXlhrv44vfyQsWAzDS5I9Gs9i IDweEu0ACDE0FVIa216Ta5olMKxAVFXUQvlmxu8SgpZYi4ZMZxskvH5pRG4R9zFk4AWO WqwJqPoeFU2320ytVA7ihEEW7l36h4XPzZCx0DoOIp7nvr0PQxywk3dN1o/NVcHUWF0Z Seqw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-language:content-transfer-encoding :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject:dkim-signature; bh=Rnp46uHNyUiQW6a1gr96QWgGKIhkJAiSdkAgs0KFxVM=; b=YfB6LY73msHJ56vA2LRD7EjtZ9rH0U8nZpvh0FTwRmcb8EzvW/SsuMOQZnxLdDlxaf G35gTAn03ySWApVN4e4WKfIfBJORkD7cen/45baQU/+xEjlOAzIlGoLiGdKQjgs9sxzL Z9mgzMRrmx/YPn3aWHK40YQxO4Wl5NJEo/LYB/jU07U9WLu4MyVsS7qj3VEmZK8CIGFA WXeKomKkgBZWfr06xIlzjo4TebR2qwWWXNGc72HvptB3EniPEkWXhSn9bW4rCq0jfBK+ KIPo3S32ANPWK2/Lx9uTfbuo7lIXW57DC2xrET6Xrj/sGSLYWqDNfeAvgDD/Ir0WKgS2 pYug== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@metafoo.de header.s=default2002 header.b="Yz3sbd/Q"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=metafoo.de Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id bl4si8929345ejb.691.2021.02.28.00.30.32; Sun, 28 Feb 2021 00:31:02 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@metafoo.de header.s=default2002 header.b="Yz3sbd/Q"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=metafoo.de Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230213AbhB1I3p (ORCPT + 99 others); Sun, 28 Feb 2021 03:29:45 -0500 Received: from www381.your-server.de ([78.46.137.84]:47696 "EHLO www381.your-server.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230075AbhB1I3o (ORCPT ); Sun, 28 Feb 2021 03:29:44 -0500 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=metafoo.de; s=default2002; h=Content-Transfer-Encoding:Content-Type:In-Reply-To: MIME-Version:Date:Message-ID:From:References:Cc:To:Subject:Sender:Reply-To: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID; bh=Rnp46uHNyUiQW6a1gr96QWgGKIhkJAiSdkAgs0KFxVM=; b=Yz3sbd/QdPS03ozZx84rCHHZ50 RmTV9+tM3+iuyL7Thop9Vi+2W5+qhRV49pF4Iv5/0m0I04uR5gc0szyoyAFJrkOtJyUgQ5hR9gT1k 6GFcy66hH1ZBa11J37zejAuLKxTwjouktOhFU2tvDkIchGvNM0VsKN31osByqIfFD1vho3owMCwoT Q5oSq/eyBglVUo3nneVagwK4jnsxAEd85BwbK8YzgbCWq8GQPV1YCg2dMln8n23gNU060DqOdSm5i 9LdUeWaoH6p7kXg9FfuVApkQ0ED+yW01eePUy6EkFQ1E9TVE3Ku3jIME++kX8DrU3bxIWvt3STR8w oY5gCthQ==; Received: from sslproxy03.your-server.de ([88.198.220.132]) by www381.your-server.de with esmtpsa (TLSv1.3:TLS_AES_256_GCM_SHA384:256) (Exim 4.92.3) (envelope-from ) id 1lGHRl-0006TN-Dz; Sun, 28 Feb 2021 09:29:01 +0100 Received: from [62.216.202.180] (helo=[192.168.178.20]) by sslproxy03.your-server.de with esmtpsa (TLSv1.3:TLS_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1lGHRl-0001wV-8t; Sun, 28 Feb 2021 09:29:01 +0100 Subject: Re: [PATCH v6 19/24] iio: buffer: introduce support for attaching more IIO buffers To: Alexandru Ardelean , linux-kernel@vger.kernel.org, linux-iio@vger.kernel.org Cc: Michael.Hennerich@analog.com, jic23@kernel.org, nuno.sa@analog.com, dragos.bogdan@analog.com References: <20210215104043.91251-1-alexandru.ardelean@analog.com> <20210215104043.91251-20-alexandru.ardelean@analog.com> From: Lars-Peter Clausen Message-ID: Date: Sun, 28 Feb 2021 09:29:01 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.7.0 MIME-Version: 1.0 In-Reply-To: <20210215104043.91251-20-alexandru.ardelean@analog.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Content-Language: en-US X-Authenticated-Sender: lars@metafoo.de X-Virus-Scanned: Clear (ClamAV 0.102.4/26093/Sat Feb 27 13:05:31 2021) Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2/15/21 11:40 AM, Alexandru Ardelean wrote: > static ssize_t iio_show_scan_index(struct device *dev, > struct device_attribute *attr, > char *buf) > @@ -1451,11 +1465,13 @@ static void __iio_buffer_free_sysfs_and_mask(struct iio_buffer *buffer) > iio_free_chan_devattr_list(&buffer->buffer_attr_list); > } > > -int iio_buffer_alloc_sysfs_and_mask(struct iio_dev *indio_dev) > +int iio_buffers_alloc_sysfs_and_mask(struct iio_dev *indio_dev) > { > [...] > +error_unwind_sysfs_and_mask: > + for (; unwind_idx >= 0; unwind_idx--) { > + buffer = iio_dev_opaque->attached_buffers[unwind_idx]; > + __iio_buffer_free_sysfs_and_mask(buffer); > + } > + kfree(iio_dev_opaque->attached_buffers); > + return ret; > } > > -void iio_buffer_free_sysfs_and_mask(struct iio_dev *indio_dev) > +void iio_buffers_free_sysfs_and_mask(struct iio_dev *indio_dev) > { > [...] > + for (i = iio_dev_opaque->attached_buffers_cnt - 1; i >= 0; i--) { > + buffer = iio_dev_opaque->attached_buffers[i]; > + __iio_buffer_free_sysfs_and_mask(buffer); > + } > + > + kfree(iio_dev_opaque->attached_buffers); > } > [...] > diff --git a/drivers/iio/industrialio-core.c b/drivers/iio/industrialio-core.c > index 1d500ea246af..f7f785431106 100644 > --- a/drivers/iio/industrialio-core.c > +++ b/drivers/iio/industrialio-core.c > @@ -1583,7 +1583,7 @@ static void iio_dev_release(struct device *device) > iio_device_unregister_eventset(indio_dev); > iio_device_unregister_sysfs(indio_dev); > > - iio_buffer_put(indio_dev->buffer); > + iio_buffers_put(indio_dev); We do call kfree(iio_dev_opaque->attached_buffers) before we get here. I think we need to keep the array around, otherwise we end of up with a use after free.