Subject: Re: [PATCH] iio: buffer: fix use-after-free for attached_buffers array
From: Lars-Peter Clausen
To: Jonathan Cameron, Alexandru Ardelean
Cc: linux-iio@vger.kernel.org, linux-kernel@vger.kernel.org
Date: Sun, 7 Mar 2021 13:54:28 +0100

On 3/7/21 1:36 PM, Jonathan Cameron wrote:
> On Sat, 6 Mar 2021 18:47:10 +0200
> Alexandru Ardelean wrote:
>
>> Thanks to Lars for finding this.
>> The free of the 'attached_buffers' array should be done as late as
>> possible. This change moves it to iio_buffers_put(), which looks like
>> the best place for it, since it takes place right before the IIO device
>> data is free'd.
> It feels a bit wrong to do direct freeing of stuff in a _put() call
> given that kind of implies nothing will happen without some reference
> count dropping to 0. We could think about renaming the function to
> something like
>
> iio_buffers_put_and_free_array() but is a bit long winded.
>
> Otherwise, I'm fine with this but want to let it sit on list a tiny bit
> longer before I take it as it's not totally trivial unlike the previous
> one.

Maybe to go with naming schema of iio_device_attach_buffer() call this function iio_device_detach_buffers(). We grab the reference in attach, and drop it in detach.

- Lars