Received: by 2002:a05:6a10:5bc5:0:0:0:0 with SMTP id os5csp2239272pxb;
        Tue, 12 Oct 2021 02:20:10 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJw4w/vSMf0OBmRHaJFFG4YHfgCN2ThsDsMDY81mO8fFp54zuur60J0AeFZYJsN7nQdyxJGR
X-Received: by 2002:a17:906:2606:: with SMTP id h6mr3258751ejc.301.1634030410545;
        Tue, 12 Oct 2021 02:20:10 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1634030410; cv=none;
        d=google.com; s=arc-20160816;
        b=MoYV5WlfYUhpluw97X6zidfyC0A2kMQ6md+JQolyc4G3tlTTFRMLQGF79+J0/iGr1/
         WJ4YvrCEfFJIoYrbhXsSXBAarSLWJAHZxhz92LwWXHUwnVgwPzTEfivq7JQKTDmtwZZx
         FpLwtaUWMIfPMV98q+X3crCH+XR5RDqZtpempt4TswncIEG9OQVPUgJMMcfEn//bgHaC
         z4xv52xnshIOrAn6/OT3j4Fnu7/LZRUhONC1J2LjfGKT0RIutJbvhFLNU1YYcIS22SaB
         xqAlFn+4HkuT38qkkGyX3ev75hV2fXPGt21k6US69NIBfxGnyKuukLQw6PFHkosHov1g
         m+Yg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :message-id:date:subject:cc:to:from;
        bh=STTk9/Q7o8tePikcfOt5S4e0nS6/5wtArXue+qTzwVs=;
        b=afmEYlDd6sgf+vtOfaIFEQH516SZ6rowPJdoA4eHpAwOr0IrsyAMZKzx7ztVBGWQrA
         uM385z2zGLSGVBb5vtPppNIv/KH1+5LDj0FOc/c7KXPipuUJUcddxCkp93HNTOwuEnRc
         h6Qcq6eySHybeSqE9kEMweyn+Zkr+Bt3E0DyIIC9w13xQBECkBEVmXZExF0j+Vkne4Hy
         1YoGlP75RndoMJPUwgdvAqxnGOpLuxZCxKhq+znR+3VbKrOfpQEE9q2WBNoCk3jtBJfR
         KXFM1kMTmB2n/FvKY8uZ8xkVPljeFJHNRnV6Lu5/A2Vk7HDLqf4o+uzRI65ck8sA+HG1
         jldQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=huawei.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id i20si14174171edb.53.2021.10.12.02.19.46;
        Tue, 12 Oct 2021 02:20:10 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=huawei.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S235433AbhJLJTv (ORCPT <rfc822;lpalcu@gmail.com> + 99 others);
        Tue, 12 Oct 2021 05:19:51 -0400
Received: from szxga02-in.huawei.com ([45.249.212.188]:14334 "EHLO
        szxga02-in.huawei.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S232502AbhJLJTu (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 12 Oct 2021 05:19:50 -0400
Received: from dggemv703-chm.china.huawei.com (unknown [172.30.72.53])
        by szxga02-in.huawei.com (SkyGuard) with ESMTP id 4HT91Q0RNmz908x;
        Tue, 12 Oct 2021 17:12:58 +0800 (CST)
Received: from dggpeml500017.china.huawei.com (7.185.36.243) by
 dggemv703-chm.china.huawei.com (10.3.19.46) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
 15.1.2308.8; Tue, 12 Oct 2021 17:17:46 +0800
Received: from huawei.com (10.175.103.91) by dggpeml500017.china.huawei.com
 (7.185.36.243) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.8; Tue, 12 Oct
 2021 17:17:46 +0800
From:   Yang Yingliang <yangyingliang@huawei.com>
To:     <linux-kernel@vger.kernel.org>, <linux-iio@vger.kernel.org>
CC:     <lars@metafoo.de>, <jic23@kernel.org>, <andy.shevchenko@gmail.com>
Subject: [PATCH] iio: buffer: Fix double-free in iio_buffers_alloc_sysfs_and_mask()
Date:   Tue, 12 Oct 2021 17:25:13 +0800
Message-ID: <20211012092513.1349295-1-yangyingliang@huawei.com>
X-Mailer: git-send-email 2.25.1
MIME-Version: 1.0
Content-Transfer-Encoding: 7BIT
Content-Type:   text/plain; charset=US-ASCII
X-Originating-IP: [10.175.103.91]
X-ClientProxiedBy: dggems701-chm.china.huawei.com (10.3.19.178) To
 dggpeml500017.china.huawei.com (7.185.36.243)
X-CFilter-Loop: Reflected
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

When __iio_buffer_alloc_sysfs_and_mask() failed, 'unwind_idx' should be
set to 'i - 1' to prevent double-free when cleanup resources.

BUG: KASAN: double-free or invalid-free in __iio_buffer_free_sysfs_and_mask+0x32/0xb0 [industrialio]
Call Trace:
 kfree+0x117/0x4c0
 __iio_buffer_free_sysfs_and_mask+0x32/0xb0 [industrialio]
 iio_buffers_alloc_sysfs_and_mask+0x60d/0x1570 [industrialio]
 __iio_device_register+0x483/0x1a30 [industrialio]
 ina2xx_probe+0x625/0x980 [ina2xx_adc]

Reported-by: Hulk Robot <hulkci@huawei.com>
Fixes: ee708e6baacd ("iio: buffer: introduce support for attaching more IIO buffers")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
---
 drivers/iio/industrialio-buffer.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/iio/industrialio-buffer.c b/drivers/iio/industrialio-buffer.c
index a95cc2da56be..5f4bd0b73d03 100644
--- a/drivers/iio/industrialio-buffer.c
+++ b/drivers/iio/industrialio-buffer.c
@@ -1616,7 +1616,7 @@ int iio_buffers_alloc_sysfs_and_mask(struct iio_dev *indio_dev)
 		buffer = iio_dev_opaque->attached_buffers[i];
 		ret = __iio_buffer_alloc_sysfs_and_mask(buffer, indio_dev, i);
 		if (ret) {
-			unwind_idx = i;
+			unwind_idx = i - 1;
 			goto error_unwind_sysfs_and_mask;
 		}
 	}
-- 
2.25.1