On Thu, Nov 06, 2025 at 04:29:23PM +0800, Ma Ke wrote:
viio_trigger_alloc() initializes the device with device_initialize() but uses kfree() directly in error paths, which bypasses the device's release callback iio_trig_release(). This could lead to memory leaks and inconsistent device state.
Additionally, the current error handling has the following issues:
- Potential double-free of IRQ descriptors when kvasprintf fails.
kvasprintf()
- The release function may attempt to free negative subirq_base.
- Missing mutex_destroy in release function.
mutex_destroy()
Fix these issues by:
1. Replacing kfree(trig) with put_device(&trig->dev) in error paths.
2. Setting subirq_base to 0 after freeing IRQ descriptors in error path to prevent double-free in release callback.
3. Modifying release function to properly handle negative subirq_base.
4. Adding missing mutex_destroy().
Found by code review.
This is better now, but given the nature of the issue and the fix, I would really appreciate some CIs and syzkaller (or similar) fuzzers to go with this first.
...
free_descs: irq_free_descs(trig->subirq_base, CONFIG_IIO_CONSUMERS_PER_TRIGGER);
- trig->subirq_base = 0;
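Review bot: once the error path ends in put_device() rather than kfree(), iio_trig_release() already frees the descriptors, so the explicit irq_free_descs() under free_descs: followed by resetting subirq_base to 0 duplicates work the release callback does; if the label is kept, the sentinel written here (0) has to be exactly what the reworked release test treats as "nothing to free", and since the commit message also says the release function is changed to handle a negative subirq_base, a `> 0` check in the release covers both the 0 sentinel and the failed-allocation case, whereas a `!= 0` check would not.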
Why not getting rid of this label and accompanied code altogether?
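To make the three error-path variants under discussion concrete, here is an added userspace model; it is not kernel code and not the patch. Every name ending in `_model`, the fake descriptor pool, and the `release_checks_positive` switch are stand-ins written for this example, assumed only so that the refcount, release-callback and sentinel behaviour can be exercised outside the kernel.

```c
#include <stdlib.h>
#include <string.h>
/* Userspace model of the refcounted-device / release-callback pattern.
 * Every *_model name is a stand-in invented for this example, not a kernel
 * API; the tiny pool below replaces the real IRQ descriptor allocator. */
#define CONSUMERS_PER_TRIGGER 2
#define NR_DESCS 8
static int desc_in_use[NR_DESCS];
static int bad_free_count;              /* frees of descriptors not allocated */
static int release_calls;
static int release_checks_positive = 1; /* 1: "> 0" (patch), 0: "!= 0" (old) */

static int irq_alloc_descs_model(void)  /* always hands out base 1 */
{
    for (int i = 0; i < CONSUMERS_PER_TRIGGER; i++)
        desc_in_use[1 + i] = 1;
    return 1;
}

static void irq_free_descs_model(int base, int cnt)
{
    for (int i = base; i < base + cnt; i++) {
        if (i < 0 || i >= NR_DESCS || !desc_in_use[i])
            bad_free_count++;           /* double free or negative base */
        else
            desc_in_use[i] = 0;
    }
}

struct device_model { int refcount; void (*release)(struct device_model *); };
struct trig_model {
    struct device_model dev;            /* first member: cast acts as container_of() */
    int subirq_base;
    char *name;
};

static void put_device_model(struct device_model *dev)
{
    if (--dev->refcount == 0)
        dev->release(dev);
}

static void iio_trig_release_model(struct device_model *dev)
{
    struct trig_model *trig = (struct trig_model *)dev;
    int owns_descs = release_checks_positive ? trig->subirq_base > 0
                                             : trig->subirq_base != 0;
    release_calls++;
    if (owns_descs)
        irq_free_descs_model(trig->subirq_base, CONSUMERS_PER_TRIGGER);
    free(trig->name);
    free(trig);
}

static struct trig_model *new_trig(void)  /* kzalloc() + device_initialize() */
{
    struct trig_model *trig = calloc(1, sizeof *trig);
    memset(desc_in_use, 0, sizeof desc_in_use);
    bad_free_count = release_calls = 0;
    trig->dev.refcount = 1;
    trig->dev.release = iio_trig_release_model;
    return trig;
}

enum error_style {
    STYLE_KFREE,              /* original: free descs, then kfree(trig) */
    STYLE_PUT_DEVICE_NO_ZERO, /* free descs, put_device(), base left set */
    STYLE_PUT_DEVICE_ZERO,    /* the patch: free descs, base = 0, put_device() */
    STYLE_PUT_DEVICE_ONLY     /* reviewer's question: put_device() alone */
};
struct outcome { int release_called; int bad_frees; int descs_left; };

/* kvasprintf() fails after the descriptors were obtained. */
static struct outcome name_alloc_fails(enum error_style style)
{
    struct trig_model *trig = new_trig();
    trig->subirq_base = irq_alloc_descs_model();
    trig->name = NULL;
    if (style != STYLE_PUT_DEVICE_ONLY)
        irq_free_descs_model(trig->subirq_base, CONSUMERS_PER_TRIGGER);
    if (style == STYLE_PUT_DEVICE_ZERO)
        trig->subirq_base = 0;
    if (style == STYLE_KFREE)
        free(trig);                     /* bypasses the release callback */
    else
        put_device_model(&trig->dev);   /* runs the release callback */
    struct outcome out = { release_calls, bad_free_count, 0 };
    for (int i = 0; i < NR_DESCS; i++)
        out.descs_left += desc_in_use[i];
    return out;
}

/* irq_alloc_descs() itself fails, leaving a negative subirq_base. */
static int desc_alloc_fails_bad_frees(int positive_check)
{
    struct trig_model *trig = new_trig();
    release_checks_positive = positive_check;
    trig->subirq_base = -1;
    put_device_model(&trig->dev);
    release_checks_positive = 1;
    return bad_free_count;
}
```

Running `name_alloc_fails()` with each style shows the sequence the thread describes: `STYLE_KFREE` never invokes the release callback, `STYLE_PUT_DEVICE_NO_ZERO` frees the two descriptors twice, and both `STYLE_PUT_DEVICE_ZERO` and `STYLE_PUT_DEVICE_ONLY` free them exactly once, which is why the explicit free plus sentinel and the release-only path are interchangeable here. `desc_alloc_fails_bad_frees()` shows that a `!= 0` test in the release treats a negative base as owned descriptors while a `> 0` test does not.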