From patchwork Mon Jul 11 12:38:21 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Nuno Sa X-Patchwork-Id: 12913925 Received: from mx0a-00128a01.pphosted.com (mx0a-00128a01.pphosted.com [148.163.135.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C6BA64411 for ; Mon, 11 Jul 2022 15:30:53 +0000 (UTC) Received: from pps.filterd (m0167088.ppops.net [127.0.0.1]) by mx0a-00128a01.pphosted.com (8.17.1.5/8.17.1.5) with ESMTP id 26BCGvj9011956; Mon, 11 Jul 2022 08:38:22 -0400 Received: from nwd2mta4.analog.com ([137.71.173.58]) by mx0a-00128a01.pphosted.com (PPS) with ESMTPS id 3h73h6caet-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 11 Jul 2022 08:38:22 -0400 Received: from ASHBMBX9.ad.analog.com (ASHBMBX9.ad.analog.com [10.64.17.10]) by nwd2mta4.analog.com (8.14.7/8.14.7) with ESMTP id 26BCcL5M000402 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Mon, 11 Jul 2022 08:38:21 -0400 Received: from ASHBCASHYB5.ad.analog.com (10.64.17.133) by ASHBMBX9.ad.analog.com (10.64.17.10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.986.14; Mon, 11 Jul 2022 08:38:20 -0400 Received: from ASHBMBX8.ad.analog.com (10.64.17.5) by ASHBCASHYB5.ad.analog.com (10.64.17.133) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.986.14; Mon, 11 Jul 2022 08:38:20 -0400 Received: from zeus.spd.analog.com (10.66.68.11) by ashbmbx8.ad.analog.com (10.64.17.5) with Microsoft SMTP Server id 15.2.986.14 via Frontend Transport; Mon, 11 Jul 2022 08:38:20 -0400 Received: from nsa.ad.analog.com ([10.44.3.53]) by zeus.spd.analog.com (8.15.1/8.15.1) with ESMTP id 26BCbVE6011687; Mon, 11 Jul 2022 08:38:10 -0400 From: =?utf-8?q?Nuno_S=C3=A1?= To: , , , , , , Lad Prabhakar , , , , CC: Andy Gross , Nicolas Ferre , Benson Leung , "Matthias Brugger" , Tomer Maimon , "Zhang Rui" , "Rafael J. Wysocki" , "Eugen Hristev" , Sascha Hauer , Alexandre Belloni , Benjamin Fair , Nancy Yuen , Fabrice Gasnier , Jishnu Prakash , Christophe Branchereau , Avi Fishman , Tali Perry , "Michael Hennerich" , Miquel Raynal , Claudiu Beznea , Lars-Peter Clausen , Thara Gopinath , Cai Huoqing , "Fabio Estevam" , Olivier Moysan , Shawn Guo , Haibo Chen , "Arnd Bergmann" , Daniel Lezcano , "Patrick Venture" , Amit Kucheria , "Maxime Coquelin" , Lorenzo Bianconi , Paul Cercueil , Andy Shevchenko , Alexandre Torgue , Gwendal Grignou , Bjorn Andersson , Saravanan Sekar , "Guenter Roeck" , Jonathan Cameron , "Pengutronix Kernel Team" , Linus Walleij Subject: [PATCH v2 01/15] iio: inkern: only release the device node when done with it Date: Mon, 11 Jul 2022 14:38:21 +0200 Message-ID: <20220711123835.811358-2-nuno.sa@analog.com> X-Mailer: git-send-email 2.37.0 In-Reply-To: <20220711123835.811358-1-nuno.sa@analog.com> References: <20220711123835.811358-1-nuno.sa@analog.com> Precedence: bulk X-Mailing-List: chrome-platform@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-ADIRuleOP-NewSCL: Rule Triggered X-Proofpoint-GUID: ci3qmm03iYTNTvcGF918_TuIr9qgcoR0 X-Proofpoint-ORIG-GUID: ci3qmm03iYTNTvcGF918_TuIr9qgcoR0 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.883,Hydra:6.0.517,FMLib:17.11.122.1 definitions=2022-07-11_18,2022-07-08_01,2022-06-22_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 malwarescore=0 bulkscore=0 mlxlogscore=989 lowpriorityscore=0 phishscore=0 mlxscore=0 suspectscore=0 impostorscore=0 adultscore=0 priorityscore=1501 clxscore=1015 spamscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2206140000 definitions=main-2207110054 'of_node_put()' can potentially release the memory pointed to by 'iiospec.np' which would leave us with an invalid pointer (and we would still pass it in 'of_xlate()'). Note that it is not guaranteed for the of_node lifespan to be attached to the device (to which is attached) lifespan so that there is (even though very unlikely) the possibility for the node to freed while the device is still around. Thus, as there are indeed some of_xlate users which do access the node, a possible race is indeed possible. As such, we can only release the node after we are done with it. Fixes: 17d82b47a215d ("iio: Add OF support") Signed-off-by: Nuno Sá --- drivers/iio/inkern.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/iio/inkern.c b/drivers/iio/inkern.c index df74765d33dc..9d87057794fc 100644 --- a/drivers/iio/inkern.c +++ b/drivers/iio/inkern.c @@ -165,9 +165,10 @@ static int __of_iio_channel_get(struct iio_channel *channel, idev = bus_find_device(&iio_bus_type, NULL, iiospec.np, iio_dev_node_match); - of_node_put(iiospec.np); - if (idev == NULL) + if (idev == NULL) { + of_node_put(iiospec.np); return -EPROBE_DEFER; + } indio_dev = dev_to_iio_dev(idev); channel->indio_dev = indio_dev; @@ -175,6 +176,7 @@ static int __of_iio_channel_get(struct iio_channel *channel, index = indio_dev->info->of_xlate(indio_dev, &iiospec); else index = __of_iio_simple_xlate(indio_dev, &iiospec); + of_node_put(iiospec.np); if (index < 0) goto err_put; channel->channel = &indio_dev->channels[index];