From patchwork Fri Jul 15 12:28:49 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Nuno Sa X-Patchwork-Id: 12919161 Received: from mx0a-00128a01.pphosted.com (mx0a-00128a01.pphosted.com [148.163.135.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id DBB732F34 for ; Fri, 15 Jul 2022 12:29:25 +0000 (UTC) Received: from pps.filterd (m0167089.ppops.net [127.0.0.1]) by mx0a-00128a01.pphosted.com (8.17.1.5/8.17.1.5) with ESMTP id 26FA9g56026919; Fri, 15 Jul 2022 08:28:49 -0400 Received: from nwd2mta3.analog.com ([137.71.173.56]) by mx0a-00128a01.pphosted.com (PPS) with ESMTPS id 3h9r37te2r-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 15 Jul 2022 08:28:49 -0400 Received: from ASHBMBX9.ad.analog.com (ASHBMBX9.ad.analog.com [10.64.17.10]) by nwd2mta3.analog.com (8.14.7/8.14.7) with ESMTP id 26FCSmSJ061293 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Fri, 15 Jul 2022 08:28:48 -0400 Received: from ASHBMBX9.ad.analog.com (10.64.17.10) by ASHBMBX9.ad.analog.com (10.64.17.10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.986.14; Fri, 15 Jul 2022 08:28:47 -0400 Received: from zeus.spd.analog.com (10.66.68.11) by ashbmbx9.ad.analog.com (10.64.17.10) with Microsoft SMTP Server id 15.2.986.14 via Frontend Transport; Fri, 15 Jul 2022 08:28:47 -0400 Received: from nsa.ad.analog.com ([10.44.3.55]) by zeus.spd.analog.com (8.15.1/8.15.1) with ESMTP id 26FCRxNv001007; Fri, 15 Jul 2022 08:28:37 -0400 From: =?utf-8?q?Nuno_S=C3=A1?= To: , , , , , , , , , Lad Prabhakar , CC: Gwendal Grignou , Jonathan Cameron , Saravanan Sekar , Tomer Maimon , Maxime Coquelin , Alexandre Torgue , Lorenzo Bianconi , Fabio Estevam , Shawn Guo , Olivier Moysan , Tali Perry , Thara Gopinath , Bjorn Andersson , Arnd Bergmann , Benjamin Fair , Nicolas Ferre , "Rafael J. Wysocki" , Patrick Venture , Pengutronix Kernel Team , Fabrice Gasnier , Daniel Lezcano , Benson Leung , Nancy Yuen , Miquel Raynal , Alexandre Belloni , Zhang Rui , Linus Walleij , Christophe Branchereau , Cai Huoqing , Avi Fishman , Eugen Hristev , Matthias Brugger , Sascha Hauer , Lars-Peter Clausen , Andy Shevchenko , Guenter Roeck , Paul Cercueil , Claudiu Beznea , Andy Gross , Amit Kucheria , Michael Hennerich , Haibo Chen , Jishnu Prakash Subject: [PATCH v3 01/15] iio: inkern: only release the device node when done with it Date: Fri, 15 Jul 2022 14:28:49 +0200 Message-ID: <20220715122903.332535-2-nuno.sa@analog.com> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220715122903.332535-1-nuno.sa@analog.com> References: <20220715122903.332535-1-nuno.sa@analog.com> Precedence: bulk X-Mailing-List: chrome-platform@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-ADIRuleOP-NewSCL: Rule Triggered X-Proofpoint-GUID: OTQyimJKPNYz-qHOt6Uv29WNEi0X52Ee X-Proofpoint-ORIG-GUID: OTQyimJKPNYz-qHOt6Uv29WNEi0X52Ee X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.883,Hydra:6.0.517,FMLib:17.11.122.1 definitions=2022-07-15_04,2022-07-15_01,2022-06-22_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 lowpriorityscore=0 malwarescore=0 bulkscore=0 clxscore=1015 priorityscore=1501 phishscore=0 spamscore=0 mlxlogscore=945 mlxscore=0 adultscore=0 suspectscore=0 impostorscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2206140000 definitions=main-2207150054 'of_node_put()' can potentially release the memory pointed to by 'iiospec.np' which would leave us with an invalid pointer (and we would still pass it in 'of_xlate()'). Note that it is not guaranteed for the of_node lifespan to be attached to the device (to which is attached) lifespan so that there is (even though very unlikely) the possibility for the node to be freed while the device is still around. Thus, as there are indeed some of_xlate users which do access the node, a race is indeed possible. As such, we can only release the node after we are done with it. Fixes: 17d82b47a215d ("iio: Add OF support") Signed-off-by: Nuno Sá --- drivers/iio/inkern.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/iio/inkern.c b/drivers/iio/inkern.c index df74765d33dc..9d87057794fc 100644 --- a/drivers/iio/inkern.c +++ b/drivers/iio/inkern.c @@ -165,9 +165,10 @@ static int __of_iio_channel_get(struct iio_channel *channel, idev = bus_find_device(&iio_bus_type, NULL, iiospec.np, iio_dev_node_match); - of_node_put(iiospec.np); - if (idev == NULL) + if (idev == NULL) { + of_node_put(iiospec.np); return -EPROBE_DEFER; + } indio_dev = dev_to_iio_dev(idev); channel->indio_dev = indio_dev; @@ -175,6 +176,7 @@ static int __of_iio_channel_get(struct iio_channel *channel, index = indio_dev->info->of_xlate(indio_dev, &iiospec); else index = __of_iio_simple_xlate(indio_dev, &iiospec); + of_node_put(iiospec.np); if (index < 0) goto err_put; channel->channel = &indio_dev->channels[index];