| Message ID | 20241212021110.3428320-1-joe@pf.is.s.u-tokyo.ac.jp |
|---|---|
| State | New |
| Headers | show |
| Series | phy: core: fix an OF node reference leak in _of_phy_get() | expand |
On 2024/12/12 10:11, Joe Hattori wrote: > _of_phy_get() does not decrement the refcount of the obtained OF node in > the error path. Add a of_node_put() call before returning. > > This bug was found by an experimental static analysis tool that I am > developing. > Good tool. this fix is same as my v1 fix below: https://lore.kernel.org/all/20241020-phy_core_fix-v1-4-078062f7da71@quicinc.com/ My latest v5 patch series is here, and it has another OF leakage fix. https://lore.kernel.org/all/20241106-phy_core_fix-v5-0-9771652eb88c@quicinc.com/ (^^). > Fixes: b7563e2796f8 ("phy: work around 'phys' references to usb-nop-xceiv devices") > Signed-off-by: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp> > --- > drivers/phy/phy-core.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/drivers/phy/phy-core.c b/drivers/phy/phy-core.c > index f053b525ccff..bca303d51fd2 100644 > --- a/drivers/phy/phy-core.c > +++ b/drivers/phy/phy-core.c > @@ -629,8 +629,10 @@ static struct phy *_of_phy_get(struct device_node *np, int index) > return ERR_PTR(-ENODEV); > > /* This phy type handled by the usb-phy subsystem for now */ > - if (of_device_is_compatible(args.np, "usb-nop-xceiv")) > + if (of_device_is_compatible(args.np, "usb-nop-xceiv")) { > + of_node_put(args.np); > return ERR_PTR(-ENODEV); > + } > > mutex_lock(&phy_provider_mutex); > phy_provider = of_phy_provider_lookup(args.np);
diff --git a/drivers/phy/phy-core.c b/drivers/phy/phy-core.c index f053b525ccff..bca303d51fd2 100644 --- a/drivers/phy/phy-core.c +++ b/drivers/phy/phy-core.c @@ -629,8 +629,10 @@ static struct phy *_of_phy_get(struct device_node *np, int index) return ERR_PTR(-ENODEV); /* This phy type handled by the usb-phy subsystem for now */ - if (of_device_is_compatible(args.np, "usb-nop-xceiv")) + if (of_device_is_compatible(args.np, "usb-nop-xceiv")) { + of_node_put(args.np); return ERR_PTR(-ENODEV); + } mutex_lock(&phy_provider_mutex); phy_provider = of_phy_provider_lookup(args.np);
_of_phy_get() does not decrement the refcount of the obtained OF node in the error path. Add a of_node_put() call before returning. This bug was found by an experimental static analysis tool that I am developing. Fixes: b7563e2796f8 ("phy: work around 'phys' references to usb-nop-xceiv devices") Signed-off-by: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp> --- drivers/phy/phy-core.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)