Received: by 2002:a05:6a10:f3d0:0:0:0:0 with SMTP id a16csp3314198pxv; Mon, 12 Jul 2021 14:32:58 -0700 (PDT) X-Google-Smtp-Source: ABdhPJz9TyhLWynVk1dpKteV3rnikOEExKeKGU4h5ReQf8uJwNa2dkyjtNj/b0UFM0Nndp7NSYi2 X-Received: by 2002:a05:6638:35a8:: with SMTP id v40mr926875jal.126.1626125578062; Mon, 12 Jul 2021 14:32:58 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1626125578; cv=none; d=google.com; s=arc-20160816; b=ZfNwbtVPDVOX5FIxJLAGNFhHw3wHGu1omGKVELepAx+zC5E+x3OFtP99FKJfcR9feu p/zZJRdsAPI5UwNcruf6KWaQDVVLUyDulXcuyN8z4shGo25PwrnDt7Z4IiaZhlmYznf0 8zSRLCSpcFmUR3K/voh2G4hFSJnWNGmDso18EgHqtz6soN6i0roP+FfQWwshnnR3DHu6 1WAqNTJikJSxSLT0ryKJAvEbjPvnOeRgnEvybkiOTHb0/rMvAqSJxP51qmA3YfLymvyl sLSYooDEH1lm3qYpy/dhtAQEXWoUGEXvW8QJ4Yp1ZFLmtMBCyO09GiJZD3dx2sjb6xki 2xnw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject; bh=0G/GyG/568sSN57kJberZxTcTadsT0pLAQXJhMAdvmI=; b=wBjcTfpsI2idLHEr3LMGzwFxir+nil2UqxiAciaNfCgqM1N5S9ovIlEgXrWTby75TZ WSyyrIO89/WleuqEMn/NInqGo+tcixpF6HIQdpc+78CysK976ccmzdtse0Dbj9EgXR2W +TwPHRrwZoIEZmIJl0lAI3C5zAtxK8IDjjEIlcgqix4DldKFMVMqeDtieR8W63qIbqux S4OaZnFOUlglLWnGaFyPoaNqDXD1EAAMJXUDtTJgqE0+R6z4ch2cZDmjttDBsF0yDwou WOZQb4HZH7bQDRMq0tIN2cTGsxdq01irgWdmHyejk5YrWPwNOkzPKOXYCebwTdyMg4JZ IAGg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id k9si19418620jav.118.2021.07.12.14.32.45; Mon, 12 Jul 2021 14:32:58 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233376AbhGLVew (ORCPT + 99 others); Mon, 12 Jul 2021 17:34:52 -0400 Received: from foss.arm.com ([217.140.110.172]:33138 "EHLO foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231878AbhGLVew (ORCPT ); Mon, 12 Jul 2021 17:34:52 -0400 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 31BD26D; Mon, 12 Jul 2021 14:32:03 -0700 (PDT) Received: from [192.168.1.179] (unknown [172.31.20.19]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id BFFCA3F694; Mon, 12 Jul 2021 14:32:01 -0700 (PDT) Subject: Re: [PATCH] drm/of: free the iterator object on failure To: Laurent Pinchart Cc: Daniel Vetter , David Airlie , Maarten Lankhorst , Maxime Ripard , Thomas Zimmermann , dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, Biju Das References: <20210712155758.48286-1-steven.price@arm.com> From: Steven Price Message-ID: Date: Mon, 12 Jul 2021 22:31:52 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.11.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-GB Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 12/07/2021 17:50, Laurent Pinchart wrote: > Hi Steven, > > Thank you for the patch. > > On Mon, Jul 12, 2021 at 04:57:58PM +0100, Steven Price wrote: >> When bailing out due to the sanity check the iterator value needs to be >> freed because the early return prevents for_each_child_of_node() from >> doing the dereference itself. >> >> Fixes: 4ee48cc5586b ("drm: of: Fix double-free bug") > > I don't think the Fixes tag is correct, the issue was already present > before 4ee48cc5586b. The fix looks right though. I'm not sure quite what you mean by "already present". As I understand it the timeline was: 1. 6529007522de drm: of: Add drm_of_lvds_get_dual_link_pixel_order The function was originally added. This made the mistake twice of calling of_node_put() on the wrong variable (remote_port rather than endpoint). 2. 4ee48cc5586b drm: of: Fix double-free bug One of the of_node_put() calls was removed as it was a double-free. This left the first incorrect of_node_put() in place, and the second is now a straight leak. 3. b557a5f8da57 drm/of: free the right object This (correctly) fixes the first of_node_put() to free endpoint. And the post from Daniel was what caused me to look. 4. This patch Reintroduces the of_node_put() removed in (2) but putting endpoint rather than remote_port. I've put (2) in the Fixes line as this patch is fixing the leak introduced by that patch, but that in itself was of course 'fixing' the double free of the original patch. Steve >> Signed-off-by: Steven Price >> --- >> drivers/gpu/drm/drm_of.c | 4 +++- >> 1 file changed, 3 insertions(+), 1 deletion(-) >> >> Daniel's email[1] made me take a look at this function and it appears >> that for_each_child_of_node()'s interface had caused a bad bug fix due >> to the hidden reference counting in the iterator. >> >> [1] https://lore.kernel.org/r/YOxQ5TbkNrqCGBDJ%40phenom.ffwll.local >> >> diff --git a/drivers/gpu/drm/drm_of.c b/drivers/gpu/drm/drm_of.c >> index 197c57477344..997b8827fed2 100644 >> --- a/drivers/gpu/drm/drm_of.c >> +++ b/drivers/gpu/drm/drm_of.c >> @@ -331,8 +331,10 @@ static int drm_of_lvds_get_remote_pixels_type( >> * configurations by passing the endpoints explicitly to >> * drm_of_lvds_get_dual_link_pixel_order(). >> */ >> - if (!current_pt || pixels_type != current_pt) >> + if (!current_pt || pixels_type != current_pt) { >> + of_node_put(endpoint); >> return -EINVAL; >> + } >> } >> >> return pixels_type; >