Received: by 2002:a05:6a10:1d13:0:0:0:0 with SMTP id pp19csp144186pxb; Wed, 18 Aug 2021 18:22:56 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyWMNt9KtC2NN6RRxSQW9trRg3tunQUF+LZqA6vUX2e8Wulhy+iFHCEGoiiTQjNijAZiLmG X-Received: by 2002:a17:907:831d:: with SMTP id mq29mr12577389ejc.127.1629336176123; Wed, 18 Aug 2021 18:22:56 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1629336176; cv=none; d=google.com; s=arc-20160816; b=kLUsD6wU9zlXtQDLO/W3qyXk07oBLmOV7rtkeOP5stt5VKWn1iiasTg+nKkTuRezuE MxZZG4ppJSx8IV5dA8TG+K1pZIdQ7xNJto4dFNQ97oj5FoGA62ptEj1FJRTnjaVZDdFl Jel5dbVu9fHCMbmKr6Kbi/a0wPrbb5d2gjnw4nrnHQnbUYWlH/FoNOc7H9bk11/mNYbi 53DJL0L2zq9tvG7ih9eeC9iYWli6FXLnIbAWCdqO+80edulkWP2If6YyWfcRVoe2Tner tkZRXp5qTeAxfxj0kgGO7cQhhvyMpjYShUz0nPCsrO23pf9/mlgEYMXH5dXfvsnPPFHS NuXw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=3jR238mL29ayHcq8ehNBx0TNPsNwsYbo0pduyZlEib0=; b=HzGvcVBthmp5G7IeY0xvBNlcooVKgQJvfLpRBUKDgswjZZgUGzy3g2BLu5j6Xknxdz kfsZDOcdm3Gd36EdOgQj1nOhGJB6WbC/drFk7VV98tmZbPBEw9afC9ARvB3G5DdlHDh5 hDMsQ63pxlyo5rqGkuUtpCaxHsI9/tOpPAnl7gJx0r5nxWF+qBCuffhDmrEKiMiA1EWF V7UPL+JYPSsIwRU8UYQvwUET3wAkVx0SRX/KotRR+lIaYyOfYQ3Kqg6TRduIuqTeVhK4 nnkJXf5FyyZLsNps2Ygld2SjrsMSoRs6qnERctk7SaF1K7GcM/ZipR4hYTmQPL73KVGD 6wsg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=sAjURJV0; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id di9si1352238edb.257.2021.08.18.18.22.32; Wed, 18 Aug 2021 18:22:56 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=sAjURJV0; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234658AbhHSBVY (ORCPT + 99 others); Wed, 18 Aug 2021 21:21:24 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59510 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234194AbhHSBVX (ORCPT ); Wed, 18 Aug 2021 21:21:23 -0400 Received: from mail-yb1-xb2e.google.com (mail-yb1-xb2e.google.com [IPv6:2607:f8b0:4864:20::b2e]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 858C1C0613CF for ; Wed, 18 Aug 2021 18:20:47 -0700 (PDT) Received: by mail-yb1-xb2e.google.com with SMTP id z18so9054911ybg.8 for ; Wed, 18 Aug 2021 18:20:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=3jR238mL29ayHcq8ehNBx0TNPsNwsYbo0pduyZlEib0=; b=sAjURJV0DPl5iuEma3MDh24U2Ka/YPHGRAUt3czsmWjDpYIxJGsgV2yVVUbrr33lP6 RN77l8yeydxU33c80gLe/YCnN1O2KVqnqGyOW+OrDdTmy8Pefr5fQmjdI9q93973hZWX vADWdXpmVvFG/tdnog039ZCR1huc/bOp7frcCs8OapspSjkjWijqCxtzqUWM03Q7BK+U lt64M3eZAf9Sj8dWHjy9sh2+MruZxbo4NpzPNwdKUlKH9343dMXXmUh1Qb5Y3JwBUMwU UgBPerxUHcj6EKp06w0fTRosuDk8pDkJUbdcFiHSZytEcp8PP16KoNcwxrdB9Yixb6Yw DTmQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=3jR238mL29ayHcq8ehNBx0TNPsNwsYbo0pduyZlEib0=; b=TGftzVTx4UTY5C7uu/XWHgYOu3C7zQ/M8LTwzi+ayNz8OFF4TGcxlEL/L7/Gukul9W yfnbxNpmibmDxRHrrfi4NH+goDPmvg8+Th6VJJMhFkJyub0jvgm71r1QIVZt5+V9qRLA GAc1yUh8mGIgIotoRkUXcr0J49mnjZQ/XOcRQ/xr7nkqN8S69E/aJNjXnms6ejneVKAZ WUZuYRM3uAFaCFoD042qEgcYwA+67gH6flGG/CY+KG48GeV3eQQnBTf7oDPc/9qsUQZ1 uW8dntuSWjVaQllBvSs5AZQXszpGySEcV+ndiP72LiLV+4x6SAifs0iHt8HzCen3CpQj ybGg== X-Gm-Message-State: AOAM533cn/szx+IMAA/BZdwoEL8i7hNmk0HGylBXyUsd4UFRl5aOM8uv 28YABPjkFAla6HhNKgyUhmNdcPgABKN7sv1Te4ZjqQ== X-Received: by 2002:a25:614c:: with SMTP id v73mr15720483ybb.96.1629336046025; Wed, 18 Aug 2021 18:20:46 -0700 (PDT) MIME-Version: 1.0 References: <20210818130950.3715-1-Wentao_Liang_g@163.com> In-Reply-To: From: Saravana Kannan Date: Wed, 18 Aug 2021 18:20:10 -0700 Message-ID: Subject: Re: [PATCH] drivers:of:property.c: fix a potential double put (release) bug To: Rob Herring Cc: Wentao_Liang , Frank Rowand , devicetree@vger.kernel.org, "linux-kernel@vger.kernel.org" Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Aug 18, 2021 at 6:11 PM Saravana Kannan wrote: > > On Wed, Aug 18, 2021 at 7:07 AM Rob Herring wrote: > > > > +Saravana > > > > On Wed, Aug 18, 2021 at 8:26 AM Wentao_Liang wrote: > > > > > > In line 1423 (#1), of_link_to_phandle() is called. In the function > > > (line 1140, #2), "of_node_put(sup_np);" drops the reference to phandle > > > and may cause phandle to be released. However, after the function > > > returns, the phandle is subsequently dropped again (line 1424, #3) by > > > the same put function. Double putting the phandle can lead to an > > > incorrect reference count. > > > > > > We believe that the first put of the phandle is unnecessary (#3). We > > > can fix the above bug by removing the redundant "of_node_put()" in line > > > 1423. > > > > > > 1401 static int of_link_property(struct device_node *con_np, > > > const char *prop_name) > > > 1402 { > > > ... > > > 1409 while (!matched && s->parse_prop) { > > > ... > > > 1414 > > > 1415 while ((phandle = s->parse_prop(con_np, prop_name, i))) { > > > ... > > > //#1 phandle is dropped in this function > > > 1423 of_link_to_phandle(con_dev_np, phandle); > > > > > > 1424 //#3 the second drop to phandle > > > of_node_put(phandle); > > > > > > 1425 of_node_put(con_dev_np); > > > 1426 } > > > ... > > > 1428 } > > > 1429 return 0; > > > 1430 } > > > > > > 1095 static int of_link_to_phandle(struct device_node *con_np, > > > 1096 struct device_node *sup_np) > > > 1097 { > > > 1098 struct device *sup_dev; > > > 1099 struct device_node *tmp_np = sup_np; > > > ... > > > 1140 of_node_put(sup_np); //#2 the first drop to phandle > > > // (unnecessary) > > > 1141 > > > 1142 return 0; > > > 1143 } > > > > > > Signed-off-by: Wentao_Liang > > > --- > > > drivers/of/property.c | 1 - > > > 1 file changed, 1 deletion(-) > > > > > > diff --git a/drivers/of/property.c b/drivers/of/property.c > > > index 6c028632f425..408fdde1a20c 100644 > > > --- a/drivers/of/property.c > > > +++ b/drivers/of/property.c > > > @@ -1137,7 +1137,6 @@ static int of_link_to_phandle(struct device_node *con_np, > > > put_device(sup_dev); > > > > > > fwnode_link_add(of_fwnode_handle(con_np), of_fwnode_handle(sup_np)); > > > - of_node_put(sup_np); > > Hi Wentao, > > Thanks for noticing and reporting the bug! Your analysis is correct, > but the fix is definitely wrong. For one, the reference to the node > phandle is pointing to can be dropped in of_link_to_phandle() when it > calls of_get_compat_node(). It could also be dropped in one of the > error paths. So, now you'll be incorrectly dropping the reference for > the wrong node. Let me send out a fix and mention you as the > reporter. > I spoke too soon. I think there is no refcount problem because of_link_to_phandle() makes sure it doesn't change the ref count of any of the DT nodes passed in as input. If you see of_get_compat_node(), you'll notice that it does a of_node_get() first. So it returns a node pointer (that could be the same as the input) and it makes sure it increments that refcount for the node it's returning. And since we are doing: sup_np = of_get_compat_node(sup_np); We are ensuring that by the time of_link_phandle() returns, we haven't changed the refcount of any of the nodes. So, I don't think there's any bug here. -Saravana