Received: by 2002:a05:6358:1087:b0:cb:c9d3:cd90 with SMTP id j7csp848736rwi;
        Wed, 19 Oct 2022 03:51:35 -0700 (PDT)
X-Google-Smtp-Source: AMsMyM63HqoBfMdk0SznHPJZuP1yRMrJaWlooaGzkS7dVKP3GbxfEvAE3szuJkng3RMW8JjeiIma
X-Received: by 2002:a17:907:94c7:b0:78e:1c4f:51f9 with SMTP id dn7-20020a17090794c700b0078e1c4f51f9mr6424525ejc.200.1666176694845;
        Wed, 19 Oct 2022 03:51:34 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1666176694; cv=none;
        d=google.com; s=arc-20160816;
        b=DFtq79CFpOL/qnoSuv26thGywudfOQqJacyyo49aDSGTkSJqyo2ECimxo2TKWSzeKI
         jPs8omHcRL3TeJL3loS+/zKFHNXB1XGtsWMuZ7Tfmac46dqOX/m2SH5465hli6MDO6HN
         7Gi/NFJJRQs/6bDy+NYM5xEvsSQld33wS0sEnfwYWLeO/DX5M/Ed0o9uy59ZYffNomM/
         py4w7YYGTYIEcxgPbJ0rbavP0Nw+r5ANjxrXg6KmwMJofWujUaM6ln+w3Al4lHgh5/BB
         xXbFsAXe1f9t8vz5ojW2v1fpFdk/DV7r8omK54zO160g830baiH+h0g9NU6zEDrssWtp
         SKNQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=+oE0JZb+KeUDsBGWPQnlpL7ruZ/m6k8pTnDTqBWtrX4=;
        b=yOuCfMSKjSxVdpGu3RaZwMcMF/H44vx1u5koZsUMqx8jufkQt2lhAdynl645iGd/DH
         WoY0o015SQdkFgLO9vlByO2iQeC0/xi4NCaifMAIGd8ltBmpyWje/jKVoEJMS55swo5K
         ejvyDjsn4achQEZMyoHucXOGo1hEyyYhelcJt2ZY45I3Hgeqer3HvCrnDUy4GoDGh6r9
         LUoohR3VG2BaYCJ/oU4uplfVUylRmxmeZJOBwMMRMC/zrrQJqVjNznPSAKsrJQg08tbH
         b5GOKR8tm4Xk1K/eNdAJAJa5ZB3pFyynfYyHZOTQf1VvL8BLf7qRfTk4uvMyQrQSSgXZ
         iQuQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="Xy/xkDbQ";
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id q18-20020a056402519200b004597671e0ddsi13413675edd.338.2022.10.19.03.51.09;
        Wed, 19 Oct 2022 03:51:34 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="Xy/xkDbQ";
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S234446AbiJSKtH (ORCPT <rfc822;artur.folwarczny@gmail.com>
        + 99 others); Wed, 19 Oct 2022 06:49:07 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46162 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S232505AbiJSKrC (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 19 Oct 2022 06:47:02 -0400
Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 240FB56B8C;
        Wed, 19 Oct 2022 03:21:41 -0700 (PDT)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by ams.source.kernel.org (Postfix) with ESMTPS id 3C3BBB8243D;
        Wed, 19 Oct 2022 08:58:46 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 9824FC433D7;
        Wed, 19 Oct 2022 08:58:44 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1666169925;
        bh=c/IdW/mBpyQMgYTrCHuboL6q7PPhJdh3DFEoIvN0a1c=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=Xy/xkDbQhApQTknTYeA29fYf8X5Wj+QnGRvGW79+Pp/kF3JMKAx1UIqCDvCXpe9I7
         p+yeShW2ZJeYifDi9Ve9GIZtFWrkq+ZbBh0IZVun+vK9YfnpzqrB7Zu2eJyjZ9YLaM
         pqEtEiczSXsKJfQHCX40ECITd1VzbIIPG7Xg1pDg=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org,
        =?UTF-8?q?Nuno=20S=C3=A1?= <nuno.sa@analog.com>,
        Jonathan Cameron <Jonathan.Cameron@huawei.com>,
        Sasha Levin <sashal@kernel.org>
Subject: [PATCH 6.0 461/862] iio: inkern: only release the device node when done with it
Date:   Wed, 19 Oct 2022 10:29:08 +0200
Message-Id: <20221019083310.368297100@linuxfoundation.org>
X-Mailer: git-send-email 2.38.0
In-Reply-To: <20221019083249.951566199@linuxfoundation.org>
References: <20221019083249.951566199@linuxfoundation.org>
User-Agent: quilt/0.67
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-7.4 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI,
        SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Nuno Sá <nuno.sa@analog.com>

[ Upstream commit 79c3e84874c7d14f04ad58313b64955a0d2e9437 ]

'of_node_put()' can potentially release the memory pointed to by
'iiospec.np' which would leave us with an invalid pointer (and we would
still pass it in 'of_xlate()'). Note that it is not guaranteed for the
of_node lifespan to be attached to the device (to which is attached)
lifespan so that there is (even though very unlikely) the possibility
for the node to be freed while the device is still around. Thus, as there
are indeed some of_xlate users which do access the node, a race is indeed
possible.

As such, we can only release the node after we are done with it.

Fixes: 17d82b47a215d ("iio: Add OF support")
Signed-off-by: Nuno Sá <nuno.sa@analog.com>
Link: https://lore.kernel.org/r/20220715122903.332535-2-nuno.sa@analog.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/iio/inkern.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/iio/inkern.c b/drivers/iio/inkern.c
index df74765d33dc..9d87057794fc 100644
--- a/drivers/iio/inkern.c
+++ b/drivers/iio/inkern.c
@@ -165,9 +165,10 @@ static int __of_iio_channel_get(struct iio_channel *channel,
 
 	idev = bus_find_device(&iio_bus_type, NULL, iiospec.np,
 			       iio_dev_node_match);
-	of_node_put(iiospec.np);
-	if (idev == NULL)
+	if (idev == NULL) {
+		of_node_put(iiospec.np);
 		return -EPROBE_DEFER;
+	}
 
 	indio_dev = dev_to_iio_dev(idev);
 	channel->indio_dev = indio_dev;
@@ -175,6 +176,7 @@ static int __of_iio_channel_get(struct iio_channel *channel,
 		index = indio_dev->info->of_xlate(indio_dev, &iiospec);
 	else
 		index = __of_iio_simple_xlate(indio_dev, &iiospec);
+	of_node_put(iiospec.np);
 	if (index < 0)
 		goto err_put;
 	channel->channel = &indio_dev->channels[index];
-- 
2.35.1