Received: by 2002:a05:6358:1087:b0:cb:c9d3:cd90 with SMTP id j7csp3910400rwi;
        Sat, 22 Oct 2022 02:03:10 -0700 (PDT)
X-Google-Smtp-Source: AMsMyM6pQ/EoOPdAY2ggEJ8jPslTLG2q638PMrEgn4LM8Y8KGZouROh1hgiiNwmjZhWVWTU/AEU5
X-Received: by 2002:a17:903:41d1:b0:184:e955:abf4 with SMTP id u17-20020a17090341d100b00184e955abf4mr23281302ple.123.1666429389937;
        Sat, 22 Oct 2022 02:03:09 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1666429389; cv=none;
        d=google.com; s=arc-20160816;
        b=DQl8S3YvlCz3Y265816pz7xt1Vfx/aRDFh2r9KLCPG3ks5uVc8IyOosZosA694jBjt
         mFbspuG8JKG/qQsxz59uV3ZoJqvongjvOwZI77vINjSkkhZLVGVzKi096s5h31yO7DgH
         Ryr0nKFJqu4IqyYKEzdGx4uNn3Vy6aUZ2a1b32nKYG66ADVPqcckAI0HKJ72lajym1nR
         vYLfityA1HpBv6XtkifSeC3rsPiLp9fooQeapgZI3TFPZ+kgwSJH/DFY7V05bOuTOyOF
         FRIeraO1LbPoSkLD16UAeZXoP0XuqjSI+jndltevPr1be+4a8TVvP0zRkFwyKTCF7lOa
         m4Nw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=+oE0JZb+KeUDsBGWPQnlpL7ruZ/m6k8pTnDTqBWtrX4=;
        b=1BRdRnlsq7hrBlgeADxAM07t+c9HKKtwyLdWo3YiunK8D61ijeXs4DlZUOAVuMg/wB
         2ja3Uq1dHYI84gMcUbX00SJsMtQ6dXC8+rChN4hnOojg9BAb3cd4TQPpcn9gt0GlmU2X
         T7xjo4RVkUTtAkjk6pN6RHpMKyfR9fspOvE4tbcDenK7Psw+yuyEIkS+DmgUs49l135O
         eFLNEqRkJ2fWHwbCkGC6KVO2cPj3N2VLFBElaXymV2YRcIio+LX9myA7JjVwG+aNEYcN
         4luGOOFqE5QYXbRTPlLIqA/ghNuiQMMp4WmqWCxGYkti5UMYagoKFzBZ50UyjyDEPLLe
         O5Rg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=y14zJNrr;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id w11-20020a1709029a8b00b0018661a75a4fsi5630016plp.238.2022.10.22.02.02.58;
        Sat, 22 Oct 2022 02:03:09 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=y14zJNrr;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S232956AbiJVIHj (ORCPT <rfc822;arunks.linux@gmail.com>
        + 99 others); Sat, 22 Oct 2022 04:07:39 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56074 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S232493AbiJVIDW (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sat, 22 Oct 2022 04:03:22 -0400
Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 84F37152026;
        Sat, 22 Oct 2022 00:51:14 -0700 (PDT)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by ams.source.kernel.org (Postfix) with ESMTPS id ADD69B82E18;
        Sat, 22 Oct 2022 07:50:55 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 23A95C433C1;
        Sat, 22 Oct 2022 07:50:53 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1666425054;
        bh=c/IdW/mBpyQMgYTrCHuboL6q7PPhJdh3DFEoIvN0a1c=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=y14zJNrrt4ebpDbaeuFYMrc3wGK51fGNnydqAwd6h4fOdEshlyq33yhiZoqCewxUo
         FvbgAKx5C00qOTHnha24zw/JZvl+h5J241MoZ1X/HQNgVbGxf6n7/jeIaSQdWLC+Gv
         tHztABVnWD80uM8xjqXMnjCXLFYt+YT3fdRi9bWY=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org,
        =?UTF-8?q?Nuno=20S=C3=A1?= <nuno.sa@analog.com>,
        Jonathan Cameron <Jonathan.Cameron@huawei.com>,
        Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.19 375/717] iio: inkern: only release the device node when done with it
Date:   Sat, 22 Oct 2022 09:24:14 +0200
Message-Id: <20221022072513.751398027@linuxfoundation.org>
X-Mailer: git-send-email 2.38.1
In-Reply-To: <20221022072415.034382448@linuxfoundation.org>
References: <20221022072415.034382448@linuxfoundation.org>
User-Agent: quilt/0.67
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-7.3 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI,
        SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Nuno Sá <nuno.sa@analog.com>

[ Upstream commit 79c3e84874c7d14f04ad58313b64955a0d2e9437 ]

'of_node_put()' can potentially release the memory pointed to by
'iiospec.np' which would leave us with an invalid pointer (and we would
still pass it in 'of_xlate()'). Note that it is not guaranteed for the
of_node lifespan to be attached to the device (to which is attached)
lifespan so that there is (even though very unlikely) the possibility
for the node to be freed while the device is still around. Thus, as there
are indeed some of_xlate users which do access the node, a race is indeed
possible.

As such, we can only release the node after we are done with it.

Fixes: 17d82b47a215d ("iio: Add OF support")
Signed-off-by: Nuno Sá <nuno.sa@analog.com>
Link: https://lore.kernel.org/r/20220715122903.332535-2-nuno.sa@analog.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/iio/inkern.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/iio/inkern.c b/drivers/iio/inkern.c
index df74765d33dc..9d87057794fc 100644
--- a/drivers/iio/inkern.c
+++ b/drivers/iio/inkern.c
@@ -165,9 +165,10 @@ static int __of_iio_channel_get(struct iio_channel *channel,
 
 	idev = bus_find_device(&iio_bus_type, NULL, iiospec.np,
 			       iio_dev_node_match);
-	of_node_put(iiospec.np);
-	if (idev == NULL)
+	if (idev == NULL) {
+		of_node_put(iiospec.np);
 		return -EPROBE_DEFER;
+	}
 
 	indio_dev = dev_to_iio_dev(idev);
 	channel->indio_dev = indio_dev;
@@ -175,6 +176,7 @@ static int __of_iio_channel_get(struct iio_channel *channel,
 		index = indio_dev->info->of_xlate(indio_dev, &iiospec);
 	else
 		index = __of_iio_simple_xlate(indio_dev, &iiospec);
+	of_node_put(iiospec.np);
 	if (index < 0)
 		goto err_put;
 	channel->channel = &indio_dev->channels[index];
-- 
2.35.1