Received: by 2002:a05:6358:1087:b0:cb:c9d3:cd90 with SMTP id j7csp7359110rwi;
        Mon, 24 Oct 2022 13:30:23 -0700 (PDT)
X-Google-Smtp-Source: AMsMyM7Leu1h47rDv/MNFQS9Jr1O+g1l5PwMXVT1Sfu6GklJx582Fws4n7nlUzRwRcqrcn/dPysa
X-Received: by 2002:a05:6402:5ca:b0:43b:6e01:482c with SMTP id n10-20020a05640205ca00b0043b6e01482cmr33042855edx.189.1666643422822;
        Mon, 24 Oct 2022 13:30:22 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1666643422; cv=none;
        d=google.com; s=arc-20160816;
        b=h8qisRWiT5jzQQxYmG+AN/nBhRYGvsz4No/gFlRW2IBWcqlQDYF/FiBcuW79l2h2CF
         7HCp1UjWxzhfHUc0Ki7VXkGXZXC3wPVMJXxDK5d8d6cqJSpd5tpnpvAoDUQWaKmUVnJ3
         AjLqilspzSJhJGXEWnKeBi6+7FSkL8ZiUC3pZr8dgfqlkt+t4a4HMqScPtLMCUuwWK5V
         n9pS56+17/4P7P30jvHU8A2Gmlwb4yTj/LpoxJGREiNHOni2xT7Nam5QQUJ6bEKi5iEM
         Eibqs7lxKFdCFVR7//atF5cPhLlUSJPdWRSUpxO/JRvwFDExjVzWycA0L8y7chsUg5r4
         iaoA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=5Zle8COdzCJX30YfTr9FVTIPtRGfrI3pBgxn+UqiWB4=;
        b=FtFlA0QE2uxrqPqJyClgrC99nwUgXe4GWWgs3QeoVvLxpmZbbJlCg4cwLg+AyJe/lU
         S0aPbhjgirDTQ2lwv3CJE+bBJ1YgwQx+VuqAhQdRoF3oW6+rEmiurTbIJHXx2VUe2sUP
         XK4maZUQ+2QFDhB8ZguV1pv172JDdV1eVK+0YnhN1AbrfnxOjpXt7/CBKBXw1pMku9ym
         V+PcGHWeHRPR1AaQTQ6WPymFWb+2W6Z4yQ8LkJwWqIsL0KWuh3OMer1D4Be9YCXQj1Wi
         4hAWJXSeszN7J0PMZOWLTvM0J/FLp8JCvJkPRnCOT2ZgMwkLh0Ancs1DZxylQjdakqBO
         Pnlg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=JEFwOldW;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id gt15-20020a1709072d8f00b0073daf6b44a5si755698ejc.775.2022.10.24.13.29.58;
        Mon, 24 Oct 2022 13:30:22 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=JEFwOldW;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S232213AbiJXTkQ (ORCPT <rfc822;arunks.linux@gmail.com>
        + 99 others); Mon, 24 Oct 2022 15:40:16 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42658 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S231175AbiJXTji (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 24 Oct 2022 15:39:38 -0400
Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A9F53ACF75;
        Mon, 24 Oct 2022 11:10:10 -0700 (PDT)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by ams.source.kernel.org (Postfix) with ESMTPS id 782C9B819D3;
        Mon, 24 Oct 2022 12:46:01 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id D55F9C433C1;
        Mon, 24 Oct 2022 12:45:59 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1666615560;
        bh=rQGucdkySq2WMq3kFBntMCiI+Qpd05wuRtGqBbG1zMA=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=JEFwOldW+k82vELXE4lZSbcrWX1k2Xk1UswH+WrV/fLlD2+WF2m09QnehtHtEbTi2
         tPP4Th81xzeZcVIsh5VnDoc+H1UffSZZuTuOsUef/CrZdWRyEzEkdGDJBDQS4LNwdP
         bN14wS89E9JQIEXCyqNOG+0ergCC65n+GR8uIUUg=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org,
        =?UTF-8?q?Nuno=20S=C3=A1?= <nuno.sa@analog.com>,
        Jonathan Cameron <Jonathan.Cameron@huawei.com>,
        Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.15 268/530] iio: inkern: only release the device node when done with it
Date:   Mon, 24 Oct 2022 13:30:12 +0200
Message-Id: <20221024113057.192502132@linuxfoundation.org>
X-Mailer: git-send-email 2.38.1
In-Reply-To: <20221024113044.976326639@linuxfoundation.org>
References: <20221024113044.976326639@linuxfoundation.org>
User-Agent: quilt/0.67
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI,
        SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Nuno Sá <nuno.sa@analog.com>

[ Upstream commit 79c3e84874c7d14f04ad58313b64955a0d2e9437 ]

'of_node_put()' can potentially release the memory pointed to by
'iiospec.np' which would leave us with an invalid pointer (and we would
still pass it in 'of_xlate()'). Note that it is not guaranteed for the
of_node lifespan to be attached to the device (to which is attached)
lifespan so that there is (even though very unlikely) the possibility
for the node to be freed while the device is still around. Thus, as there
are indeed some of_xlate users which do access the node, a race is indeed
possible.

As such, we can only release the node after we are done with it.

Fixes: 17d82b47a215d ("iio: Add OF support")
Signed-off-by: Nuno Sá <nuno.sa@analog.com>
Link: https://lore.kernel.org/r/20220715122903.332535-2-nuno.sa@analog.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/iio/inkern.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/iio/inkern.c b/drivers/iio/inkern.c
index b5966365d769..30a8ecb692f8 100644
--- a/drivers/iio/inkern.c
+++ b/drivers/iio/inkern.c
@@ -148,9 +148,10 @@ static int __of_iio_channel_get(struct iio_channel *channel,
 
 	idev = bus_find_device(&iio_bus_type, NULL, iiospec.np,
 			       iio_dev_node_match);
-	of_node_put(iiospec.np);
-	if (idev == NULL)
+	if (idev == NULL) {
+		of_node_put(iiospec.np);
 		return -EPROBE_DEFER;
+	}
 
 	indio_dev = dev_to_iio_dev(idev);
 	channel->indio_dev = indio_dev;
@@ -158,6 +159,7 @@ static int __of_iio_channel_get(struct iio_channel *channel,
 		index = indio_dev->info->of_xlate(indio_dev, &iiospec);
 	else
 		index = __of_iio_simple_xlate(indio_dev, &iiospec);
+	of_node_put(iiospec.np);
 	if (index < 0)
 		goto err_put;
 	channel->channel = &indio_dev->channels[index];
-- 
2.35.1