Re: [PATCH v7 net-next 2/8] dpll: allow registering FW-identified pin with a different DPLL

Next message: Fernando Antunez Antonio via B4 Relay: "[PATCH v2] ALSA: hda/realtek: Fix mute and mic-mute LEDs for HP Envy X360 15-fh0xxx"
Previous message: Andrew Morton: "Re: [PATCH] futex: Drop CLONE_THREAD requirement for private default hash alloc"
Next in thread: Nitka, Grzegorz: "RE: [PATCH v7 net-next 2/8] dpll: allow registering FW-identified pin with a different DPLL"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jakub Kicinski

Date: Sat May 02 2026 - 13:27:23 EST

On Thu, 30 Apr 2026 11:42:32 +0200 Grzegorz Nitka wrote:
> Relax the (module, clock_id) equality requirement when registering a
> pin identified by firmware (pin->fwnode). Some platforms associate a
> FW-described pin with a DPLL instance that differs from the pin's
> (module, clock_id) tuple. For such pins, permit registration without
> requiring the strict match. Non-FW pins still require equality.

AI asks what prevents the modules from disappearing:

Does this relaxed check expose pin->module to a use-after-free during
netlink queries?
If module A registers a firmware-described pin allocated by module B,
they will have different module pointers.
Because fwnode_dpll_pin_find() increases the pin's refcount but does
not take a reference to module B via try_module_get(), it appears module B
could be unloaded while module A still holds an active reference to the pin.
When module B unloads, its struct module memory is freed, leaving
pin->module as a dangling pointer.
A subsequent user-space Netlink query using DPLL_CMD_PIN_GET iterates over
the registered pins and calls nla_put_string() with module_name(pin->module),
which would dereference the freed module memory.