RE: question about drivers/phy/renesas/phy-rcar-gen2.c
From: Yoshihiro Shimoda
Date: Tue Feb 26 2019 - 20:06:38 EST
Hello,
> From: Julia Lawall, Sent: Tuesday, February 26, 2019 6:01 PM
>
> On Tue, 26 Feb 2019, Yoshihiro Shimoda wrote:
>
> > Hello,
> > (Sergei made this code, so I added his email as CC)
> >
> > I'm sorry for the delayed response.
> >
> > > From: Julia Lawall, Sent: Sunday, February 3, 2019 4:03 PM
> > >
> > > Hello,
> > >
> > > I was wondering whether phy-rcar-gen2.c would use dynamically allocated
> > > device nodes?
> >
> > I'm sorry, but what is "dynamically allocated device nodes"?
>
> Device nodes for which there will be a meor leak if one doesn't put
> of_node_put.
Thank you. I understood it.
> julia
>
> >
> > Best regards,
> > Yoshihiro Shimoda
> >
> > > If so, it looks like the following code could cause a
> > > use-after-free, due to not incrementing th reference count:
> > >
> > > for_each_child_of_node(dev->of_node, np) {
> > > struct rcar_gen2_channel *channel = drv->channels + i;
> > > u32 channel_num;
> > > int error, n;
> > >
> > > channel->of_node = np;
IIUC, since the channel->of_node will be used for comparing the pointer
in rcar_gen2_phy_xlate(), it is not use-after-free.
However, the for_each_child_of_node() in rcar_gen2_phy_probe() will return
without of_put_node() at error paths. So, I'll submit a bugfix patch later.
Thank you very much for your report!
Best regards,
Yoshihiro Shimoda
> > > ...
> > > }
> > >
> > > On the other hand, if the reference cound it incrememnted, preventing
> > > memory leaks in the case where the probe function fails would entail some
> > > complex rewriting of the code, so I thought it would be better to ask
> > > first.
> > >
> > > thanks,
> > > julia
> >