Re: [PATCH] spmi: hisi-spmi-controller: manage the OF node reference in device initialization and cleanup
From: Joe Hattori
Date: Tue Dec 17 2024 - 22:43:42 EST
Thank you for your review.
On 12/17/24 19:55, Krzysztof Kozlowski wrote:
On 17/12/2024 05:26, Joe Hattori wrote:
spmi_controller_probe() increments the refcount of an OF node, but does
not release it. Instead, call of_node_get() in spmi_controller_alloc()
and release it in spmi_ctrl_release() to avoid the reference leak.
This bug was found by an experimental static analysis tool that I am
developing.
Fixes: e562cf3aea3e ("spmi: hisi-spmi-controller: move driver from staging")
Signed-off-by: Joe Hattori <joe@xxxxxxxxxxxxxxxxxxxxx>
---
drivers/spmi/hisi-spmi-controller.c | 1 -
drivers/spmi/spmi.c | 3 ++-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/spmi/hisi-spmi-controller.c b/drivers/spmi/hisi-spmi-controller.c
index 3cafdf22c909..dd21c5d1ca83 100644
--- a/drivers/spmi/hisi-spmi-controller.c
+++ b/drivers/spmi/hisi-spmi-controller.c
@@ -301,7 +301,6 @@ static int spmi_controller_probe(struct platform_device *pdev)
spin_lock_init(&spmi_controller->lock);
ctrl->dev.parent = pdev->dev.parent;
- ctrl->dev.of_node = of_node_get(pdev->dev.of_node);
/* Callbacks */
ctrl->read_cmd = spmi_read_cmd;
diff --git a/drivers/spmi/spmi.c b/drivers/spmi/spmi.c
index fb0101da1485..e662a7a78df2 100644
--- a/drivers/spmi/spmi.c
+++ b/drivers/spmi/spmi.c
@@ -36,6 +36,7 @@ static void spmi_ctrl_release(struct device *dev)
struct spmi_controller *ctrl = to_spmi_controller(dev);
ida_free(&ctrl_ida, ctrl->nr);
+ of_node_put(dev->of_node);
Aren't other drivers like PMIC arbiter overwriting this with different
value, thus basically you are dropping reference which was not obtained
and causing actual use-after-free?
Should have caught this one. It is actually storing the same OF node
pointer so it doesn't cause UAF, but is very confusing anyway. Addressed
in the v2 patch.
Best regards,
Krzysztof
Best,
Joe