Re: [PATCH 1/2] of: Add of_get_next_child_by_id()

From: Rob Herring
Date: Sun Jan 05 2025 - 15:51:51 EST

Next message: Stephen Rothwell: "linux-next: manual merge of the vfs-brauner-fixes tree with Linus' tree"
Previous message: Al Viro: "Re: [syzbot] [mptcp?] general protection fault in proc_scheduler"
In reply to: Stephen Gordon: "[PATCH 1/2] of: Add of_get_next_child_by_id()"
Next in thread: Stephen Gordon: "[PATCH 2/2] of_graph: Convert of_graph_get_next_xx to return nodes in address order"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sat, Jan 4, 2025 at 3:06 PM Stephen Gordon <gordoste@xxxxxxxxxxxx> wrote:
>
> This new function returns nodes in address order. There is also a
> corresponding for_each_child_of_node_by_id() macro.
>
> Signed-off-by: Stephen Gordon <gordoste@xxxxxxxxxxxx>
> ---
> drivers/of/base.c | 41 ++++++++++++++++++++++++++++++++++++++++-
> include/linux/of.h | 12 ++++++++++++
> 2 files changed, 52 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/of/base.c b/drivers/of/base.c
> index 7dc394255a0a..0be430b022fb 100644
> --- a/drivers/of/base.c
> +++ b/drivers/of/base.c
> @@ -623,7 +623,46 @@ static struct device_node *__of_get_next_child(const struct device_node *node,
> child = __of_get_next_child(parent, child))
>
> /**
> - * of_get_next_child - Iterate a node childs
> + * of_get_next_child_by_id - Iterate a node's children in order of id
> + * @node: parent node
> + * @prev: previous child of the parent node, or NULL to get first
> + *
> + * Return: A node pointer with refcount incremented, use of_node_put() on
> + * it when done. Returns NULL when prev is the last child. Decrements the
> + * refcount of prev.
> + */
> +struct device_node *of_get_next_child_by_id(const struct device_node *node,
> + struct device_node *prev)
> +{
> + struct device_node *next = NULL;
> + u32 next_id = U32_MAX;
> + u32 prev_id, this_id;
> + unsigned long flags;
> +
> + if (!node || !(node->child))
> + return NULL;
> +
> + if (prev)
> + of_property_read_u32(prev, "reg", &prev_id);

This should use of_property_read_reg() so that it works for different
address sizes. That however creates a dependency on CONFIG_OF_ADDRESS.
It's probably fine if this function doesn't work for
!CONFIG_OF_ADDRESS. That's just Sparc and Sparc platforms don't use OF
graph.

> +
> + for_each_child_of_node_scoped(node, child) {
> + of_property_read_u32(child, "reg", &this_id);
> + if ((!prev || (this_id > prev_id)) && this_id < next_id) {
> + next = child;
> + next_id = this_id;
> + }
> + }

The loop just did a put on next/child, so it can be freed here before
you take the lock and you have a UAF. You need to use return_ptr()
since it outlives the loop.

> +
> + raw_spin_lock_irqsave(&devtree_lock, flags);

And this lock is not needed.

> + of_node_get(next);

Nor this get since the loop did a get already.

> + of_node_put(prev);
> + raw_spin_unlock_irqrestore(&devtree_lock, flags);
> + return next;
> +}
> +EXPORT_SYMBOL(of_get_next_child_by_id);

Rob

Next message: Stephen Rothwell: "linux-next: manual merge of the vfs-brauner-fixes tree with Linus' tree"
Previous message: Al Viro: "Re: [syzbot] [mptcp?] general protection fault in proc_scheduler"
In reply to: Stephen Gordon: "[PATCH 1/2] of: Add of_get_next_child_by_id()"
Next in thread: Stephen Gordon: "[PATCH 2/2] of_graph: Convert of_graph_get_next_xx to return nodes in address order"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]