From: Sasha Levin <sashal@kernel.org>
To: patches@lists.linux.dev, stable@vger.kernel.org
Cc: Pei Xiao <xiaopei01@kylinos.cn>,
	Guenter Roeck <linux@roeck-us.net>,
	Sasha Levin <sashal@kernel.org>,
	linux-hwmon@vger.kernel.org
Subject: [PATCH AUTOSEL 6.18-6.17] hwmon: (emc2305) fix double put in emc2305_probe_childs_from_dt
Date: Thu, 11 Dec 2025 21:08:55 -0500
Message-ID: <20251212020903.4153935-3-sashal@kernel.org>
In-Reply-To: <20251212020903.4153935-1-sashal@kernel.org>

From: Pei Xiao <xiaopei01@kylinos.cn>

[ Upstream commit 541dfb49dcb80c2509e030842de77adfb77820f5 ]

./drivers/hwmon/emc2305.c:597:4-15: ERROR: probable double put

Device node iterators put the previous value of the index variable, so an
explicit put causes a double put.

Signed-off-by: Pei Xiao <xiaopei01@kylinos.cn>
Link: https://lore.kernel.org/r/tencent_CD373F952BE48697C949E39CB5EB77841D06@qq.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---

LLM Generated explanations, may be completely bogus:

## Analysis Summary

### What the Bug Is
This commit fixes a **double reference count decrement (double put)** on
a device_node structure in the `emc2305_probe_childs_from_dt()`
function.

**Technical explanation:**
1. The `for_each_child_of_node()` macro uses `of_get_next_child()`
   internally for iteration
2. As confirmed in the kernel documentation, `of_get_next_child()`
   "**Decrements the refcount of prev**" automatically when advancing to
   the next child
3. The buggy code explicitly calls `of_node_put(child)` before
   `continue`
4. When the loop continues, `of_get_next_child()` decrements the
   refcount again → **double put**

**Impact:** Double put causes reference count underflow which can lead
to:
- Use-after-free vulnerabilities
- Memory corruption
- Kernel crashes/instability

### Stable Tree Criteria Evaluation

| Criteria | Met? | Details |
|----------|------|---------|
| Obviously correct | ✅ | Standard DT iterator pattern fix |
| Fixes real bug | ✅ | Reference counting bug confirmed |
| Important issue | ✅ | Potential UAF/memory corruption |
| Small and contained | ✅ | Removes 4 lines in one function |
| No new features | ✅ | Pure bug fix |
| Tested | ✅ | Signed-off by hwmon maintainer |

### Risk Assessment
- **Risk**: Very low - the fix simply removes incorrect `of_node_put()`
  calls
- **Scope**: Single function, single driver (emc2305 hwmon)
- **Backport complexity**: None - straightforward removal of lines

### Version Analysis
The buggy code was introduced in commit `2ed4db7a1d07b` which first
appeared in **v6.17-rc1**. This means:
- Only kernels 6.17+ have this bug
- Older stable trees (6.12.y, 6.6.y, 6.1.y, etc.) do **NOT** have this
  code

### Concerns
- No explicit "Cc: stable@vger.kernel.org" tag
- No "Fixes:" tag pointing to the introducing commit
- However, the bug and fix are clearly documented and understood

### Verdict
This is a legitimate bug fix that corrects an obvious reference counting
error. The fix is:
- Trivially correct (well-known DT iterator pattern)
- Very low risk
- Fixes a real bug that can cause memory corruption

While the affected code only exists in 6.17+, this is still a valid
stable backport candidate for the 6.17.y stable branch and should be
backported to ensure stable users don't hit this reference counting bug.

**YES**

 drivers/hwmon/emc2305.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/drivers/hwmon/emc2305.c b/drivers/hwmon/emc2305.c
index 84cb9b72cb6c2..ceae96c07ac45 100644
--- a/drivers/hwmon/emc2305.c
+++ b/drivers/hwmon/emc2305.c
@@ -593,10 +593,8 @@ static int emc2305_probe_childs_from_dt(struct device *dev)
 	for_each_child_of_node(dev->of_node, child) {
 		if (of_property_present(child, "reg")) {
 			ret = emc2305_of_parse_pwm_child(dev, child, data);
-			if (ret) {
-				of_node_put(child);
+			if (ret)
 				continue;
-			}
 			count++;
 		}
 	}
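Review bot: In the `if (ret) continue;` branch the error from `emc2305_of_parse_pwm_child()` is discarded, so a child that fails to parse is skipped silently and is only visible as a lower `count`. If the helper does not already log, a `dev_warn()` naming the child here would make that visible. Now that the explicit put is gone, a one-line comment that `for_each_child_of_node()` drops the reference on `child` when it advances would keep a later cleanup from re-adding it. The commit message also carries no Fixes: tag for the change that introduced the extra `of_node_put(child)`.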
-- 
2.51.0
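
The refcount behaviour described in the message above, as an added userspace model (not code from the patch or from the kernel): `toy_next_child()` is a hypothetical stand-in that follows the get-next/put-prev contract the message attributes to `of_get_next_child()`, and the three-node list is constructed sample data.

```c
/* Userspace model with constructed data; toy_* names are hypothetical, not kernel APIs. */
#include <stdio.h>

struct toy_node {
	int refcount;               /* 1 = the reference the tree itself holds */
	struct toy_node *sibling;
	int parse_fails;            /* constructed: simulate a failing child parse */
};

static void toy_get(struct toy_node *n) { if (n) n->refcount++; }
static void toy_put(struct toy_node *n) { if (n) n->refcount--; }

/* Same contract as described for of_get_next_child(): get next, put prev. */
static struct toy_node *toy_next_child(struct toy_node *first, struct toy_node *prev)
{
	struct toy_node *next = prev ? prev->sibling : first;

	toy_get(next);
	toy_put(prev);
	return next;
}

/* Walk three children; explicit_put=1 is the pre-fix pattern, 0 the fixed one.
 * Returns the lowest refcount left behind (1 means balanced). */
int walk_children(int explicit_put)
{
	struct toy_node c[3] = { { 1, &c[1], 0 }, { 1, &c[2], 1 }, { 1, NULL, 0 } };
	struct toy_node *child;
	int i, min = 1;

	for (child = toy_next_child(c, NULL); child; child = toy_next_child(c, child)) {
		if (!child->parse_fails)
			continue;
		if (explicit_put)
			toy_put(child);     /* extra put; the iterator puts again */
	}
	for (i = 0; i < 3; i++)
		if (c[i].refcount < min)
			min = c[i].refcount;
	return min;
}

int main(void)
{
	printf("fixed:   min refcount %d\n", walk_children(0));
	printf("pre-fix: min refcount %d\n", walk_children(1));
	return 0;
}
```

In the pre-fix walk the failing child ends at refcount 0 while the list still points at it, which in the kernel is the point where the node would be released while still reachable.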

