From: sashiko-bot@kernel.org
To: "Akhil R" <akhilrajeev@nvidia.com>
Cc: devicetree@vger.kernel.org, Frank.Li@kernel.org,
linux-i3c@lists.infradead.org, conor+dt@kernel.org,
robh@kernel.org, linux-hwmon@vger.kernel.org
Subject: Re: [PATCH v4 02/12] i3c: master: Use unified device property interface
Date: Tue, 16 Jun 2026 10:17:08 +0000 [thread overview]
Message-ID: <20260616101709.1B2BD1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260616095429.3947205-3-akhilrajeev@nvidia.com>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
New issues:
- [Medium] Permanent leak of firmware node references in I2C and I3C boardinfo structures.
Pre-existing issues:
- [High] Dangling pointer `desc->dev` causes Use-After-Free on device unregistration if device_register() fails.
--
commit 89419216775e33fb2b850943aa4a2781f19278a1
Author: Akhil R <akhilrajeev@nvidia.com>
i3c: master: Use unified device property interface
Replace all OF-specific functions with unified device property functions
as a prerequisite to support both ACPI and device tree.
> diff --git a/drivers/i3c/master.c b/drivers/i3c/master.c
> index 109aa50eb1f8f..3b19a5e8f46d0 100644
> --- a/drivers/i3c/master.c
> +++ b/drivers/i3c/master.c
[ ... ]
> @@ -1902,7 +1904,8 @@ i3c_master_register_new_i3c_devs(struct i3c_master_controller *master)
> desc->info.pid);
>
> if (desc->boardinfo)
> - desc->dev->dev.of_node = desc->boardinfo->of_node;
> + device_set_node(&desc->dev->dev,
> + fwnode_handle_get(desc->boardinfo->fwnode));
>
> ret = device_register(&desc->dev->dev);
> if (ret) {
[Severity: High]
This is a pre-existing issue, but can this error path cause a use-after-free
and double-free?
If device_register() fails, put_device() is called which frees the memory
backing desc->dev, but the desc->dev pointer is not set to NULL.
Later during cleanup, the dangling pointer bypasses the NULL check:
i3c_master_unregister_i3c_devs() {
...
if (!i3cdev->dev)
continue;
i3cdev->dev->desc = NULL;
...
}
Does desc->dev need to be set to NULL after put_device() to prevent this?
[ ... ]
> @@ -2623,14 +2630,14 @@ of_i3c_master_add_i2c_boardinfo(struct i3c_master_controller *master,
> boardinfo->lvr = reg[2];
>
> list_add_tail(&boardinfo->node, &master->boardinfo.i2c);
> - of_node_get(node);
> + fwnode_handle_get(fwnode);
>
> return 0;
> }
[Severity: Medium]
Does this code leak the fwnode reference?
The result of fwnode_handle_get() is completely discarded. Since
i2c_new_client_device() separately takes and drops its own fwnode reference,
does this initial reference remain unreleased?
[ ... ]
> @@ -2670,14 +2677,14 @@ of_i3c_master_add_i3c_boardinfo(struct i3c_master_controller *master,
> return -EINVAL;
>
> boardinfo->init_dyn_addr = init_dyn_addr;
> - boardinfo->of_node = of_node_get(node);
> + boardinfo->fwnode = fwnode_handle_get(fwnode);
> list_add_tail(&boardinfo->node, &master->boardinfo.i3c);
>
> return 0;
> }
[Severity: Medium]
Does this also leak the fwnode reference?
The reference is acquired and stored in the devres-managed boardinfo
structure, but there seems to be no teardown logic for the master->boardinfo
lists to drop it before devres frees them.
As seen earlier in i3c_master_register_new_i3c_devs():
device_set_node(&desc->dev->dev, fwnode_handle_get(desc->boardinfo->fwnode));
A second reference is taken there which is properly dropped by
i3c_device_release(), but does the first reference stored in
boardinfo->fwnode remain stranded?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260616095429.3947205-1-akhilrajeev@nvidia.com?part=2
--
linux-i3c mailing list
linux-i3c@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-i3c
WARNING: multiple messages have this Message-ID (diff)
From: sashiko-bot@kernel.org
To: "Akhil R" <akhilrajeev@nvidia.com>
Cc: devicetree@vger.kernel.org, Frank.Li@kernel.org,
linux-i3c@lists.infradead.org, conor+dt@kernel.org,
robh@kernel.org, linux-hwmon@vger.kernel.org
Subject: Re: [PATCH v4 02/12] i3c: master: Use unified device property interface
Date: Tue, 16 Jun 2026 10:17:08 +0000 [thread overview]
Message-ID: <20260616101709.1B2BD1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260616095429.3947205-3-akhilrajeev@nvidia.com>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
New issues:
- [Medium] Permanent leak of firmware node references in I2C and I3C boardinfo structures.
Pre-existing issues:
- [High] Dangling pointer `desc->dev` causes Use-After-Free on device unregistration if device_register() fails.
--
commit 89419216775e33fb2b850943aa4a2781f19278a1
Author: Akhil R <akhilrajeev@nvidia.com>
i3c: master: Use unified device property interface
Replace all OF-specific functions with unified device property functions
as a prerequisite to support both ACPI and device tree.
> diff --git a/drivers/i3c/master.c b/drivers/i3c/master.c
> index 109aa50eb1f8f..3b19a5e8f46d0 100644
> --- a/drivers/i3c/master.c
> +++ b/drivers/i3c/master.c
[ ... ]
> @@ -1902,7 +1904,8 @@ i3c_master_register_new_i3c_devs(struct i3c_master_controller *master)
> desc->info.pid);
>
> if (desc->boardinfo)
> - desc->dev->dev.of_node = desc->boardinfo->of_node;
> + device_set_node(&desc->dev->dev,
> + fwnode_handle_get(desc->boardinfo->fwnode));
>
> ret = device_register(&desc->dev->dev);
> if (ret) {
[Severity: High]
This is a pre-existing issue, but can this error path cause a use-after-free
and double-free?
If device_register() fails, put_device() is called which frees the memory
backing desc->dev, but the desc->dev pointer is not set to NULL.
Later during cleanup, the dangling pointer bypasses the NULL check:
i3c_master_unregister_i3c_devs() {
...
if (!i3cdev->dev)
continue;
i3cdev->dev->desc = NULL;
...
}
Does desc->dev need to be set to NULL after put_device() to prevent this?
[ ... ]
> @@ -2623,14 +2630,14 @@ of_i3c_master_add_i2c_boardinfo(struct i3c_master_controller *master,
> boardinfo->lvr = reg[2];
>
> list_add_tail(&boardinfo->node, &master->boardinfo.i2c);
> - of_node_get(node);
> + fwnode_handle_get(fwnode);
>
> return 0;
> }
[Severity: Medium]
Does this code leak the fwnode reference?
The result of fwnode_handle_get() is completely discarded. Since
i2c_new_client_device() separately takes and drops its own fwnode reference,
does this initial reference remain unreleased?
[ ... ]
> @@ -2670,14 +2677,14 @@ of_i3c_master_add_i3c_boardinfo(struct i3c_master_controller *master,
> return -EINVAL;
>
> boardinfo->init_dyn_addr = init_dyn_addr;
> - boardinfo->of_node = of_node_get(node);
> + boardinfo->fwnode = fwnode_handle_get(fwnode);
> list_add_tail(&boardinfo->node, &master->boardinfo.i3c);
>
> return 0;
> }
[Severity: Medium]
Does this also leak the fwnode reference?
The reference is acquired and stored in the devres-managed boardinfo
structure, but there seems to be no teardown logic for the master->boardinfo
lists to drop it before devres frees them.
As seen earlier in i3c_master_register_new_i3c_devs():
device_set_node(&desc->dev->dev, fwnode_handle_get(desc->boardinfo->fwnode));
A second reference is taken there which is properly dropped by
i3c_device_release(), but does the first reference stored in
boardinfo->fwnode remain stranded?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260616095429.3947205-1-akhilrajeev@nvidia.com?part=2
next prev parent reply other threads:[~2026-06-16 10:17 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-16 9:54 [PATCH v4 00/12] Support ACPI and SETAASA device discovery Akhil R
2026-06-16 9:54 ` Akhil R
2026-06-16 9:54 ` [PATCH v4 01/12] dt-bindings: i3c: Add mipi-i3c-static-method to support SETAASA Akhil R
2026-06-16 9:54 ` Akhil R
2026-06-16 10:04 ` sashiko-bot
2026-06-16 10:04 ` sashiko-bot
2026-06-16 9:54 ` [PATCH v4 02/12] i3c: master: Use unified device property interface Akhil R
2026-06-16 9:54 ` Akhil R
2026-06-16 10:17 ` sashiko-bot [this message]
2026-06-16 10:17 ` sashiko-bot
2026-06-16 9:54 ` [PATCH v4 03/12] i3c: master: Support ACPI enumeration of child devices Akhil R
2026-06-16 9:54 ` Akhil R
2026-06-16 10:15 ` sashiko-bot
2026-06-16 10:15 ` sashiko-bot
2026-06-16 9:54 ` [PATCH v4 04/12] i3c: master: Add support for devices using SETAASA Akhil R
2026-06-16 9:54 ` Akhil R
2026-06-16 10:19 ` sashiko-bot
2026-06-16 10:19 ` sashiko-bot
2026-06-16 9:54 ` [PATCH v4 05/12] i3c: master: Add support for devices without PID Akhil R
2026-06-16 9:54 ` Akhil R
2026-06-16 10:17 ` sashiko-bot
2026-06-16 10:17 ` sashiko-bot
2026-06-16 9:54 ` [PATCH v4 06/12] i3c: master: match I3C device through DT and ACPI Akhil R
2026-06-16 9:54 ` Akhil R
2026-06-16 10:12 ` sashiko-bot
2026-06-16 10:12 ` sashiko-bot
2026-06-16 9:54 ` [PATCH v4 07/12] i3c: dw-i3c-master: Add SETAASA as supported CCC Akhil R
2026-06-16 9:54 ` Akhil R
2026-06-16 10:13 ` sashiko-bot
2026-06-16 10:13 ` sashiko-bot
2026-06-16 9:54 ` [PATCH v4 08/12] i3c: dw-i3c-master: Add a quirk to skip clock and reset Akhil R
2026-06-16 9:54 ` Akhil R
2026-06-16 10:14 ` sashiko-bot
2026-06-16 10:14 ` sashiko-bot
2026-06-16 9:54 ` [PATCH v4 09/12] i3c: dw-i3c-master: Add ACPI ID for Tegra410 Akhil R
2026-06-16 9:54 ` Akhil R
2026-06-16 10:09 ` sashiko-bot
2026-06-16 10:09 ` sashiko-bot
2026-06-16 9:54 ` [PATCH v4 10/12] hwmon: spd5118: Remove 16-bit addressing Akhil R
2026-06-16 9:54 ` Akhil R
2026-06-16 10:09 ` sashiko-bot
2026-06-16 10:09 ` sashiko-bot
2026-06-16 9:54 ` [PATCH v4 11/12] hwmon: spd5118: Add I3C support Akhil R
2026-06-16 9:54 ` Akhil R
2026-06-16 10:30 ` sashiko-bot
2026-06-16 10:30 ` sashiko-bot
2026-06-16 9:54 ` [PATCH v4 12/12] arm64: defconfig: Enable I3C and SPD5118 hwmon Akhil R
2026-06-16 9:54 ` Akhil R
2026-06-16 10:10 ` sashiko-bot
2026-06-16 10:10 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260616101709.1B2BD1F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=Frank.Li@kernel.org \
--cc=akhilrajeev@nvidia.com \
--cc=conor+dt@kernel.org \
--cc=devicetree@vger.kernel.org \
--cc=linux-hwmon@vger.kernel.org \
--cc=linux-i3c@lists.infradead.org \
--cc=robh@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.