From: Danilo Krummrich <dakr@kernel.org>
To: Saravana Kannan <saravanak@google.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Ulf Hansson <ulf.hansson@linaro.org>,
Stephen Boyd <sboyd@kernel.org>,
linux-pm@vger.kernel.org,
"Rafael J . Wysocki" <rafael@kernel.org>,
Michael Grzeschik <m.grzeschik@pengutronix.de>,
Bjorn Andersson <andersson@kernel.org>,
Abel Vesa <abel.vesa@linaro.org>, Peng Fan <peng.fan@oss.nxp.com>,
Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>,
Johan Hovold <johan@kernel.org>,
Maulik Shah <maulik.shah@oss.qualcomm.com>,
Michal Simek <michal.simek@amd.com>,
Konrad Dybcio <konradybcio@kernel.org>,
Thierry Reding <thierry.reding@gmail.com>,
Jonathan Hunter <jonathanh@nvidia.com>,
Hiago De Franco <hiago.franco@toradex.com>,
Geert Uytterhoeven <geert@linux-m68k.org>,
linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v3 17/24] driver core: Export get_dev_from_fwnode()
Date: Wed, 2 Jul 2025 23:55:12 +0200
Message-ID: <aGWqwNXy1AcCGf97@pollux>
In-Reply-To: <CAGETcx_yVXgvmbDFYe+Nbdp18D-m14W8xO_G9RyAujpag+M9ow@mail.gmail.com>

On Wed, Jul 02, 2025 at 02:34:04PM -0700, Saravana Kannan wrote:
> On Wed, Jul 2, 2025 at 12:26 PM Danilo Krummrich <dakr@kernel.org> wrote:
> >
> > On Wed, Jul 02, 2025 at 09:34:12AM +0200, Greg Kroah-Hartman wrote:
> > > On Tue, Jul 01, 2025 at 01:47:19PM +0200, Ulf Hansson wrote:
> > > > It has turned out get_dev_from_fwnode() is useful at a few other places
> > > > outside of the driver core, as in gpiolib.c for example. Therefore let's
> > > > make it available as a common helper function.
> > > >
> > > > Suggested-by: Saravana Kannan <saravanak@google.com>
> > > > Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > > > Tested-by: Hiago De Franco <hiago.franco@toradex.com> # Colibri iMX8X
> > > > Tested-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com> # TI AM62A,Xilinx ZynqMP ZCU106
> > > > Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
> > > > ---
> > > > drivers/base/core.c | 8 ++++++--
> > > > include/linux/device.h | 1 +
> > > > 2 files changed, 7 insertions(+), 2 deletions(-)
> > > >
> > >
> > > Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> >
> > I'm a bit concerned about exporting get_dev_from_fwnode() -- at least without a
> > clear note on that this helper should be used with caution.
> >
> > AFAIK, a struct fwnode_handle instance does not have a reference count for its
> > struct device pointer.
> >
> > Hence, calling get_dev_from_fwnode() with a valid fwnode handle is not enough.
>
> Not enough for what?

Having a valid pointer to a fwnode does not guarantee that fwnode->dev is a
valid pointer. Given that fwnode is reference counted itself, but only has a
weak reference of the device behind fwnode->dev, the device may have been
released already.

If the scope this function is called from can't guarantee that fwnode->dev has
not been released yet, it's a potential UAF.

Yes, device_del() sets dev->fwnode->dev = NULL. But that makes it still racy.

If someone has a reference count on the fwnode and calls get_dev_from_fwnode()
while device_del() runs concurrently (assuming that device_del() drops the last
reference of the device), it's a race with a potential UAF.

We should warn about this, when making get_dev_from_fwnode() an API that can
be used by *everyone*.

- Danilo
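
The orderings described in the message above, replayed deterministically in a user-space model. This is an added example, not code from the thread or from the kernel: `mdev`, `mfwnode`, `mdev_del()`, `mdev_get_loaded()` and `replay()` are hypothetical names, and a `released` flag stands in for freeing the device so that the model itself never touches freed memory.

```c
#include <stdbool.h>
#include <stddef.h>

/* User-space model constructed for illustration; not kernel code. */
struct mfwnode { struct mdev *dev; };  /* weak back-pointer, holds no reference */
struct mdev { int refs; bool released; struct mfwnode *fwnode; };

/* Models the teardown named in the mail: clear fwnode->dev, drop a reference. */
static void mdev_del(struct mdev *d)
{
	d->fwnode->dev = NULL;
	if (--d->refs == 0)
		d->released = true;  /* stands in for freeing the device */
}

enum outcome { GOT_LIVE_DEV, GOT_NULL, TOUCHED_RELEASED_DEV };

/* Second half of the getter: take a reference on the pointer loaded earlier. */
static enum outcome mdev_get_loaded(struct mdev *d)
{
	if (!d)
		return GOT_NULL;
	if (d->released)
		return TOUCHED_RELEASED_DEV;  /* would be a use-after-free */
	d->refs++;
	return GOT_LIVE_DEV;
}

/*
 * Replays one ordering. del_in_window: teardown runs between the load of
 * fwnode->dev and the reference grab; otherwise it finishes before the load.
 * caller_holds_ref: the calling scope already pins the device.
 */
enum outcome replay(bool caller_holds_ref, bool del_in_window)
{
	struct mfwnode fw = { NULL };
	struct mdev dev = { .refs = caller_holds_ref ? 2 : 1, .fwnode = &fw };
	struct mdev *loaded;

	fw.dev = &dev;
	if (!del_in_window)
		mdev_del(&dev);
	loaded = fw.dev;  /* first half of the getter: read the weak pointer */
	if (del_in_window)
		mdev_del(&dev);
	return mdev_get_loaded(loaded);
}

int main(void) { return replay(true, true) != GOT_LIVE_DEV; }
```

Only `replay(false, true)` ends in `TOUCHED_RELEASED_DEV`: clearing the pointer covers a teardown that has already finished, while a caller-held reference is what covers one that lands inside the window.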