From: Shuhao Fu <sfual@cse.ust.hk>
To: Frank Li <Frank.li@nxp.com>
Cc: Alexandre Belloni <alexandre.belloni@bootlin.com>,
linux-i3c@lists.infradead.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] i3c: fix refcount inconsistency in i3c_master_register
Date: Tue, 14 Oct 2025 09:55:26 +0800 [thread overview]
Message-ID: <aO2tjp_FsV_WohPG@osx.local> (raw)
In-Reply-To: <aO12r9v4xaJKHUQs@lizhi-Precision-Tower-5810>
On Mon, Oct 13, 2025 at 06:01:19PM -0400, Frank Li wrote:
> On Tue, Oct 14, 2025 at 05:09:53AM +0800, Shuhao Fu wrote:
> > On Mon, Oct 13, 2025 at 04:19:00PM -0400, Frank Li wrote:
> > > On Fri, Oct 10, 2025 at 02:34:08PM +0800, Shuhao Fu wrote:
> > > > On Thu, Oct 09, 2025 at 12:17:11PM -0400, Frank Li wrote:
> > > > > On Wed, Oct 08, 2025 at 03:27:09PM +0800, Shuhao Fu wrote:
> > > > > > In `i3c_master_register`, a possible refcount inconsistency has been
> > > > > > identified, causing possible resource leak.
> > > > > >
> > > > > > Function `of_node_get` increases the refcount of `parent->of_node`. If
> > > > > > function `i3c_bus_init` fails, the function returns immediately without
> > > > > > a corresponding decrease, resulting in an inconsistent refcounter.
> > > > > >
> > > > > > In this patch, an extra goto label is added to ensure the balance of
> > > > > > refcount when `i3c_bus_init` fails.
> > > > > >
> > > > > > Fixes: 3a379bbcea0a ("i3c: Add core I3C infrastructure")
> > > > > > Signed-off-by: Shuhao Fu <sfual@cse.ust.hk>
> > > > > > ---
> > > > > > drivers/i3c/master.c | 5 ++++-
> > > > > > 1 file changed, 4 insertions(+), 1 deletion(-)
> > > > > >
> > > > > > diff --git a/drivers/i3c/master.c b/drivers/i3c/master.c
> > > > > > index d946db75d..9f4fe98d2 100644
> > > > > > --- a/drivers/i3c/master.c
> > > > > > +++ b/drivers/i3c/master.c
> > > > > > @@ -2885,7 +2885,7 @@ int i3c_master_register(struct i3c_master_controller *master,
> > > > > >
> > > > > > ret = i3c_bus_init(i3cbus, master->dev.of_node);
> > > > > > if (ret)
> > > > > > - return ret;
> > > > > > + goto err_put_of_node;
> > > > >
> > > > > I think it'd better to set release function for master dev to release
> > > > > of_node because of_node_put() also missed at i3c_master_unregister()
> > > > >
> > > > > you can refer drivers/base/platform.c
> > > > >
> > > > > Frank
> > > >
> > > > Do you mean that we should do `of_node_release` in
> > > > `platform_device_release`, instead of respecting the refcounting via
> > > > `of_node_put`?
> > >
> > > Sorry, I checked code again.
> > >
> > > static void i3c_masterdev_release(struct device *dev)
> > > {
> > > ...
> > > of_node_put(dev->of_node);
> > > }
> > >
> > > i3c_master_register()
> > > {
> > > ...
> > > master->dev.release = i3c_masterdev_release;
> > > ...
> > > };
> > >
> > > Suppose of_node_put() will be auto called when put_device(&master->dev);
> > >
> > > Do you really meet the problem or just static anaysis?
> > >
> > > Frank
> >
> > Honestly, it's from static analysis.
> >
> > My apologies for overlooking the release handle. I checked the code once
> > again. It still looks suspicious as it would not call `put_device` if it
> > fails. I also checked call sites related to `i3c_master_register` and
> > they dont seem to do the clean-up if register fails.
>
>
> @@ -2814,10 +2816,6 @@ int i3c_master_register(struct i3c_master_controller *master,
> INIT_LIST_HEAD(&master->boardinfo.i2c);
> INIT_LIST_HEAD(&master->boardinfo.i3c);
>
> - ret = i3c_bus_init(i3cbus, master->dev.of_node);
> - if (ret)
> - return ret;
> -
> device_initialize(&master->dev);
> dev_set_name(&master->dev, "i3c-%d", i3cbus->id);
>
> @@ -2825,6 +2823,10 @@ int i3c_master_register(struct i3c_master_controller *master,
> master->dev.coherent_dma_mask = parent->coherent_dma_mask;
> master->dev.dma_parms = parent->dma_parms;
>
> + ret = i3c_bus_init(i3cbus, master->dev.of_node);
> + if (ret)
> + goto err_put_dev;
> +
>
> I inject at error at i3c_bus_init(), above code can trigger i3c_masterdev_release,
> which call of_node_put().
>
> Frank
>
Thank you for fixing the refcounting issue. May I kindly ask for a
reported-by tag for this fix "Reported-by: Shuhao Fu <sfual@cse.ust.hk>"?
Thanks,
Shuhao
> >
> > Shuhao
> > > >
> > > > >
> > > > > >
> > > > > > device_initialize(&master->dev);
> > > > > > dev_set_name(&master->dev, "i3c-%d", i3cbus->id);
> > > > > > @@ -2973,6 +2973,9 @@ int i3c_master_register(struct i3c_master_controller *master,
> > > > > > err_put_dev:
> > > > > > put_device(&master->dev);
> > > > > >
> > > > > > +err_put_of_node:
> > > > > > + of_node_put(master->dev.of_node);
> > > > > > +
> > > > > > return ret;
> > > > > > }
> > > > > > EXPORT_SYMBOL_GPL(i3c_master_register);
> > > > > > --
> > > > > > 2.39.5 (Apple Git-154)
> > > > > >
> > > > > >
> > > > > > --
> > > > > > linux-i3c mailing list
> > > > > > linux-i3c@lists.infradead.org
> > > > > > https://apc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Flists.infradead.org%2Fmailman%2Flistinfo%2Flinux-i3c&data=05%7C02%7Csfual%40connect.ust.hk%7Cdbe4f1ecc0c84f304fca08de0aa414ff%7C6c1d415239d044ca88d9b8d6ddca0708%7C1%7C0%7C638959897018898845%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=%2BmCDBh4d6Se%2BuO5xJgSDVupMRir7ZFH7f8RtzGUucoE%3D&reserved=0
> > > >
> > > > --
> > > > linux-i3c mailing list
> > > > linux-i3c@lists.infradead.org
> > > > https://apc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Flists.infradead.org%2Fmailman%2Flistinfo%2Flinux-i3c&data=05%7C02%7Csfual%40connect.ust.hk%7Cdbe4f1ecc0c84f304fca08de0aa414ff%7C6c1d415239d044ca88d9b8d6ddca0708%7C1%7C0%7C638959897018922222%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=MdqJwKEKImd8UAQ0hyHjWyZx8vX1YSxU%2FqKDgpF0JPA%3D&reserved=0
--
linux-i3c mailing list
linux-i3c@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-i3c
WARNING: multiple messages have this Message-ID (diff)
From: Shuhao Fu <sfual@cse.ust.hk>
To: Frank Li <Frank.li@nxp.com>
Cc: Alexandre Belloni <alexandre.belloni@bootlin.com>,
linux-i3c@lists.infradead.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] i3c: fix refcount inconsistency in i3c_master_register
Date: Tue, 14 Oct 2025 09:55:26 +0800 [thread overview]
Message-ID: <aO2tjp_FsV_WohPG@osx.local> (raw)
In-Reply-To: <aO12r9v4xaJKHUQs@lizhi-Precision-Tower-5810>
On Mon, Oct 13, 2025 at 06:01:19PM -0400, Frank Li wrote:
> On Tue, Oct 14, 2025 at 05:09:53AM +0800, Shuhao Fu wrote:
> > On Mon, Oct 13, 2025 at 04:19:00PM -0400, Frank Li wrote:
> > > On Fri, Oct 10, 2025 at 02:34:08PM +0800, Shuhao Fu wrote:
> > > > On Thu, Oct 09, 2025 at 12:17:11PM -0400, Frank Li wrote:
> > > > > On Wed, Oct 08, 2025 at 03:27:09PM +0800, Shuhao Fu wrote:
> > > > > > In `i3c_master_register`, a possible refcount inconsistency has been
> > > > > > identified, causing possible resource leak.
> > > > > >
> > > > > > Function `of_node_get` increases the refcount of `parent->of_node`. If
> > > > > > function `i3c_bus_init` fails, the function returns immediately without
> > > > > > a corresponding decrease, resulting in an inconsistent refcounter.
> > > > > >
> > > > > > In this patch, an extra goto label is added to ensure the balance of
> > > > > > refcount when `i3c_bus_init` fails.
> > > > > >
> > > > > > Fixes: 3a379bbcea0a ("i3c: Add core I3C infrastructure")
> > > > > > Signed-off-by: Shuhao Fu <sfual@cse.ust.hk>
> > > > > > ---
> > > > > > drivers/i3c/master.c | 5 ++++-
> > > > > > 1 file changed, 4 insertions(+), 1 deletion(-)
> > > > > >
> > > > > > diff --git a/drivers/i3c/master.c b/drivers/i3c/master.c
> > > > > > index d946db75d..9f4fe98d2 100644
> > > > > > --- a/drivers/i3c/master.c
> > > > > > +++ b/drivers/i3c/master.c
> > > > > > @@ -2885,7 +2885,7 @@ int i3c_master_register(struct i3c_master_controller *master,
> > > > > >
> > > > > > ret = i3c_bus_init(i3cbus, master->dev.of_node);
> > > > > > if (ret)
> > > > > > - return ret;
> > > > > > + goto err_put_of_node;
> > > > >
> > > > > I think it'd better to set release function for master dev to release
> > > > > of_node because of_node_put() also missed at i3c_master_unregister()
> > > > >
> > > > > you can refer drivers/base/platform.c
> > > > >
> > > > > Frank
> > > >
> > > > Do you mean that we should do `of_node_release` in
> > > > `platform_device_release`, instead of respecting the refcounting via
> > > > `of_node_put`?
> > >
> > > Sorry, I checked code again.
> > >
> > > static void i3c_masterdev_release(struct device *dev)
> > > {
> > > ...
> > > of_node_put(dev->of_node);
> > > }
> > >
> > > i3c_master_register()
> > > {
> > > ...
> > > master->dev.release = i3c_masterdev_release;
> > > ...
> > > };
> > >
> > > Suppose of_node_put() will be auto called when put_device(&master->dev);
> > >
> > > Do you really meet the problem or just static anaysis?
> > >
> > > Frank
> >
> > Honestly, it's from static analysis.
> >
> > My apologies for overlooking the release handle. I checked the code once
> > again. It still looks suspicious as it would not call `put_device` if it
> > fails. I also checked call sites related to `i3c_master_register` and
> > they dont seem to do the clean-up if register fails.
>
>
> @@ -2814,10 +2816,6 @@ int i3c_master_register(struct i3c_master_controller *master,
> INIT_LIST_HEAD(&master->boardinfo.i2c);
> INIT_LIST_HEAD(&master->boardinfo.i3c);
>
> - ret = i3c_bus_init(i3cbus, master->dev.of_node);
> - if (ret)
> - return ret;
> -
> device_initialize(&master->dev);
> dev_set_name(&master->dev, "i3c-%d", i3cbus->id);
>
> @@ -2825,6 +2823,10 @@ int i3c_master_register(struct i3c_master_controller *master,
> master->dev.coherent_dma_mask = parent->coherent_dma_mask;
> master->dev.dma_parms = parent->dma_parms;
>
> + ret = i3c_bus_init(i3cbus, master->dev.of_node);
> + if (ret)
> + goto err_put_dev;
> +
>
> I inject at error at i3c_bus_init(), above code can trigger i3c_masterdev_release,
> which call of_node_put().
>
> Frank
>
Thank you for fixing the refcounting issue. May I kindly ask for a
reported-by tag for this fix "Reported-by: Shuhao Fu <sfual@cse.ust.hk>"?
Thanks,
Shuhao
> >
> > Shuhao
> > > >
> > > > >
> > > > > >
> > > > > > device_initialize(&master->dev);
> > > > > > dev_set_name(&master->dev, "i3c-%d", i3cbus->id);
> > > > > > @@ -2973,6 +2973,9 @@ int i3c_master_register(struct i3c_master_controller *master,
> > > > > > err_put_dev:
> > > > > > put_device(&master->dev);
> > > > > >
> > > > > > +err_put_of_node:
> > > > > > + of_node_put(master->dev.of_node);
> > > > > > +
> > > > > > return ret;
> > > > > > }
> > > > > > EXPORT_SYMBOL_GPL(i3c_master_register);
> > > > > > --
> > > > > > 2.39.5 (Apple Git-154)
> > > > > >
> > > > > >
> > > > > > --
> > > > > > linux-i3c mailing list
> > > > > > linux-i3c@lists.infradead.org
> > > > > > https://apc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Flists.infradead.org%2Fmailman%2Flistinfo%2Flinux-i3c&data=05%7C02%7Csfual%40connect.ust.hk%7Cdbe4f1ecc0c84f304fca08de0aa414ff%7C6c1d415239d044ca88d9b8d6ddca0708%7C1%7C0%7C638959897018898845%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=%2BmCDBh4d6Se%2BuO5xJgSDVupMRir7ZFH7f8RtzGUucoE%3D&reserved=0
> > > >
> > > > --
> > > > linux-i3c mailing list
> > > > linux-i3c@lists.infradead.org
> > > > https://apc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Flists.infradead.org%2Fmailman%2Flistinfo%2Flinux-i3c&data=05%7C02%7Csfual%40connect.ust.hk%7Cdbe4f1ecc0c84f304fca08de0aa414ff%7C6c1d415239d044ca88d9b8d6ddca0708%7C1%7C0%7C638959897018922222%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=MdqJwKEKImd8UAQ0hyHjWyZx8vX1YSxU%2FqKDgpF0JPA%3D&reserved=0
next prev parent reply other threads:[~2025-10-14 1:55 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-08 7:27 [PATCH] i3c: fix refcount inconsistency in i3c_master_register Shuhao Fu
2025-10-08 7:27 ` Shuhao Fu
2025-10-09 16:17 ` Frank Li
2025-10-09 16:17 ` Frank Li
2025-10-10 6:34 ` Shuhao Fu
2025-10-10 6:34 ` Shuhao Fu
2025-10-13 20:19 ` Frank Li
2025-10-13 20:19 ` Frank Li
2025-10-13 21:09 ` Shuhao Fu
2025-10-13 21:09 ` Shuhao Fu
2025-10-13 22:01 ` Frank Li
2025-10-13 22:01 ` Frank Li
2025-10-14 1:55 ` Shuhao Fu [this message]
2025-10-14 1:55 ` Shuhao Fu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aO2tjp_FsV_WohPG@osx.local \
--to=sfual@cse.ust.hk \
--cc=Frank.li@nxp.com \
--cc=alexandre.belloni@bootlin.com \
--cc=linux-i3c@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.