From: Johan Hovold <johan@kernel.org>
To: "Yong Wu (吴勇)" <Yong.Wu@mediatek.com>
Cc: "joro@8bytes.org" <joro@8bytes.org>,
"will@kernel.org" <will@kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"j@jannau.net" <j@jannau.net>,
"vdumpa@nvidia.com" <vdumpa@nvidia.com>,
"robin.murphy@arm.com" <robin.murphy@arm.com>,
"m.szyprowski@samsung.com" <m.szyprowski@samsung.com>,
"wens@csie.org" <wens@csie.org>,
"thierry.reding@gmail.com" <thierry.reding@gmail.com>,
"stable@vger.kernel.org" <stable@vger.kernel.org>,
"iommu@lists.linux.dev" <iommu@lists.linux.dev>,
"matthias.bgg@gmail.com" <matthias.bgg@gmail.com>,
"robin.clark@oss.qualcomm.com" <robin.clark@oss.qualcomm.com>,
"sven@kernel.org" <sven@kernel.org>,
AngeloGioacchino Del Regno
<angelogioacchino.delregno@collabora.com>
Subject: Re: [PATCH v2 06/14] iommu/mediatek: fix device leaks on probe()
Date: Mon, 20 Oct 2025 07:02:19 +0200 [thread overview]
Message-ID: <aPXCW43vFExjkVpq@hovoldconsulting.com> (raw)
In-Reply-To: <aeec9ee86b63ee892d84ab0232f372bdeccc780f.camel@mediatek.com>
On Sat, Oct 18, 2025 at 06:54:39AM +0000, Yong Wu (吴勇) wrote:
> On Tue, 2025-10-07 at 11:43 +0200, Johan Hovold wrote:
> > Make sure to drop the references taken to the larb devices during
> > probe on probe failure (e.g. probe deferral) and on driver unbind.
> >
> > Note that commit 26593928564c ("iommu/mediatek: Add error path for
> > loop
> > of mm_dts_parse") fixed the leaks in a couple of error paths, but the
> > references are still leaking on success and late failures.
> > @@ -1216,13 +1216,17 @@ static int mtk_iommu_mm_dts_parse(struct
> > device *dev, struct component_match **m
> > platform_device_put(plarbdev);
> > }
> >
> > - if (!frst_avail_smicomm_node)
> > - return -EINVAL;
> > + if (!frst_avail_smicomm_node) {
> > + ret = -EINVAL;
> > + goto err_larbdev_put;
>
> There already is a "platform_device_put(plarbdev);" at the end of "for"
> loop, then no need put_device for it outside the "for" loop or outside
> this function?
You're right, thanks for catching that.
But this means that we have an existing potential use-after-free as if,
for example, the driver probe defers we would put the reference to any
previously looked up larbs twice.
I've just sent a v3 which fixes this by dropping the
platform_device_put() after successful lookup as it is expected that the
driver keeps the references while it uses the larb devices:
https://lore.kernel.org/lkml/20251020045318.30690-1-johan@kernel.org/
Johan
next prev parent reply other threads:[~2025-10-20 5:02 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-07 9:43 [PATCH v2 00/14] iommu: fix device leaks Johan Hovold
2025-10-07 9:43 ` [PATCH v2 01/14] iommu/apple-dart: fix device leak on of_xlate() Johan Hovold
2025-10-07 9:43 ` [PATCH v2 02/14] iommu/qcom: " Johan Hovold
2025-10-07 9:43 ` [PATCH v2 03/14] iommu/exynos: " Johan Hovold
2025-10-07 9:49 ` Marek Szyprowski
2025-10-07 9:43 ` [PATCH v2 04/14] iommu/ipmmu-vmsa: " Johan Hovold
2025-10-07 9:43 ` [PATCH v2 05/14] iommu/mediatek: " Johan Hovold
2025-10-18 6:50 ` Yong Wu (吴勇)
2025-10-07 9:43 ` [PATCH v2 06/14] iommu/mediatek: fix device leaks on probe() Johan Hovold
2025-10-18 6:54 ` Yong Wu (吴勇)
2025-10-20 5:02 ` Johan Hovold [this message]
2025-10-07 9:43 ` [PATCH v2 07/14] iommu/mediatek: simplify dt parsing error handling Johan Hovold
2025-10-07 9:43 ` [PATCH v2 08/14] iommu/mediatek-v1: fix device leak on probe_device() Johan Hovold
2025-10-18 6:51 ` Yong Wu (吴勇)
2025-10-07 9:43 ` [PATCH v2 09/14] iommu/mediatek-v1: fix device leaks on probe() Johan Hovold
2025-10-07 9:43 ` [PATCH v2 10/14] iommu/mediatek-v1: add missing larb count sanity check Johan Hovold
2025-10-18 6:51 ` Yong Wu (吴勇)
2025-10-07 9:43 ` [PATCH v2 11/14] iommu/omap: fix device leaks on probe_device() Johan Hovold
2025-10-07 9:43 ` [PATCH v2 12/14] iommu/omap: simplify probe_device() error handling Johan Hovold
2025-10-07 9:43 ` [PATCH v2 13/14] iommu/sun50i: fix device leak on of_xlate() Johan Hovold
2025-10-07 9:43 ` [PATCH v2 14/14] iommu/tegra: fix device leak on probe_device() Johan Hovold
2025-10-09 7:56 ` Thierry Reding
2025-10-09 8:27 ` Johan Hovold
2025-10-09 10:15 ` Thierry Reding
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aPXCW43vFExjkVpq@hovoldconsulting.com \
--to=johan@kernel.org \
--cc=Yong.Wu@mediatek.com \
--cc=angelogioacchino.delregno@collabora.com \
--cc=iommu@lists.linux.dev \
--cc=j@jannau.net \
--cc=joro@8bytes.org \
--cc=linux-kernel@vger.kernel.org \
--cc=m.szyprowski@samsung.com \
--cc=matthias.bgg@gmail.com \
--cc=robin.clark@oss.qualcomm.com \
--cc=robin.murphy@arm.com \
--cc=stable@vger.kernel.org \
--cc=sven@kernel.org \
--cc=thierry.reding@gmail.com \
--cc=vdumpa@nvidia.com \
--cc=wens@csie.org \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.