From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
To: Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
Xu Yang <xu.yang_2@nxp.com>,
linux-acpi@vger.kernel.org, driver-core@lists.linux.dev,
linux-kernel@vger.kernel.org
Cc: Daniel Scally <djrscally@gmail.com>,
Heikki Krogerus <heikki.krogerus@linux.intel.com>,
Sakari Ailus <sakari.ailus@linux.intel.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
"Rafael J. Wysocki" <rafael@kernel.org>,
Danilo Krummrich <dakr@kernel.org>
Subject: [PATCH v4 0/3] device property: fix child iteration issues with secondary fwnodes
Date: Thu, 11 Jun 2026 22:31:05 +0200 [thread overview]
Message-ID: <20260611203537.1786399-1-andriy.shevchenko@linux.intel.com> (raw)
This series fixes two issues in the fwnode child iteration logic when
a secondary fwnode is present.
The first issue is a refcount imbalance in software_node_get_next_child().
When a software node is used as a secondary fwnode, the iteration code may
incorrectly decrement the refcount of child nodes that do not belong to the
software node hierarchy. This results in refcount underflow and possible
use-after-free.
The second issue is an infinite loop in fwnode_for_each_child_node(), caused
by improper handling of iteration state across primary and secondary fwnodes.
When iterating over children from both primary and secondary fwnodes, the code
may incorrectly resume iteration from the primary fwnode even when the current
child belongs to the secondary, leading to repeated traversal and a loop.
Both issues are triggered when mixing different fwnode types through the
secondary mechanism, and stem from incorrect assumptions about ownership
and traversal context of child nodes.
Changes in v4:
- amended the fix and test case (Andy)
- added patch 2 to align other implementations with RAII approach (Andy)
- tested on Intel Galileo board for which the initial code was developed (Andy)
- Link to v3: https://patch.msgid.link/20260605-fixes_fwnode_iteration-v3-0-44c18472e1d1@nxp.com
Changes in v3:
- remove software node patch
- add a kunit test case suggested by Andy Shevchenko
- Link to v2: https://patch.msgid.link/20260603-fixes_fwnode_iteration-v2-0-0ae381f8b7b9@nxp.com
Changes in v2:
- use __free() to cleanup parent fwnode
- Link to v1: https://lore.kernel.org/r/20260525-fixes_fwnode_iteration-v1-0-a12903fb2919@nxp.com
Andy Shevchenko (1):
device property: Refactor to use RAII approach
Xu Yang (2):
device property: fix infinite loop in fwnode_for_each_child_node()
device property: add test cases for fwnode_for_each_child_node()
drivers/base/property.c | 41 ++++---
drivers/base/test/Kconfig | 1 +
drivers/base/test/property-entry-test.c | 136 ++++++++++++++++++++++++
3 files changed, 161 insertions(+), 17 deletions(-)
--
2.50.1
next reply other threads:[~2026-06-11 20:35 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-11 20:31 Andy Shevchenko [this message]
2026-06-11 20:31 ` [PATCH v4 1/3] device property: fix infinite loop in fwnode_for_each_child_node() Andy Shevchenko
2026-06-12 6:47 ` Xu Yang
2026-06-11 20:31 ` [PATCH v4 2/3] device property: Refactor to use RAII approach Andy Shevchenko
2026-06-11 20:46 ` Rafael J. Wysocki
2026-06-11 21:12 ` Andy Shevchenko
2026-06-11 20:31 ` [PATCH v4 3/3] device property: add test cases for fwnode_for_each_child_node() Andy Shevchenko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260611203537.1786399-1-andriy.shevchenko@linux.intel.com \
--to=andriy.shevchenko@linux.intel.com \
--cc=dakr@kernel.org \
--cc=djrscally@gmail.com \
--cc=driver-core@lists.linux.dev \
--cc=gregkh@linuxfoundation.org \
--cc=heikki.krogerus@linux.intel.com \
--cc=linux-acpi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=rafael@kernel.org \
--cc=sakari.ailus@linux.intel.com \
--cc=xu.yang_2@nxp.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox