From: sashiko-bot@kernel.org
To: "Weigang He" <geoffreyhe2@gmail.com>
Cc: imx@lists.linux.dev, Frank.Li@kernel.org
Subject: Re: [PATCH 1/2] ARM: imx: fix device_node refcount leak in imx_src_init()
Date: Wed, 10 Jun 2026 05:16:03 +0000
Message-ID: <20260610051604.43B001F00893@smtp.kernel.org>
In-Reply-To: <20260610050625.2229221-2-geoffreyhe2@gmail.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] This problem wasn't introduced by this patch, but the `imx_src_probe()` platform driver blindly registers the reset controller without verifying if the global `src_base` pointer was successfully initialized.
--
commit 3a8b3e9f6b1a902d26351b0e93daa81ca748d342
Author: Weigang He <geoffreyhe2@gmail.com>
ARM: imx: fix device_node refcount leak in imx_src_init()
imx_src_init() obtains a device_node reference via
of_find_compatible_node() matching "fsl,imx51-src" and uses it only to
call of_iomap(). It never releases that reference: on the success path
the function returns at the end without of_node_put(np), leaking one
device_node refcount on every boot of an i.MX5/6 platform.
> diff --git a/arch/arm/mach-imx/src.c b/arch/arm/mach-imx/src.c
> index 59a8e8cc44693..f28bfb653a88f 100644
> --- a/arch/arm/mach-imx/src.c
> +++ b/arch/arm/mach-imx/src.c
> @@ -171,6 +171,7 @@ void __init imx_src_init(void)
> if (!np)
> return;
> src_base = of_iomap(np, 0);
> + of_node_put(np);
> WARN_ON(!src_base);
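Review bot: at the added of_node_put(np), the put is safe only if nothing later in imx_src_init() still uses np, and the hunk's context ends at WARN_ON(!src_base), so please confirm that against the full function. Placing the put directly after of_iomap(np, 0) also drops the reference when the mapping fails, while the commit message describes only the success path; a sentence saying the put covers both outcomes would make the intent clear.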
[Severity: High]
This isn't a bug introduced by this patch, but the imx_src_probe() platform
driver blindly registers the reset controller without verifying if the global
src_base pointer was successfully initialized.
On platforms like i.MX50, the early boot initialization function
imx_src_init() is never called, leaving src_base statically uninitialized
(NULL).
Despite src_base being NULL, the i.MX50 device tree contains the
"fsl,imx51-src" compatible string, which causes imx_src_probe() to execute
and register the reset controller:
arch/arm/mach-imx/src.c:imx_src_probe() {
    ...
    rcdev->ops = &imx_src_ops;
    rcdev->dev = &pdev->dev;
    rcdev->of_node = pdev->dev.of_node;
    rcdev->nr_resets = ARRAY_SIZE(sw_reset_bits);
    return devm_reset_controller_register(&pdev->dev, rcdev);
}
Any subsequent consumer request for a reset via the API will trigger a
structurally guaranteed kernel panic on a NULL pointer dereference because
imx_src_reset_module() unconditionally dereferences src_base.
Should the probe function verify if (!src_base) before registering the
controller to avoid exposing a fatally broken API?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260610050625.2229221-1-geoffreyhe2@gmail.com?part=1
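The guard the review asks about, as an added example that is not part of the original message or of the kernel source: a user-space C model that contrasts a probe that registers the controller unconditionally with one that checks src_base first. The names probe_unguarded, probe_guarded, model_src_init, model_clear, consumer_reset and fake_regs, and the -ENODEV return value, are assumptions made for the model.

```c
/* User-space model, constructed for illustration; not kernel code. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

static uint32_t fake_regs[4];            /* stands in for the of_iomap() result */
static volatile uint32_t *src_base;      /* NULL unless early init ran and mapped */

struct reset_ctrl { int (*reset)(unsigned int id); unsigned int nr_resets; };
static const struct reset_ctrl *registered;  /* what reset consumers can reach */

/* Like the handler described in the review: dereferences src_base unconditionally. */
static int model_reset_module(unsigned int id)
{
	src_base[0] |= 1u << id;
	return 0;
}
static const struct reset_ctrl src_rcdev = { model_reset_module, 5 };

static void model_clear(void) { src_base = NULL; registered = NULL; fake_regs[0] = 0; }
static void model_src_init(void) { src_base = fake_regs; }  /* skipped on some SoCs */

/* Probe as quoted in the review: registers regardless of src_base. */
static int probe_unguarded(void) { registered = &src_rcdev; return 0; }

/* Probe with the check the review suggests; -ENODEV is an assumed error code. */
static int probe_guarded(void)
{
	if (!src_base)
		return -ENODEV;
	registered = &src_rcdev;
	return 0;
}

/* Consumer request. -EFAULT marks the spot where a real kernel would oops. */
static int consumer_reset(unsigned int id)
{
	if (!registered)
		return -ENOENT;          /* no controller exposed: clean failure */
	if (!src_base)
		return -EFAULT;          /* model only: NULL dereference in the handler */
	return registered->reset(id);
}

int main(void)
{
	model_clear(); probe_unguarded();
	printf("unguarded, no init: %d\n", consumer_reset(1));
	model_clear(); printf("guarded, no init: probe=%d\n", probe_guarded());
	return 0;
}
```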