From: Liang He <windhl@126.com>
To: agross@kernel.org, bjorn.andersson@linaro.org,
konrad.dybcio@somainline.org, linux-arm-msm@vger.kernel.org,
windhl@126.com
Subject: [PATCH 2/2] soc: qcom: smem_state: Add refcounting for the 'state->of_node'
Date: Thu, 21 Jul 2022 21:52:17 +0800
Message-ID: <20220721135217.1301039-2-windhl@126.com>
In-Reply-To: <20220721135217.1301039-1-windhl@126.com>
In qcom_smem_state_register() and qcom_smem_state_release(), we
should use of_node_get() and of_node_put() for the reference
creation and destruction of 'device_node'.
Fixes: 9460ae2ff308 ("soc: qcom: Introduce common SMEM state machine code")
Signed-off-by: Liang He <windhl@126.com>
---
I have learned that the 'state->of_node' is used to match client
lookups. But I do not know if there will be a premature free or UAF
if we do not refcount this new reference created in 'state->of_node'.
Please check it carefully.
drivers/soc/qcom/smem_state.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/soc/qcom/smem_state.c b/drivers/soc/qcom/smem_state.c
index 31faf4aa868e..e848cc9a3cf8 100644
--- a/drivers/soc/qcom/smem_state.c
+++ b/drivers/soc/qcom/smem_state.c
@@ -136,6 +136,7 @@ static void qcom_smem_state_release(struct kref *ref)
struct qcom_smem_state *state = container_of(ref, struct qcom_smem_state, refcount);
list_del(&state->list);
+ of_node_put(state->of_node);
kfree(state);
}
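Review bot: The of_node_put(state->of_node) added between list_del() and kfree() is only balanced if every state that reaches qcom_smem_state_release() obtained its of_node through of_node_get(), which is true only together with the second hunk, so the two changes must not be split or backported separately. A short comment on this line saying it drops the reference taken in qcom_smem_state_register() would make the pairing visible to the next reader. The placement is correct: state->of_node is read before kfree(state), and of_node_put() accepts a NULL node, so no guard is needed.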
@@ -205,7 +206,7 @@ struct qcom_smem_state *qcom_smem_state_register(struct device_node *of_node,
kref_init(&state->refcount);
- state->of_node = of_node;
+ state->of_node = of_node_get(of_node);
state->ops = *ops;
state->priv = priv;
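Review bot: The ownership change at "state->of_node = of_node_get(of_node);" is undocumented: the comment for qcom_smem_state_register() should state that the function takes its own reference on of_node and that the caller remains responsible for dropping the one it holds. Please also confirm that no failure path after this assignment frees the state with a bare kfree() instead of going through the kref release, since that would leak the reference just taken. The changelog would be stronger if it said outright that the pointer is stored for later client lookups, which is the reason the state needs to pin the node.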
--
2.25.1
Thread overview: 2+ messages
2022-07-21 13:52 [PATCH 1/2] soc: qcom: smsm: Fix refcount leak bugs in qcom_smsm_probe() Liang He
2022-07-21 13:52 ` Liang He [this message]