Re: [PATCH 14/23] pmdomain: imx: use platform_device_set_of_node()

[sashiko-bot@kernel.org]

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] OF node reference underflow leading to double-free and use-after-free in gpcv2 driver.
--

commit bd67fa18bf0839e7723c9cc2462ace1f391ce4b1
Author: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>

pmdomain: imx: use platform_device_set_of_node()

Ahead of reworking the reference counting logic for platform devices,
encapsulate the assignment of the OF node for dynamically allocated
platform devices with the provided helper.

> diff --git a/drivers/pmdomain/imx/gpc.c b/drivers/pmdomain/imx/gpc.c
> index 42e50c9b4fb9f..abca5f449a226 100644
> --- a/drivers/pmdomain/imx/gpc.c
> +++ b/drivers/pmdomain/imx/gpc.c
> @@ -487,8 +487,7 @@ static int imx_gpc_probe(struct platform_device *pdev)
>  			domain->ipg_rate_mhz = ipg_rate_mhz;
>  
>  			pd_pdev->dev.parent = &pdev->dev;
> -			pd_pdev->dev.of_node = of_node_get(np);
> -			pd_pdev->dev.fwnode = of_fwnode_handle(np);
> +			platform_device_set_of_node(pd_pdev, np);

[Severity: High]
This isn't a bug introduced by this patch, but does the same fix need to be
applied to drivers/pmdomain/imx/gpcv2.c?

In imx_gpcv2_probe(), the scoped iterator for_each_child_of_node_scoped()
drops the reference on np when the loop iteration ends. However, the child
platform device's node is assigned using device_set_node(), which does not
increment the OF node's reference count:

drivers/pmdomain/imx/gpcv2.c:imx_gpcv2_probe()
    ...
    for_each_child_of_node_scoped(pgc_np, np) {
        ...
        pd_pdev->dev.parent = dev;
        device_set_node(&pd_pdev->dev, of_fwnode_handle(np));
        
        ret = platform_device_add(pd_pdev);
        if (ret) {
            platform_device_put(pd_pdev);
            ...
    }

When the platform device is eventually unregistered, or freed on the error
path via platform_device_put(), platform_device_release() will invoke
of_node_put() (or fwnode_handle_put() after the refcounting rework). This
results in a double-free of the OF node, since the initial reference was
never taken.

Should platform_device_set_of_node() also be used in gpcv2.c to properly
handle these reference counts?

>  
>  			ret = platform_device_add(pd_pdev);
>  			if (ret) {

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260521-pdev-fwnode-ref-v1-0-88c324a1b8d2@oss.qualcomm.com?part=14