From: sashiko-bot@kernel.org
To: "Bartosz Golaszewski" <bartosz.golaszewski@oss.qualcomm.com>
Cc: conor+dt@kernel.org, devicetree@vger.kernel.org,
imx@lists.linux.dev, Frank.Li@kernel.org, robh@kernel.org
Subject: Re: [PATCH 23/23] driver core: platform: count references to all kinds of firmware nodes
Date: Sat, 30 May 2026 00:45:47 +0000 [thread overview]
Message-ID: <20260530004547.E91B81F00893@smtp.kernel.org> (raw)
In-Reply-To: <20260521-pdev-fwnode-ref-v1-23-88c324a1b8d2@oss.qualcomm.com>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [High] Unconditionally putting `dev->fwnode` in `platform_device_release()` causes refcount underflows and use-after-free bugs for dynamically allocated fwnodes manually assigned by drivers.
- [Medium] The firmware node reference acquired during `platform_device_register_full()` is leaked on the error path because `ACPI_COMPANION_SET()` clears the `fwnode` pointer before it can be released.
--
commit e4918f4a259d02413dc609fd6279d8c955cad207
Author: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
driver core: platform: count references to all kinds of firmware nodes
This commit switches the platform device core to manage references for
all firmware nodes uniformly, rather than just OF nodes. It updates
platform_device_release() and assignment functions to use fwnode APIs.
> diff --git a/drivers/base/platform.c b/drivers/base/platform.c
> --- a/drivers/base/platform.c
> +++ b/drivers/base/platform.c
> @@ -599,7 +599,7 @@ static void platform_device_release(struct device *dev)
> struct platform_object *pa = container_of(dev, struct platform_object,
> pdev.dev);
>
> - of_node_put(pa->pdev.dev.of_node);
> + fwnode_handle_put(pa->pdev.dev.fwnode);
[Severity: High]
If drivers manually assign their parent's fwnode during probe without
incrementing the reference count, will this regression cause a reference
count underflow?
For instance, some drivers assign the fwnode directly:
device_set_node(&pdev->dev, dev_fwnode(pdev->dev.parent));
Previously, of_node_put() was a safe no-op for non-OF nodes like software
nodes. Now, platform_device_release() unconditionally calls
fwnode_handle_put().
If the parent's fwnode is a dynamically allocated software node,
software_node_put() will be invoked without a corresponding
software_node_get().
Could this prematurely free the node and lead to a use-after-free for the
parent and other devices sharing it?
[ ... ]
> @@ -921,8 +918,8 @@ struct platform_device *platform_device_register_full(const struct platform_devi
> return ERR_PTR(-ENOMEM);
>
> pdev->dev.parent = pdevinfo->parent;
> - pdev->dev.fwnode = pdevinfo->fwnode;
> - pdev->dev.of_node = of_node_get(to_of_node(pdev->dev.fwnode));
> + pdev->dev.fwnode = fwnode_handle_get(pdevinfo->fwnode);
> + pdev->dev.of_node = to_of_node(pdev->dev.fwnode);
> dev_assign_of_node_reused(&pdev->dev, pdevinfo->of_node_reused);
>
> if (pdevinfo->dma_mask) {
[Severity: Medium]
Does this code leak the firmware node reference if an error occurs later in
this function?
If platform_device_add() fails, the error path executes:
err:
ACPI_COMPANION_SET(&pdev->dev, NULL);
platform_device_put(pdev);
The ACPI_COMPANION_SET() macro expands to set_primary_fwnode() and clears
pdev->dev.fwnode.
When platform_device_put() eventually calls platform_device_release(), the
fwnode pointer is already NULL.
Since fwnode_handle_put() acts as a no-op on a NULL pointer, will the
reference acquired here by fwnode_handle_get() be left unbalanced?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260521-pdev-fwnode-ref-v1-0-88c324a1b8d2@oss.qualcomm.com?part=23
next prev parent reply other threads:[~2026-05-30 0:45 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-21 8:36 [PATCH 00/23] driver core: count references of the platform device's fwnode, not OF node Bartosz Golaszewski
2026-05-21 8:36 ` [PATCH 01/23] mfd: tps6586x: fix OF node refcount Bartosz Golaszewski
2026-05-27 15:36 ` (subset) " Lee Jones
2026-05-30 0:45 ` sashiko-bot
2026-05-21 8:36 ` [PATCH 02/23] net: mv643xx: " Bartosz Golaszewski
2026-05-21 8:36 ` [PATCH 03/23] slimbus: qcom-ngd-ctrl: " Bartosz Golaszewski
2026-05-30 0:45 ` sashiko-bot
2026-05-21 8:36 ` [PATCH 04/23] pmdomain: imx: " Bartosz Golaszewski
2026-05-30 0:45 ` sashiko-bot
2026-05-21 8:36 ` [PATCH 05/23] powerpc/powermac: " Bartosz Golaszewski
2026-05-21 8:36 ` [PATCH 06/23] driver core: platform: provide platform_device_set_of_node() Bartosz Golaszewski
2026-05-21 8:36 ` [PATCH 07/23] driver core: platform: provide platform_device_set_fwnode() Bartosz Golaszewski
2026-05-21 8:36 ` [PATCH 08/23] driver core: platform: provide platform_device_set_of_node_from_dev() Bartosz Golaszewski
2026-05-21 8:36 ` [PATCH 09/23] of: platform: use platform_device_set_of_node() Bartosz Golaszewski
2026-05-21 8:36 ` [PATCH 10/23] powerpc/powermac: " Bartosz Golaszewski
2026-05-21 8:36 ` [PATCH 11/23] i2c: pxa-pci: " Bartosz Golaszewski
2026-05-21 9:13 ` Wolfram Sang
2026-05-30 0:45 ` sashiko-bot
2026-05-21 8:36 ` [PATCH 12/23] iommu/fsl: " Bartosz Golaszewski
2026-05-21 9:44 ` Robin Murphy
2026-05-21 8:36 ` [PATCH 13/23] net: bcmgenet: " Bartosz Golaszewski
2026-05-30 0:45 ` sashiko-bot
2026-05-21 8:36 ` [PATCH 14/23] pmdomain: imx: " Bartosz Golaszewski
2026-05-30 0:45 ` sashiko-bot
2026-05-21 8:36 ` [PATCH 15/23] mfd: tps6586: " Bartosz Golaszewski
2026-05-27 15:31 ` Lee Jones
2026-05-30 0:45 ` sashiko-bot
2026-05-21 8:36 ` [PATCH 16/23] slimbus: qcom-ngd-ctrl: " Bartosz Golaszewski
2026-05-30 0:45 ` sashiko-bot
2026-05-21 8:36 ` [PATCH 17/23] net: mv643xx: " Bartosz Golaszewski
2026-05-30 0:45 ` sashiko-bot
2026-05-21 8:36 ` [PATCH 18/23] drm/xe/i2c: use platform_device_set_fwnode() Bartosz Golaszewski
2026-05-30 0:45 ` sashiko-bot
2026-05-21 8:36 ` [PATCH 19/23] platform/surface: gpe: " Bartosz Golaszewski
2026-05-28 11:21 ` Ilpo Järvinen
2026-05-21 8:36 ` [PATCH 20/23] usb: chipidea: use platform_device_set_of_node_from_dev() Bartosz Golaszewski
2026-05-21 8:36 ` [PATCH 21/23] usb: musb: " Bartosz Golaszewski
2026-05-21 8:36 ` [PATCH 22/23] reset: rzg2l: " Bartosz Golaszewski
2026-05-21 8:36 ` [PATCH 23/23] driver core: platform: count references to all kinds of firmware nodes Bartosz Golaszewski
2026-05-30 0:45 ` sashiko-bot [this message]
2026-05-29 12:55 ` (subset) [PATCH 00/23] driver core: count references of the platform device's fwnode, not OF node Srinivas Kandagatla
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260530004547.E91B81F00893@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=Frank.Li@kernel.org \
--cc=bartosz.golaszewski@oss.qualcomm.com \
--cc=conor+dt@kernel.org \
--cc=devicetree@vger.kernel.org \
--cc=imx@lists.linux.dev \
--cc=robh@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox