From: sashiko-bot@kernel.org
To: "Bartosz Golaszewski" <bartosz.golaszewski@oss.qualcomm.com>
Cc: Frank.Li@kernel.org, devicetree@vger.kernel.org, robh@kernel.org,
conor+dt@kernel.org, dri-devel@lists.freedesktop.org,
imx@lists.linux.dev
Subject: Re: [PATCH v2 19/19] driver core: platform: count references to all kinds of firmware nodes
Date: Tue, 30 Jun 2026 09:18:42 +0000 [thread overview]
Message-ID: <20260630091842.BCE2F1F00A3D@smtp.kernel.org> (raw)
In-Reply-To: <20260629-pdev-fwnode-ref-v2-19-8abe2513f96e@oss.qualcomm.com>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [High] Memory leak of `of_node` references in platform device release
- [High] Refcount underflow and use-after-free of software nodes on platform device release
--
commit f2aa250a52f31d368fee3251e58597913170101a
Author: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
driver core: platform: count references to all kinds of firmware nodes
This patch switches to counting references for all kinds of firmware nodes by
replacing the of_node_put with fwnode_handle_put in platform device release.
It also updates platform device setup helpers to properly acquire fwnode
references.
> diff --git a/drivers/base/platform.c b/drivers/base/platform.c
> index f24a5f406746b..bb5f5bddd047d 100644
> --- a/drivers/base/platform.c
> +++ b/drivers/base/platform.c
> @@ -599,7 +599,7 @@ static void platform_device_release(struct device *dev)
> struct platform_object *pa = container_of(dev, struct platform_object,
> pdev.dev);
>
> - of_node_put(pa->pdev.dev.of_node);
> + fwnode_handle_put(pa->pdev.dev.fwnode);
[Severity: High]
Does replacing of_node_put() here cause a memory leak of of_node references?
Many drivers and core APIs manually acquire an of_node reference and assign
it directly to pdev->dev.of_node without setting pdev->dev.fwnode. For
example, in drivers/base/core.c:device_set_of_node_from_dev():
of_node_put(dev->of_node);
dev->of_node = of_node_get(dev2->of_node);
When a platform device set up this way is released, fwnode_handle_put() will
operate on a NULL or unrelated fwnode, failing to drop the of_node reference.
[Severity: High]
Can this fwnode_handle_put() cause a refcount underflow for software nodes?
Platform drivers often inherit their parent's fwnode without taking an
additional reference. For example, in drivers/gpio/gpio-arizona.c:
device_set_node(&pdev->dev, dev_fwnode(pdev->dev.parent));
Before this patch, calling of_node_put(dev->of_node) on a software node was
a safe no-op (as of_node was NULL). Unconditionally calling
fwnode_handle_put() here will now invoke software_node_put() and decrement
the unacquired reference, potentially leading to a use-after-free when the
device is unregistered.
> kfree(pa->pdev.dev.platform_data);
> kfree(pa->pdev.mfd_cell);
> kfree(pa->pdev.resource);
[ ... ]
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260629-pdev-fwnode-ref-v2-0-8abe2513f96e@oss.qualcomm.com?part=19
next prev parent reply other threads:[~2026-06-30 9:18 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-29 9:12 [PATCH v2 00/19] driver core: count references of the platform device's fwnode, not OF node Bartosz Golaszewski
2026-06-29 9:12 ` [PATCH v2 01/19] powerpc/powermac: fix OF node refcount Bartosz Golaszewski
2026-06-29 9:12 ` [PATCH v2 02/19] driver core: platform: provide platform_device_set_of_node() Bartosz Golaszewski
2026-06-30 9:18 ` sashiko-bot
2026-06-30 11:37 ` Manuel Ebner
2026-06-30 13:22 ` Bartosz Golaszewski
2026-07-01 15:05 ` Manuel Ebner
2026-06-29 9:12 ` [PATCH v2 03/19] driver core: platform: provide platform_device_set_fwnode() Bartosz Golaszewski
2026-06-29 9:12 ` [PATCH v2 04/19] driver core: platform: provide platform_device_set_of_node_from_dev() Bartosz Golaszewski
2026-06-29 9:12 ` [PATCH v2 05/19] of: platform: use platform_device_set_of_node() Bartosz Golaszewski
2026-06-29 9:12 ` [PATCH v2 06/19] powerpc/powermac: " Bartosz Golaszewski
2026-06-29 9:12 ` [PATCH v2 07/19] i2c: pxa-pci: " Bartosz Golaszewski
2026-06-30 9:18 ` sashiko-bot
2026-06-29 9:12 ` [PATCH v2 08/19] iommu/fsl: " Bartosz Golaszewski
2026-06-29 14:08 ` Frank Li
2026-06-29 9:12 ` [PATCH v2 09/19] net: bcmgenet: " Bartosz Golaszewski
2026-06-29 23:15 ` Jakub Kicinski
2026-06-30 9:18 ` sashiko-bot
2026-06-29 9:12 ` [PATCH v2 10/19] pmdomain: imx: " Bartosz Golaszewski
2026-06-30 9:18 ` sashiko-bot
2026-06-30 15:27 ` Frank Li
2026-06-29 9:12 ` [PATCH v2 11/19] mfd: tps6586: " Bartosz Golaszewski
2026-06-29 9:12 ` [PATCH v2 12/19] slimbus: qcom-ngd-ctrl: " Bartosz Golaszewski
2026-06-29 9:25 ` Konrad Dybcio
2026-06-29 9:12 ` [PATCH v2 13/19] net: mv643xx: " Bartosz Golaszewski
2026-06-29 23:16 ` Jakub Kicinski
2026-06-29 9:12 ` [PATCH v2 14/19] drm/xe/i2c: use platform_device_set_fwnode() Bartosz Golaszewski
2026-06-30 9:18 ` sashiko-bot
2026-06-29 9:12 ` [PATCH v2 15/19] platform/surface: gpe: " Bartosz Golaszewski
2026-06-29 9:12 ` [PATCH v2 16/19] usb: chipidea: use platform_device_set_of_node_from_dev() Bartosz Golaszewski
2026-06-29 9:12 ` [PATCH v2 17/19] usb: musb: " Bartosz Golaszewski
2026-06-30 9:18 ` sashiko-bot
2026-06-29 9:12 ` [PATCH v2 18/19] reset: rzg2l: " Bartosz Golaszewski
2026-06-29 9:12 ` [PATCH v2 19/19] driver core: platform: count references to all kinds of firmware nodes Bartosz Golaszewski
2026-06-29 16:21 ` Andy Shevchenko
2026-06-30 9:18 ` sashiko-bot [this message]
2026-06-29 16:23 ` [PATCH v2 00/19] driver core: count references of the platform device's fwnode, not OF node Andy Shevchenko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260630091842.BCE2F1F00A3D@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=Frank.Li@kernel.org \
--cc=bartosz.golaszewski@oss.qualcomm.com \
--cc=conor+dt@kernel.org \
--cc=devicetree@vger.kernel.org \
--cc=dri-devel@lists.freedesktop.org \
--cc=imx@lists.linux.dev \
--cc=robh@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox