From: sashiko-bot@kernel.org
To: "Chen-Yu Tsai" <wenst@chromium.org>
Cc: robh@kernel.org, devicetree@vger.kernel.org, conor+dt@kernel.org
Subject: Re: [PATCH v3 02/13] device property: Add fwnode_graph_get_next_port_endpoint()
Date: Fri, 03 Jul 2026 11:17:51 +0000 [thread overview]
Message-ID: <20260703111751.EAB3F1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260703110317.1283411-3-wenst@chromium.org>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
New issues:
- [High] fwnode_graph_get_next_port_endpoint() breaks graph abstraction by hardcoding name matching, which fails for ACPI nodes.
Pre-existing issues:
- [High] Preexisting bug in fwnode_get_next_child_node() causing Use-After-Free and infinite loops when crossing from primary to secondary fwnodes.
--
commit 94e97ca138e57ff4e7c6032a05de92b5aec2bd3d
Author: Chen-Yu Tsai <wenst@chromium.org>
device property: Add fwnode_graph_get_next_port_endpoint()
This introduces a helper function to get the endpoint under a known port
firmware node. It is intended to be used in USB power sequencing to check
whether a graph connection exists and if the other side is a supported
connector type.
diff --git a/drivers/base/property.c b/drivers/base/property.c
index c5e7e00f1b0cd..7f1fff3b55c74 100644
--- a/drivers/base/property.c
+++ b/drivers/base/property.c
[ ... ]
@@ -1099,6 +1099,31 @@ int fwnode_irq_get_byname(const struct fwnode_handle *fwnode, const char *name)
}
EXPORT_SYMBOL(fwnode_irq_get_byname);
> +/**
> + * fwnode_graph_get_next_port_endpoint - Get next endpoint firmware node in port
> + * @port: Pointer to the target port firmware node
> + * @prev: Previous endpoint node or %NULL to get the first
> + *
> + * The caller is responsible for calling fwnode_handle_put() on the returned
> + * fwnode pointer. Note that this function also puts a reference to @prev
> + * unconditionally.
> + *
> + * Return: an endpoint firmware node pointer or %NULL if no more endpoints
> + * are available.
> + */
> +struct fwnode_handle *fwnode_graph_get_next_port_endpoint(const struct fwnode_handle *port,
> + struct fwnode_handle *prev)
> +{
> + do {
> + prev = fwnode_get_next_child_node(port, prev);
[Severity: High]
This is a pre-existing issue, but does calling fwnode_get_next_child_node()
here expose a use-after-free and infinite loop when the parent has both
primary and secondary fwnodes?
When the primary iterator completes, it drops its reference to the child
node and returns NULL. The fwnode_get_next_child_node() function then passes
this already freed primary child directly to the secondary iterator:
drivers/base/property.c:fwnode_get_next_child_node() {
...
next = fwnode_call_ptr_op(fwnode, get_next_child_node, child);
if (next)
return next;
/* When no more children in primary, continue with secondary */
return fwnode_call_ptr_op(fwnode->secondary, get_next_child_node, child);
}
Would the secondary iterator drop the reference again and cause a double
free?
Could this also create an infinite loop where the secondary iterator treats
the invalid node as missing, returns its first child, and passes it back to
the primary iterator on the next loop iteration?
> + if (fwnode_name_eq(prev, "endpoint"))
[Severity: High]
Does this hardcoded string match cause a regression for ACPI-based devices
relying on this API?
ACPI graph endpoint nodes are natively identified by the endpoint property,
and their names often do not directly match "endpoint" (as seen in
is_acpi_graph_node).
By bypassing the graph fwnode abstractions like graph_get_next_endpoint,
will this silently fail to find graph endpoints on ACPI platforms?
> + break;
> + } while (prev);
> +
> + return prev;
> +}
> +EXPORT_SYMBOL_GPL(fwnode_graph_get_next_port_endpoint);
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260703110317.1283411-1-wenst@chromium.org?part=2
next prev parent reply other threads:[~2026-07-03 11:17 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-03 11:03 [PATCH v3 00/13] arm64: mediatek: Add M.2 E-key slot on Chromebooks Chen-Yu Tsai
2026-07-03 11:03 ` [PATCH v3 01/13] device property: Add fwnode_graph_get_port_by_id() Chen-Yu Tsai
2026-07-03 11:15 ` sashiko-bot
2026-07-03 11:03 ` [PATCH v3 02/13] device property: Add fwnode_graph_get_next_port_endpoint() Chen-Yu Tsai
2026-07-03 11:17 ` sashiko-bot [this message]
2026-07-03 12:04 ` Bartosz Golaszewski
2026-07-03 12:46 ` Andy Shevchenko
2026-07-03 11:03 ` [PATCH v3 03/13] power: sequencing: Add pwrseq_power_is_on() Chen-Yu Tsai
2026-07-03 11:16 ` sashiko-bot
2026-07-03 12:07 ` Bartosz Golaszewski
2026-07-03 12:17 ` Chen-Yu Tsai
2026-07-03 13:18 ` Bartosz Golaszewski
2026-07-03 11:03 ` [PATCH v3 04/13] usb: hub: Return actual error from hub_configure() in hub_probe() Chen-Yu Tsai
2026-07-03 11:03 ` [PATCH v3 05/13] usb: hub: Associate port@ fwnode with USB port device Chen-Yu Tsai
2026-07-03 11:18 ` sashiko-bot
2026-07-03 12:09 ` Bartosz Golaszewski
2026-07-03 13:01 ` Andy Shevchenko
2026-07-03 13:25 ` Chen-Yu Tsai
2026-07-03 13:34 ` Andy Shevchenko
2026-07-03 11:03 ` [PATCH v3 06/13] usb: hub: Pass |struct usb_port*| to usb_port_is_power_on() Chen-Yu Tsai
2026-07-03 13:11 ` Andy Shevchenko
2026-07-03 13:17 ` Chen-Yu Tsai
2026-07-03 13:33 ` Andy Shevchenko
2026-07-03 11:03 ` [PATCH v3 07/13] usb: hub: Use usb_hub_set_port_power() to control port power everywhere Chen-Yu Tsai
2026-07-03 12:12 ` Bartosz Golaszewski
2026-07-03 11:03 ` [PATCH v3 08/13] usb: hub: Power on connected M.2 E-key connectors with power sequencing API Chen-Yu Tsai
2026-07-03 11:29 ` sashiko-bot
2026-07-03 12:41 ` Bartosz Golaszewski
2026-07-03 12:58 ` Chen-Yu Tsai
2026-07-03 13:16 ` Bartosz Golaszewski
2026-07-03 13:20 ` Chen-Yu Tsai
2026-07-03 13:19 ` Andy Shevchenko
2026-07-03 11:03 ` [PATCH v3 09/13] dt-bindings: usb: mediatek,mtk-xhci: Switch to ports for USB connections Chen-Yu Tsai
2026-07-05 9:43 ` Krzysztof Kozlowski
2026-07-03 11:03 ` [PATCH v3 10/13] power: sequencing: pcie-m2: support matching on remote "port" node Chen-Yu Tsai
2026-07-03 12:57 ` Andy Shevchenko
2026-07-03 11:03 ` [PATCH v3 11/13] power: sequencing: pcie-m2: Add usb and sdio targets for E-key connector Chen-Yu Tsai
2026-07-03 11:03 ` [PATCH v3 12/13] arm64: dts: mediatek: mt8195-cherry: Add M.2 E-key slot Chen-Yu Tsai
2026-07-03 11:03 ` [PATCH v3 13/13] arm64: dts: mediatek: mt8188-geralt: Add WiFi/BT as " Chen-Yu Tsai
2026-07-03 13:19 ` [PATCH v3 00/13] arm64: mediatek: Add M.2 E-key slot on Chromebooks Bartosz Golaszewski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260703111751.EAB3F1F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=conor+dt@kernel.org \
--cc=devicetree@vger.kernel.org \
--cc=robh@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
--cc=wenst@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox