Linux GPIO subsystem development
 help / color / mirror / Atom feed
From: Herve Codina <herve.codina@bootlin.com>
To: Richard Cheng <icheng@nvidia.com>
Cc: Andrew Lunn <andrew@lunn.ch>, Rob Herring <robh@kernel.org>,
	Saravana Kannan <saravanak@kernel.org>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	"Rafael J. Wysocki" <rafael@kernel.org>,
	Danilo Krummrich <dakr@kernel.org>,
	Bjorn Helgaas <bhelgaas@google.com>,
	David Rhodes <david.rhodes@cirrus.com>,
	Richard Fitzgerald <rf@opensource.cirrus.com>,
	Charles Keepax <ckeepax@opensource.cirrus.com>,
	Linus Walleij <linusw@kernel.org>, Len Brown <lenb@kernel.org>,
	Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
	Daniel Scally <djrscally@gmail.com>,
	Heikki Krogerus <heikki.krogerus@linux.intel.com>,
	Sakari Ailus <sakari.ailus@linux.intel.com>,
	Davidlohr Bueso <dave@stgolabs.net>,
	Jonathan Cameron <jic23@kernel.org>,
	Dave Jiang <dave.jiang@intel.com>,
	Alison Schofield <alison.schofield@intel.com>,
	Vishal Verma <vishal.l.verma@intel.com>,
	Dan Williams <djbw@kernel.org>, Ira Weiny <iweiny@kernel.org>,
	Li Ming <ming.li@zohomail.com>, Lizhi Hou <lizhi.hou@amd.com>,
	driver-core@lists.linux.dev, linux-kernel@vger.kernel.org,
	linux-pci@vger.kernel.org, linux-sound@vger.kernel.org,
	patches@opensource.cirrus.com, linux-gpio@vger.kernel.org,
	linux-acpi@vger.kernel.org, linux-cxl@vger.kernel.org,
	Allan Nielsen <allan.nielsen@microchip.com>,
	Horatiu Vultur <horatiu.vultur@microchip.com>,
	Daniel Machon <daniel.machon@microchip.com>,
	Steen Hegelund <steen.hegelund@microchip.com>,
	Luca Ceresoli <luca.ceresoli@bootlin.com>,
	Thomas Petazzoni <thomas.petazzoni@bootlin.com>,
	stable@vger.kernel.org
Subject: Re: [PATCH v8 7/8] PCI: of: Set fwnode device of newly created PCI device nodes
Date: Thu, 2 Jul 2026 13:23:48 +0200	[thread overview]
Message-ID: <20260702132348.034264b6@bootlin.com> (raw)
In-Reply-To: <akXg4G4ksietvkwE@MWDK4CY14F>

Hi Richard,

On Thu, 2 Jul 2026 12:02:35 +0800
Richard Cheng <icheng@nvidia.com> wrote:

> > @@ -709,6 +709,13 @@ void of_pci_make_dev_node(struct pci_dev *pdev)
> >  	if (ret)
> >  		goto out_free_node;
> >  
> > +	/*
> > +	 * Set the fwnode device in order to have fw_devlink creating links
> > +	 * pointing to this PCI device instead of walking up to the PCI host
> > +	 * bridge.
> > +	 */
> > +	fw_devlink_set_device(&np->fwnode, &pdev->dev);
> > +
> >  	ret = of_changeset_apply(cset);
> >  	if (ret)
> >  		goto out_free_node;
> > -- 
> > 2.54.0
> > 
> >  
> 
> Hi Herve,
> 
> I wonder if this part has some issue, it sets np->fwnode.dev = &pdev->dev,
> but I don't see am matching clear on removal path, I doubt the back-pointer
> can outlive the pci_dev.
> 
> device_del() do the check
> """
> if (dev->fwnode && dev->fwnode->dev == dev)
>     fw_devlink_set_device(dev->fwnode, NULL);
> """
> 
> On removal, pci_stop_dev() calls of_pci_remove_node() before pci_destroy_dev()
> calls device_del(), and of_pci_remove_node() -> device_remove_of_node() has already NULLed pdev->dev.fwnode by then, so the "dev->fwnode" guard is false, and
> of_pci_remove_node() itself never clears np->fwnode.dev
> 
> If something holds an extra ref on np past removal, e.g. a DT overlay applied via configfs that pins np through its gragment targets,
> np survives, the pci_dev is freed, and np->fwnode.dev dnalges into freed memory.
> Then fw_devlink walker that resolve it via get_dev_from_fwnode() -> get_device() would hit a use-after-free .
> 
> I think of_pci_remove_node() should cleaer the back-pointer it set,
> before dropping the node's ref, e.g.
> 
> """
> np = pci_device_to_OF_node(pdev);
> if (!np || !of_node_check_flag(np, OF_DYNAMIC))
>     return;
> 
> fw_devlink_set_device(&np->fwnode, NULL);
> device_remove_of_node(&pdev->dev);
> of_changeset_revert(np->data);
> """
> 
> Does that make sense to you ?
> 

Thanks for pointed out this issue.

I am not sure that the scenario you proposed using configfs which can lead
to the use-after-free is relevant but anyway this use-after-free is possible.

The fwnode->dev is set by of_pci_make_dev_node() and so it is consistent 
to unset it (set to NULL) in of_pci_remove_node().

I will update this patch to add the fw_devlink_set_device(&np->fwnode, NULL);
call in the next iteration.

Also I will had a new patch in the next iteration to perform same operation
for PCI root bridge. Same kind of code path, and so same issue but with
of_pci_make_host_bridge_node() and of_pci_remove_host_bridge_node().

Best regards,
Hervé

  reply	other threads:[~2026-07-02 11:24 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-30 10:27 [PATCH v8 0/8] lan966x pci device: Add support for SFPs, PCI part Herve Codina
2026-06-30 10:27 ` [PATCH v8 1/8] driver core: fw_devlink: Introduce fw_devlink_set_device() Herve Codina
2026-06-30 10:27 ` [PATCH v8 2/8] drivers: core: Use fw_devlink_set_device() Herve Codina
2026-06-30 10:27 ` [PATCH v8 3/8] pinctrl: cs42l43: " Herve Codina
2026-06-30 10:27 ` [PATCH v8 4/8] cxl/test: Use device_set_node() Herve Codina
2026-06-30 10:27 ` [PATCH v8 5/8] cxl/test: Use fw_devlink_set_device() Herve Codina
2026-06-30 10:28 ` [PATCH v8 6/8] PCI: of: " Herve Codina
2026-06-30 10:28 ` [PATCH v8 7/8] PCI: of: Set fwnode device of newly created PCI device nodes Herve Codina
2026-07-02  4:02   ` Richard Cheng
2026-07-02 11:23     ` Herve Codina [this message]
2026-06-30 10:28 ` [PATCH v8 8/8] PCI: of: Remove fwnode_dev_initialized() call for a PCI root bridge node Herve Codina

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260702132348.034264b6@bootlin.com \
    --to=herve.codina@bootlin.com \
    --cc=alison.schofield@intel.com \
    --cc=allan.nielsen@microchip.com \
    --cc=andrew@lunn.ch \
    --cc=andriy.shevchenko@linux.intel.com \
    --cc=bhelgaas@google.com \
    --cc=ckeepax@opensource.cirrus.com \
    --cc=dakr@kernel.org \
    --cc=daniel.machon@microchip.com \
    --cc=dave.jiang@intel.com \
    --cc=dave@stgolabs.net \
    --cc=david.rhodes@cirrus.com \
    --cc=djbw@kernel.org \
    --cc=djrscally@gmail.com \
    --cc=driver-core@lists.linux.dev \
    --cc=gregkh@linuxfoundation.org \
    --cc=heikki.krogerus@linux.intel.com \
    --cc=horatiu.vultur@microchip.com \
    --cc=icheng@nvidia.com \
    --cc=iweiny@kernel.org \
    --cc=jic23@kernel.org \
    --cc=lenb@kernel.org \
    --cc=linusw@kernel.org \
    --cc=linux-acpi@vger.kernel.org \
    --cc=linux-cxl@vger.kernel.org \
    --cc=linux-gpio@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-pci@vger.kernel.org \
    --cc=linux-sound@vger.kernel.org \
    --cc=lizhi.hou@amd.com \
    --cc=luca.ceresoli@bootlin.com \
    --cc=ming.li@zohomail.com \
    --cc=patches@opensource.cirrus.com \
    --cc=rafael@kernel.org \
    --cc=rf@opensource.cirrus.com \
    --cc=robh@kernel.org \
    --cc=sakari.ailus@linux.intel.com \
    --cc=saravanak@kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=steen.hegelund@microchip.com \
    --cc=thomas.petazzoni@bootlin.com \
    --cc=vishal.l.verma@intel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox