From: Herve Codina <herve.codina@bootlin.com>
To: Richard Cheng <icheng@nvidia.com>
Cc: Andrew Lunn <andrew@lunn.ch>, Rob Herring <robh@kernel.org>,
Saravana Kannan <saravanak@kernel.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
"Rafael J. Wysocki" <rafael@kernel.org>,
Danilo Krummrich <dakr@kernel.org>,
Bjorn Helgaas <bhelgaas@google.com>,
David Rhodes <david.rhodes@cirrus.com>,
Richard Fitzgerald <rf@opensource.cirrus.com>,
Charles Keepax <ckeepax@opensource.cirrus.com>,
Linus Walleij <linusw@kernel.org>, Len Brown <lenb@kernel.org>,
Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
Daniel Scally <djrscally@gmail.com>,
Heikki Krogerus <heikki.krogerus@linux.intel.com>,
Sakari Ailus <sakari.ailus@linux.intel.com>,
Davidlohr Bueso <dave@stgolabs.net>,
Jonathan Cameron <jic23@kernel.org>,
Dave Jiang <dave.jiang@intel.com>,
Alison Schofield <alison.schofield@intel.com>,
Vishal Verma <vishal.l.verma@intel.com>,
Dan Williams <djbw@kernel.org>, Ira Weiny <iweiny@kernel.org>,
Li Ming <ming.li@zohomail.com>, Lizhi Hou <lizhi.hou@amd.com>,
driver-core@lists.linux.dev, linux-kernel@vger.kernel.org,
linux-pci@vger.kernel.org, linux-sound@vger.kernel.org,
patches@opensource.cirrus.com, linux-gpio@vger.kernel.org,
linux-acpi@vger.kernel.org, linux-cxl@vger.kernel.org,
Allan Nielsen <allan.nielsen@microchip.com>,
Horatiu Vultur <horatiu.vultur@microchip.com>,
Daniel Machon <daniel.machon@microchip.com>,
Steen Hegelund <steen.hegelund@microchip.com>,
Luca Ceresoli <luca.ceresoli@bootlin.com>,
Thomas Petazzoni <thomas.petazzoni@bootlin.com>,
stable@vger.kernel.org
Subject: Re: [PATCH v8 7/8] PCI: of: Set fwnode device of newly created PCI device nodes
Date: Thu, 2 Jul 2026 13:23:48 +0200 [thread overview]
Message-ID: <20260702132348.034264b6@bootlin.com> (raw)
In-Reply-To: <akXg4G4ksietvkwE@MWDK4CY14F>
Hi Richard,
On Thu, 2 Jul 2026 12:02:35 +0800
Richard Cheng <icheng@nvidia.com> wrote:
> > @@ -709,6 +709,13 @@ void of_pci_make_dev_node(struct pci_dev *pdev)
> > if (ret)
> > goto out_free_node;
> >
> > + /*
> > + * Set the fwnode device in order to have fw_devlink creating links
> > + * pointing to this PCI device instead of walking up to the PCI host
> > + * bridge.
> > + */
> > + fw_devlink_set_device(&np->fwnode, &pdev->dev);
> > +
> > ret = of_changeset_apply(cset);
> > if (ret)
> > goto out_free_node;
> > --
> > 2.54.0
> >
> >
>
> Hi Herve,
>
> I wonder if this part has some issue, it sets np->fwnode.dev = &pdev->dev,
> but I don't see am matching clear on removal path, I doubt the back-pointer
> can outlive the pci_dev.
>
> device_del() do the check
> """
> if (dev->fwnode && dev->fwnode->dev == dev)
> fw_devlink_set_device(dev->fwnode, NULL);
> """
>
> On removal, pci_stop_dev() calls of_pci_remove_node() before pci_destroy_dev()
> calls device_del(), and of_pci_remove_node() -> device_remove_of_node() has already NULLed pdev->dev.fwnode by then, so the "dev->fwnode" guard is false, and
> of_pci_remove_node() itself never clears np->fwnode.dev
>
> If something holds an extra ref on np past removal, e.g. a DT overlay applied via configfs that pins np through its gragment targets,
> np survives, the pci_dev is freed, and np->fwnode.dev dnalges into freed memory.
> Then fw_devlink walker that resolve it via get_dev_from_fwnode() -> get_device() would hit a use-after-free .
>
> I think of_pci_remove_node() should cleaer the back-pointer it set,
> before dropping the node's ref, e.g.
>
> """
> np = pci_device_to_OF_node(pdev);
> if (!np || !of_node_check_flag(np, OF_DYNAMIC))
> return;
>
> fw_devlink_set_device(&np->fwnode, NULL);
> device_remove_of_node(&pdev->dev);
> of_changeset_revert(np->data);
> """
>
> Does that make sense to you ?
>
Thanks for pointed out this issue.
I am not sure that the scenario you proposed using configfs which can lead
to the use-after-free is relevant but anyway this use-after-free is possible.
The fwnode->dev is set by of_pci_make_dev_node() and so it is consistent
to unset it (set to NULL) in of_pci_remove_node().
I will update this patch to add the fw_devlink_set_device(&np->fwnode, NULL);
call in the next iteration.
Also I will had a new patch in the next iteration to perform same operation
for PCI root bridge. Same kind of code path, and so same issue but with
of_pci_make_host_bridge_node() and of_pci_remove_host_bridge_node().
Best regards,
Hervé
next prev parent reply other threads:[~2026-07-02 11:24 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-30 10:27 [PATCH v8 0/8] lan966x pci device: Add support for SFPs, PCI part Herve Codina
2026-06-30 10:27 ` [PATCH v8 1/8] driver core: fw_devlink: Introduce fw_devlink_set_device() Herve Codina
2026-06-30 10:27 ` [PATCH v8 2/8] drivers: core: Use fw_devlink_set_device() Herve Codina
2026-06-30 10:27 ` [PATCH v8 3/8] pinctrl: cs42l43: " Herve Codina
2026-06-30 10:27 ` [PATCH v8 4/8] cxl/test: Use device_set_node() Herve Codina
2026-06-30 10:27 ` [PATCH v8 5/8] cxl/test: Use fw_devlink_set_device() Herve Codina
2026-06-30 10:28 ` [PATCH v8 6/8] PCI: of: " Herve Codina
2026-06-30 10:28 ` [PATCH v8 7/8] PCI: of: Set fwnode device of newly created PCI device nodes Herve Codina
2026-07-02 4:02 ` Richard Cheng
2026-07-02 11:23 ` Herve Codina [this message]
2026-06-30 10:28 ` [PATCH v8 8/8] PCI: of: Remove fwnode_dev_initialized() call for a PCI root bridge node Herve Codina
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260702132348.034264b6@bootlin.com \
--to=herve.codina@bootlin.com \
--cc=alison.schofield@intel.com \
--cc=allan.nielsen@microchip.com \
--cc=andrew@lunn.ch \
--cc=andriy.shevchenko@linux.intel.com \
--cc=bhelgaas@google.com \
--cc=ckeepax@opensource.cirrus.com \
--cc=dakr@kernel.org \
--cc=daniel.machon@microchip.com \
--cc=dave.jiang@intel.com \
--cc=dave@stgolabs.net \
--cc=david.rhodes@cirrus.com \
--cc=djbw@kernel.org \
--cc=djrscally@gmail.com \
--cc=driver-core@lists.linux.dev \
--cc=gregkh@linuxfoundation.org \
--cc=heikki.krogerus@linux.intel.com \
--cc=horatiu.vultur@microchip.com \
--cc=icheng@nvidia.com \
--cc=iweiny@kernel.org \
--cc=jic23@kernel.org \
--cc=lenb@kernel.org \
--cc=linusw@kernel.org \
--cc=linux-acpi@vger.kernel.org \
--cc=linux-cxl@vger.kernel.org \
--cc=linux-gpio@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-pci@vger.kernel.org \
--cc=linux-sound@vger.kernel.org \
--cc=lizhi.hou@amd.com \
--cc=luca.ceresoli@bootlin.com \
--cc=ming.li@zohomail.com \
--cc=patches@opensource.cirrus.com \
--cc=rafael@kernel.org \
--cc=rf@opensource.cirrus.com \
--cc=robh@kernel.org \
--cc=sakari.ailus@linux.intel.com \
--cc=saravanak@kernel.org \
--cc=stable@vger.kernel.org \
--cc=steen.hegelund@microchip.com \
--cc=thomas.petazzoni@bootlin.com \
--cc=vishal.l.verma@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox