From: sashiko-bot@kernel.org
To: "Herve Codina" <herve.codina@bootlin.com>
Cc: linux-cxl@vger.kernel.org, linux-pci@vger.kernel.org
Subject: Re: [PATCH v8 7/8] PCI: of: Set fwnode device of newly created PCI device nodes
Date: Tue, 30 Jun 2026 11:23:33 +0000
Message-ID: <20260630112334.5D0151F000E9@smtp.kernel.org>
In-Reply-To: <20260630102804.413563-8-herve.codina@bootlin.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Dangling `fwnode->dev` pointer leads to Use-After-Free during PCI device or host bridge removal.
--
commit 282379de7d271ef07bfe62ea73e0c684092059cd
Author: Herve Codina <herve.codina@bootlin.com>
PCI: of: Set fwnode device of newly created PCI device nodes
This commit sets the fwnode device field for dynamically created PCI
device nodes. This ensures fw_devlink uses the correct PCI device as a
supplier rather than walking up to the PCI root bridge device.
> diff --git a/drivers/pci/of.c b/drivers/pci/of.c
> index ee9eb384b377a..eda14cefca5e7 100644
> --- a/drivers/pci/of.c
> +++ b/drivers/pci/of.c
> @@ -709,6 +709,13 @@ void of_pci_make_dev_node(struct pci_dev *pdev)
> if (ret)
> goto out_free_node;
>
> + /*
> + * Set the fwnode device in order to have fw_devlink creating links
> + * pointing to this PCI device instead of walking up to the PCI host
> + * bridge.
> + */
> + fw_devlink_set_device(&np->fwnode, &pdev->dev);

[Severity: High]
Could this leave a dangling pointer in np->fwnode.dev resulting in a
use-after-free during device removal?

When of_pci_remove_node() is called during teardown, it executes
device_remove_of_node(&pdev->dev) which clears pdev->dev.fwnode early.

When device_del() runs later, its standard cleanup logic relies on the
fwnode pointer still being intact on the device:

    if (dev->fwnode && dev->fwnode->dev == dev)
        fw_devlink_set_device(dev->fwnode, NULL);

Since pdev->dev.fwnode is already NULL from the earlier call, this cleanup
is bypassed. If any reference to the OF node is held after the PCI device
is freed, np->fwnode.dev will still point to the freed pdev->dev structure.

Does of_pci_remove_node() (and similarly of_pci_remove_host_bridge_node())
need to manually call fw_devlink_set_device(&np->fwnode, NULL) to clear
this safely before the node is removed?

> +
> ret = of_changeset_apply(cset);
> if (ret)
> goto out_free_node;
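
Review bot: in of_pci_make_dev_node(), the new fw_devlink_set_device(&np->fwnode, &pdev->dev) call sits before of_changeset_apply(cset), and the failure branch right after it jumps to out_free_node with np->fwnode.dev still set to &pdev->dev as far as this hunk shows. If the pointer has to be set before the changeset is applied, add a matching fw_devlink_set_device(&np->fwnode, NULL) on that error path; otherwise move the call to after the apply succeeds. The comment could also say where the pointer is cleared again, and "to have fw_devlink creating links" reads better as "so that fw_devlink creates links".
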
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260630102804.413563-1-herve.codina@bootlin.com?part=7
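
The teardown ordering described in the review above, as an added userspace model in C that is not part of the original message or of the kernel source. The structs and the `model_*` functions are simplified stand-ins named after the kernel identifiers quoted in the review, and the check only compares pointer values on live stack objects.

```c
/* Userspace model, not kernel code: the types and functions below are
 * simplified stand-ins for the kernel identifiers quoted in the review. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct device;
struct fwnode_handle { struct device *dev; };      /* back-pointer the patch sets */
struct device { struct fwnode_handle *fwnode; };

static void fw_devlink_set_device(struct fwnode_handle *fwnode, struct device *dev)
{
	fwnode->dev = dev;
}

/* Stand-in for device_remove_of_node(): detaches the node from the device. */
static void model_remove_of_node(struct device *dev) { dev->fwnode = NULL; }

/* Stand-in for the device_del() cleanup quoted in the review. */
static void model_device_del(struct device *dev)
{
	if (dev->fwnode && dev->fwnode->dev == dev)
		fw_devlink_set_device(dev->fwnode, NULL);
}

/* Runs one teardown order and reports whether the node still points at the
 * device afterwards, i.e. whether the pointer would dangle once it is freed. */
static bool stale_after_teardown(bool early_detach, bool manual_clear)
{
	struct fwnode_handle np_fwnode = { NULL };
	struct device pdev_dev = { &np_fwnode };

	fw_devlink_set_device(&np_fwnode, &pdev_dev);  /* what the hunk adds */
	if (manual_clear)                              /* the clear the review asks about */
		fw_devlink_set_device(&np_fwnode, NULL);
	if (early_detach)                              /* of_pci_remove_node() ordering */
		model_remove_of_node(&pdev_dev);
	model_device_del(&pdev_dev);                   /* guard fails if fwnode is NULL */
	return np_fwnode.dev == &pdev_dev;
}

int main(void)
{
	printf("device_del only:           stale=%d\n", stale_after_teardown(false, false));
	printf("early detach, as posted:   stale=%d\n", stale_after_teardown(true, false));
	printf("early detach, clear first: stale=%d\n", stale_after_teardown(true, true));
	return 0;
}
```

Only the middle case leaves the back-pointer set, which is the ordering the review describes.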