From: sashiko-bot@kernel.org
To: "Yuho Choi" <dbgh9129@gmail.com>
Cc: linux-pci@vger.kernel.org
Subject: Re: [PATCH v1] PCI: keystone: Fix OF node reference leak in init
Date: Tue, 30 Jun 2026 20:41:56 +0000 [thread overview]
Message-ID: <20260630204156.E84D61F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260630202938.1877632-1-dbgh9129@gmail.com>
Thank you for your contribution! Sashiko AI review found 4 potential issue(s) to consider:
Pre-existing issues:
- [High] Unbinding the `keystone-pcie` driver leaks the PCI root bus or Endpoint Controller (EPC) subsystem registration, leading to a Use-After-Free.
- [High] Unbinding the driver causes a kernel panic due to a NULL pointer dereference when tearing down device links for missing optional PHYs.
- [Medium] Missing `of_node_put(args.np)` after successful calls to `of_parse_phandle_with_fixed_args()` causes OF node reference leaks.
- [Medium] The `err_link` error path in `ks_pcie_probe()` leaks successfully allocated device links due to incorrect loop termination logic.
--
commit 7622e803c35b7f152e532145ef64528354f691a1
Author: Yuho Choi <dbgh9129@gmail.com>
PCI: keystone: Fix OF node reference leak in init
of_find_matching_node() returns a device node with its reference count
incremented. ks_pcie_init() only uses the returned node to decide whether
to register the ARM external abort fault handler, but never drops the
reference.
Store the lookup result in a temporary variable and release it with
of_node_put() once the existence check has been made.
> diff --git a/drivers/pci/controller/dwc/pci-keystone.c b/drivers/pci/controller/dwc/pci-keystone.c
> index 278d2dba1db08..f1b27aed488de 100644
> --- a/drivers/pci/controller/dwc/pci-keystone.c
> +++ b/drivers/pci/controller/dwc/pci-keystone.c
> @@ -1389,13 +1389,17 @@ static int ks_pcie_fault(unsigned long addr, unsigned int fsr,
>
> static int __init ks_pcie_init(void)
> {
> + struct device_node *np;
> /*
> * PCIe access errors that result into OCP errors are caught by ARM as
> * "External aborts"
> */
> - if (of_find_matching_node(NULL, ks_pcie_of_match))
> + np = of_find_matching_node(NULL, ks_pcie_of_match);
> + if (np) {
> + of_node_put(np);
> hook_fault_code(17, ks_pcie_fault, SIGBUS, 0,
> "Asynchronous external abort");
> + }
>
> return platform_driver_register(&ks_pcie_driver);
> }
While reviewing this patch, I noticed a few pre-existing issues in the same
file.
> static int ks_pcie_init_id(struct keystone_pcie *ks_pcie)
> {
[ ... ]
> /* Do not error out to maintain old DT compatibility */
> ret = of_parse_phandle_with_fixed_args(np, "ti,syscon-pcie-id", 1, 0, &args);
> if (!ret)
> offset = args.args[0];
[Severity: Medium]
This is a pre-existing issue, but does this code leak the OF node reference
by failing to call of_node_put(args.np) after the property is parsed?
The same pattern appears to exist in ks_pcie_set_mode():
> static int ks_pcie_set_mode(struct device *dev)
> {
[ ... ]
> /* Do not error out to maintain old DT compatibility */
> ret = of_parse_phandle_with_fixed_args(np, "ti,syscon-pcie-mode", 1, 0, &args);
> if (!ret)
> offset = args.args[0];
And also in ks_pcie_am654_set_mode():
> static int ks_pcie_am654_set_mode(struct device *dev,
> enum dw_pcie_device_mode mode)
> {
[ ... ]
> /* Do not error out to maintain old DT compatibility */
> ret = of_parse_phandle_with_fixed_args(np, "ti,syscon-pcie-mode", 1, 0, &args);
> if (!ret)
> offset = args.args[0];
> static int ks_pcie_probe(struct platform_device *pdev)
> {
[ ... ]
> err_link:
> while (--i >= 0 && link[i])
> device_link_del(link[i]);
>
> return ret;
> }
[Severity: Medium]
This is a pre-existing issue, but does the && link[i] condition prematurely
terminate the cleanup loop? If probe fails after skipping an optional PHY,
leaving a NULL element at index 1 while index 0 has a valid link, would this
leak the device link at index 0?
> static void ks_pcie_remove(struct platform_device *pdev)
> {
> struct keystone_pcie *ks_pcie = platform_get_drvdata(pdev);
> struct device_link **link = ks_pcie->link;
> int num_lanes = ks_pcie->num_lanes;
> struct device *dev = &pdev->dev;
>
> pm_runtime_put(dev);
> pm_runtime_disable(dev);
> ks_pcie_disable_phy(ks_pcie);
[Severity: High]
This is a pre-existing issue, but does this code leave the PCI root bus or
endpoint subsystem registered? Failing to call dw_pcie_host_deinit() or
dw_pcie_ep_deinit() before the driver structures are freed could result in a
use-after-free when unbinding the driver.
> while (num_lanes--)
> device_link_del(link[num_lanes]);
> }
[Severity: High]
This is a pre-existing issue, but can this while loop cause a NULL pointer
dereference? If an optional PHY was missing during ks_pcie_probe(),
link[num_lanes] could be NULL. Because device_link_del() does not check for
NULL before dereferencing, will unbinding the driver panic the kernel?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260630202938.1877632-1-dbgh9129@gmail.com?part=1
prev parent reply other threads:[~2026-06-30 20:41 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-30 20:29 [PATCH v1] PCI: keystone: Fix OF node reference leak in init Yuho Choi
2026-06-30 20:41 ` sashiko-bot [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260630204156.E84D61F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=dbgh9129@gmail.com \
--cc=linux-pci@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox