From: Tyrel Datwyler <tyreld@linux.vnet.ibm.com>
To: Johan Hovold <johan@kernel.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Linus Walleij <linus.walleij@linaro.org>,
Peter Chen <peter.chen@freescale.com>,
Rob Herring <robh@kernel.org>, Arnd Bergmann <arnd@arndb.de>,
Sricharan R <sricharan@codeaurora.org>,
Zhang Rui <rui.zhang@intel.com>,
Eduardo Valentin <edubezval@gmail.com>,
linux-pm@vger.kernel.org, linux-usb@vger.kernel.org,
linux-kernel@vger.kernel.org, stable <stable@vger.kernel.org>,
Laxman Dewangan <ldewangan@nvidia.com>
Subject: Re: [PATCH 6/7] thermal: max77620: fix device-node reference imbalance
Date: Tue, 30 May 2017 15:59:10 -0700 [thread overview]
Message-ID: <41a7b947-579f-e9ba-188d-699e7ff0b27d@linux.vnet.ibm.com> (raw)
In-Reply-To: <20170530162554.26159-7-johan@kernel.org>
On 05/30/2017 09:25 AM, Johan Hovold wrote:
> The thermal child device reuses the parent MFD-device device-tree node
> when registering a thermal zone, but did not take a reference to the
> node.
>
> This leads to a reference imbalance, and potential use-after-free, when
> the node reference is dropped by the platform-bus device destructor
> (once for the child and later again for the parent).
>
> Fix this by dropping any reference already held to a device-tree node
> and getting a reference to the parent's node which will be balanced on
> reprobe or on platform-device release, whichever comes first.
>
> Note that simply clearing the of_node pointer on probe errors and on
> driver unbind would not allow the use of device-managed resources as
> specifically thermal_zone_of_sensor_unregister() claims that a valid
> device-tree node pointer is needed during deregistration (even if it
> currently does not seem to use it).
>
> Fixes: ec4664b3fd6d ("thermal: max77620: Add thermal driver for reporting junction temp")
> Cc: stable <stable@vger.kernel.org> # 4.9
> Cc: Laxman Dewangan <ldewangan@nvidia.com>
> Signed-off-by: Johan Hovold <johan@kernel.org>
> ---
> drivers/thermal/max77620_thermal.c | 10 ++++++++--
> 1 file changed, 8 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/thermal/max77620_thermal.c b/drivers/thermal/max77620_thermal.c
> index e9a1fe342760..71d35f3c9215 100644
> --- a/drivers/thermal/max77620_thermal.c
> +++ b/drivers/thermal/max77620_thermal.c
> @@ -104,8 +104,6 @@ static int max77620_thermal_probe(struct platform_device *pdev)
> return -EINVAL;
> }
>
> - pdev->dev.of_node = pdev->dev.parent->of_node;
> -
> mtherm->dev = &pdev->dev;
> mtherm->rmap = dev_get_regmap(pdev->dev.parent, NULL);
> if (!mtherm->rmap) {
> @@ -113,6 +111,14 @@ static int max77620_thermal_probe(struct platform_device *pdev)
> return -ENODEV;
> }
>
> + /*
> + * Drop any current reference to a device-tree node and get a
> + * reference to the parent's node which will be balanced on reprobe or
> + * on platform-device release.
> + */
> + of_node_put(pdev->dev.of_node);
> + pdev->dev.of_node = of_node_get(pdev->dev.parent->of_node);
> +
This seems like needless churn. Can't this just be squashed into patch #7?
-Tyrel
> mtherm->tz_device = devm_thermal_zone_of_sensor_register(&pdev->dev, 0,
> mtherm, &max77620_thermal_ops);
> if (IS_ERR(mtherm->tz_device)) {
>
next prev parent reply other threads:[~2017-05-30 22:59 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-05-30 16:25 [PATCH 0/7] driver core/USB/thermal: fix device-tree node reuse Johan Hovold
2017-05-30 16:25 ` [PATCH 1/7] USB: core: fix device node leak Johan Hovold
2017-05-30 22:55 ` Tyrel Datwyler
[not found] ` <9aff0d42-ff3e-963a-7aaa-752c2f592d0d-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
2017-05-31 8:25 ` Johan Hovold
[not found] ` <20170530162554.26159-2-johan-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
2017-06-05 3:35 ` Peter Chen
2017-05-30 16:25 ` [PATCH 2/7] USB: of: document reference taken by child-lookup helper Johan Hovold
2017-05-30 22:40 ` Tyrel Datwyler
2017-06-06 15:38 ` Johan Hovold
2017-05-30 16:25 ` [PATCH 3/7] driver core: add helper to reuse a device-tree node Johan Hovold
2017-05-30 22:52 ` kbuild test robot
[not found] ` <201705310637.M1OKh99R%fengguang.wu-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
2017-05-31 8:38 ` Johan Hovold
2017-05-30 16:25 ` [PATCH 4/7] driver core: fix automatic pinctrl management Johan Hovold
[not found] ` <20170530162554.26159-5-johan-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
2017-05-31 0:39 ` Linus Walleij
[not found] ` <CACRpkda2PFrua01uKy3b2Zvqi3SH1i0tsxOfWhNP8bB7RCo45g-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-05-31 8:35 ` Johan Hovold
2017-05-30 16:25 ` [PATCH 5/7] USB: of: fix root-hub device-tree node handling Johan Hovold
2017-06-05 4:51 ` Peter Chen
2017-06-06 15:44 ` Johan Hovold
2017-05-30 16:25 ` [PATCH 6/7] thermal: max77620: fix device-node reference imbalance Johan Hovold
2017-05-30 22:59 ` Tyrel Datwyler [this message]
2017-05-31 8:28 ` Johan Hovold
2017-05-30 16:25 ` [PATCH 7/7] thermal: max77620: fix pinmux conflict on reprobe Johan Hovold
2017-05-30 18:57 ` Eduardo Valentin
2017-05-31 8:23 ` Johan Hovold
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=41a7b947-579f-e9ba-188d-699e7ff0b27d@linux.vnet.ibm.com \
--to=tyreld@linux.vnet.ibm.com \
--cc=arnd@arndb.de \
--cc=edubezval@gmail.com \
--cc=gregkh@linuxfoundation.org \
--cc=johan@kernel.org \
--cc=ldewangan@nvidia.com \
--cc=linus.walleij@linaro.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-pm@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=peter.chen@freescale.com \
--cc=robh@kernel.org \
--cc=rui.zhang@intel.com \
--cc=sricharan@codeaurora.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).