public inbox for linux-wireless@vger.kernel.org
* [PATCH ath-next] wifi: ath12k: fix OF node refcount imbalance in WSI graph traversal
@ 2026-04-10  7:13 Aaradhana Sahu
  2026-04-21  2:56 ` Baochen Qiang
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Aaradhana Sahu @ 2026-04-10  7:13 UTC (permalink / raw)
  To: ath12k; +Cc: linux-wireless, Aaradhana Sahu

ath12k_core_get_wsi_info() traverses the WSI (Wired Serial Interface)
device graph starting from dev->of_node. The current code uses
dev->of_node directly as the local traversal pointer and calls
of_node_put() on error.

Since the driver does not own a reference to dev->of_node, dropping it
during traversal results in the following OF refcount underflow:

OF: ERROR: of_node_release() detected bad of_node_put() on /soc@0/wifi@c000000
CPU: 1 UID: 0 PID: 210 Comm: insmod Not tainted 6.19.0-rc4-next-20260109-00023-g797dd36dc178 #26 PREEMPT
Hardware name: Qualcomm Technologies, Inc. IPQ5332 MI01.2 (DT)
Call trace:
 show_stack+0x18/0x24 (C)
 dump_stack_lvl+0x60/0x80
 dump_stack+0x18/0x24
 of_node_release+0x164/0x1a0
 kobject_put+0xb4/0x278
 of_node_put+0x18/0x28
 ath12k_core_init+0x29c/0x5d4 [ath12k]
 ath12k_ahb_probe+0x950/0xc14 [ath12k]
 platform_probe+0x5c/0xa4
 really_probe+0xc0/0x3ec
 __driver_probe_device+0x80/0x170
 driver_probe_device+0x3c/0x120
 __driver_attach+0xc4/0x218
OF: ERROR: next of_node_put() on this node will result in a kobject warning 'refcount_t: underflow; use-after-free.'

Fix this by explicitly acquiring a reference to the starting node
using of_node_get() and attaching automatic cleanup via
__free(device_node).

Each discovered WSI node is stored in ag->wsi_node[] with its own
of_node_get() reference. These references are later released in
ath12k_core_free_wsi_info() during driver teardown.

Also remove unnecessary memset() of wsi_node array since cleanup now
explicitly sets pointers to NULL.

Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.6-01243-QCAHKSWPL_SILICONZ-1
Tested-on: IPQ5332 hw1.0 AHB WLAN.WBE.1.6-01275-QCAHKSWPL_SILICONZ-1

Fixes: 908c10c860e0 ("wifi: ath12k: parse multiple device information from Device Tree")
Signed-off-by: Aaradhana Sahu <aaradhana.sahu@oss.qualcomm.com>
---
 drivers/net/wireless/ath/ath12k/core.c | 77 ++++++++++++++++----------
 1 file changed, 48 insertions(+), 29 deletions(-)

diff --git a/drivers/net/wireless/ath/ath12k/core.c b/drivers/net/wireless/ath/ath12k/core.c
index 2519e2400d58..980a12fb2c6e 100644
--- a/drivers/net/wireless/ath/ath12k/core.c
+++ b/drivers/net/wireless/ath/ath12k/core.c
@@ -1838,10 +1838,22 @@ static struct ath12k_hw_group *ath12k_core_hw_group_alloc(struct ath12k_base *ab
 	return ag;
 }
 
+static void ath12k_core_free_wsi_info(struct ath12k_hw_group *ag)
+{
+	int i;
+
+	for (i = 0; i < ag->num_devices; i++) {
+		of_node_put(ag->wsi_node[i]);
+		ag->wsi_node[i] = NULL;
+	}
+	ag->num_devices = 0;
+}
+
 static void ath12k_core_hw_group_free(struct ath12k_hw_group *ag)
 {
 	mutex_lock(&ath12k_hw_group_mutex);
 
+	ath12k_core_free_wsi_info(ag);
 	list_del(&ag->list);
 	kfree(ag);
 
@@ -1867,52 +1879,59 @@ static struct ath12k_hw_group *ath12k_core_hw_group_find_by_dt(struct ath12k_bas
 static int ath12k_core_get_wsi_info(struct ath12k_hw_group *ag,
 				    struct ath12k_base *ab)
 {
-	struct device_node *wsi_dev = ab->dev->of_node, *next_wsi_dev;
-	struct device_node *tx_endpoint, *next_rx_endpoint;
-	int device_count = 0;
-
-	next_wsi_dev = wsi_dev;
+	struct device_node *next_wsi_dev;
+	int device_count = 0, ret = 0;
+	struct device_node *wsi_dev;
 
-	if (!next_wsi_dev)
+	wsi_dev = of_node_get(ab->dev->of_node);
+	if (!wsi_dev)
 		return -ENODEV;
 
 	do {
-		ag->wsi_node[device_count] = next_wsi_dev;
+		if (device_count >= ATH12K_MAX_DEVICES) {
+			ath12k_warn(ab, "device count in DT %d is more than limit %d\n",
+				    device_count, ATH12K_MAX_DEVICES);
+			ret = -EINVAL;
+			break;
+		}
+
+		ag->wsi_node[device_count++] = of_node_get(wsi_dev);
 
-		tx_endpoint = of_graph_get_endpoint_by_regs(next_wsi_dev, 0, -1);
+		struct device_node *tx_endpoint __free(device_node) =
+					of_graph_get_endpoint_by_regs(wsi_dev, 0, -1);
 		if (!tx_endpoint) {
-			of_node_put(next_wsi_dev);
-			return -ENODEV;
+			ret = -ENODEV;
+			break;
 		}
 
-		next_rx_endpoint = of_graph_get_remote_endpoint(tx_endpoint);
+		struct device_node *next_rx_endpoint __free(device_node) =
+					of_graph_get_remote_endpoint(tx_endpoint);
 		if (!next_rx_endpoint) {
-			of_node_put(next_wsi_dev);
-			of_node_put(tx_endpoint);
-			return -ENODEV;
+			ret = -ENODEV;
+			break;
 		}
 
-		of_node_put(tx_endpoint);
-		of_node_put(next_wsi_dev);
-
 		next_wsi_dev = of_graph_get_port_parent(next_rx_endpoint);
 		if (!next_wsi_dev) {
-			of_node_put(next_rx_endpoint);
-			return -ENODEV;
+			ret = -ENODEV;
+			break;
 		}
 
-		of_node_put(next_rx_endpoint);
+		of_node_put(wsi_dev);
+		wsi_dev = next_wsi_dev;
+	} while (ab->dev->of_node != wsi_dev);
 
-		device_count++;
-		if (device_count > ATH12K_MAX_DEVICES) {
-			ath12k_warn(ab, "device count in DT %d is more than limit %d\n",
-				    device_count, ATH12K_MAX_DEVICES);
-			of_node_put(next_wsi_dev);
-			return -EINVAL;
+	if (ret) {
+		while (--device_count >= 0) {
+			of_node_put(ag->wsi_node[device_count]);
+			ag->wsi_node[device_count] = NULL;
 		}
-	} while (wsi_dev != next_wsi_dev);
 
-	of_node_put(next_wsi_dev);
+		of_node_put(wsi_dev);
+		return ret;
+	}
+
+	of_node_put(wsi_dev);
 	ag->num_devices = device_count;
 
 	return 0;
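Review bot: the commit message says the starting node gets automatic cleanup via __free(device_node), but in ath12k_core_get_wsi_info() wsi_dev is a plain pointer released by two hand-written of_node_put(wsi_dev) calls, one inside the `if (ret)` block and one right after it; only tx_endpoint and next_rx_endpoint are declared with __free(). Either reword the commit message to match, or drop the duplication by putting wsi_dev once before the `if (ret)` check, since both exit paths release it anyway.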
@@ -1983,9 +2002,9 @@ static struct ath12k_hw_group *ath12k_core_hw_group_assign(struct ath12k_base *a
 		    ath12k_core_get_wsi_index(ag, ab)) {
 			ath12k_dbg(ab, ATH12K_DBG_BOOT,
 				   "unable to get wsi info from dt, grouping single device");
+			ath12k_core_free_wsi_info(ag);
 			ag->id = ATH12K_INVALID_GROUP_ID;
 			ag->num_devices = 1;
-			memset(ag->wsi_node, 0, sizeof(ag->wsi_node));
 			wsi->index = 0;
 		}
 
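Review bot: the added ath12k_core_free_wsi_info(ag) call sits in a branch whose debug message blames ath12k_core_get_wsi_info(), yet that function now unwinds its own references in its `if (ret)` block and writes ag->num_devices only on success. The call therefore releases something only when the references were fully taken and a later step failed, such as the ath12k_core_get_wsi_index() check visible in the context; a one-line comment stating which failure it covers would make the ownership rule explicit and document why the memset() can go.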

base-commit: ae530e0b135102c5fc08e64c39e7a18564a52b3e
-- 
2.34.1


^ permalink raw reply related	[flat|nested] 4+ messages in thread
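The ownership rule from the commit message above, modelled in userspace C as an added example; it is not code from the patch or from ath12k, and node_get(), node_put(), next_in_ring(), collect_ring(), release_ring() and the own_start flag are hypothetical stand-ins for the OF helpers and driver functions. With own_start=0 the walk treats the lent start pointer as its own, and after teardown the lender's reference is gone.

```c
/* Constructed userspace model: a ring of refcounted nodes stands in for the
 * WSI graph. Every name here is hypothetical; none is a kernel API. */
#include <stddef.h>

#define MAX_DEVICES 3
struct node { int refs; struct node *next; };

static struct node *node_get(struct node *n) { if (n) n->refs++; return n; }
static void node_put(struct node *n) { if (n) n->refs--; }
/* Models a graph lookup that returns a new reference (or NULL). */
static struct node *next_in_ring(struct node *n) { return node_get(n->next); }

/* Walk the ring from 'start', which the caller only lends to us; own_start=0
 * reproduces the borrowed-pointer pattern the commit message describes.
 * Returns the device count, or -1 after dropping every reference taken. */
static int collect_ring(struct node *start, struct node **saved, int own_start)
{
	struct node *cur = own_start ? node_get(start) : start;
	int count = 0, ret = 0;

	if (!cur) return -1;
	do {
		struct node *next;
		if (count >= MAX_DEVICES) { ret = -1; break; }
		saved[count++] = node_get(cur);  /* each stored pointer owns a ref */
		next = next_in_ring(cur);
		if (!next) { ret = -1; break; }
		node_put(cur);                   /* done with the traversal ref */
		cur = next;
	} while (cur != start);
	node_put(cur);                       /* traversal ref, on both exit paths */
	while (ret && --count >= 0) {        /* unwind stored refs on error only */
		node_put(saved[count]);
		saved[count] = NULL;
	}
	return ret ? ret : count;
}

/* Teardown counterpart: release the stored references. */
static void release_ring(struct node **saved, int count)
{
	for (int i = 0; i < count; i++) { node_put(saved[i]); saved[i] = NULL; }
}

int main(void)
{
	struct node a = {1, NULL}, b = {1, &a}, *saved[MAX_DEVICES] = {0};
	a.next = &b;
	release_ring(saved, collect_ring(&a, saved, 1));
	return a.refs == 1 && b.refs == 1 ? 0 : 1;  /* lender's refs intact */
}
```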

* Re: [PATCH ath-next] wifi: ath12k: fix OF node refcount imbalance in WSI graph traversal
  2026-04-10  7:13 [PATCH ath-next] wifi: ath12k: fix OF node refcount imbalance in WSI graph traversal Aaradhana Sahu
@ 2026-04-21  2:56 ` Baochen Qiang
  2026-04-21  5:30 ` Rameshkumar Sundaram
  2026-04-23 18:00 ` Jeff Johnson
  2 siblings, 0 replies; 4+ messages in thread
From: Baochen Qiang @ 2026-04-21  2:56 UTC (permalink / raw)
  To: Aaradhana Sahu, ath12k; +Cc: linux-wireless



On 4/10/2026 3:13 PM, Aaradhana Sahu wrote:
> ath12k_core_get_wsi_info() traverses the WSI (Wired Serial Interface)
> device graph starting from dev->of_node. The current code uses
> dev->of_node directly as the local traversal pointer and calls
> of_node_put() on error.
> 
> Since the driver does not own a reference to dev->of_node, dropping it
> during traversal results in the following OF refcount underflow:
> 
> OF: ERROR: of_node_release() detected bad of_node_put() on /soc@0/wifi@c000000
> CPU: 1 UID: 0 PID: 210 Comm: insmod Not tainted 6.19.0-rc4-next-20260109-00023-g797dd36dc178 #26 PREEMPT
> Hardware name: Qualcomm Technologies, Inc. IPQ5332 MI01.2 (DT)
> Call trace:
>  show_stack+0x18/0x24 (C)
>  dump_stack_lvl+0x60/0x80
>  dump_stack+0x18/0x24
>  of_node_release+0x164/0x1a0
>  kobject_put+0xb4/0x278
>  of_node_put+0x18/0x28
>  ath12k_core_init+0x29c/0x5d4 [ath12k]
>  ath12k_ahb_probe+0x950/0xc14 [ath12k]
>  platform_probe+0x5c/0xa4
>  really_probe+0xc0/0x3ec
>  __driver_probe_device+0x80/0x170
>  driver_probe_device+0x3c/0x120
>  __driver_attach+0xc4/0x218
> OF: ERROR: next of_node_put() on this node will result in a kobject warning 'refcount_t: underflow; use-after-free.'
> 
> Fix this by explicitly acquiring a reference to the starting node
> using of_node_get() and attaching automatic cleanup via
> __free(device_node).
> 
> Each discovered WSI node is stored in ag->wsi_node[] with its own
> of_node_get() reference. These references are later released in
> ath12k_core_free_wsi_info() during driver teardown.
> 
> Also remove unnecessary memset() of wsi_node array since cleanup now
> explicitly sets pointers to NULL.
> 
> Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.6-01243-QCAHKSWPL_SILICONZ-1
> Tested-on: IPQ5332 hw1.0 AHB WLAN.WBE.1.6-01275-QCAHKSWPL_SILICONZ-1
> 
> Fixes: 908c10c860e0 ("wifi: ath12k: parse multiple device information from Device Tree")
> Signed-off-by: Aaradhana Sahu <aaradhana.sahu@oss.qualcomm.com>
> ---
>  drivers/net/wireless/ath/ath12k/core.c | 77 ++++++++++++++++----------
>  1 file changed, 48 insertions(+), 29 deletions(-)
> 
> diff --git a/drivers/net/wireless/ath/ath12k/core.c b/drivers/net/wireless/ath/ath12k/core.c
> index 2519e2400d58..980a12fb2c6e 100644
> --- a/drivers/net/wireless/ath/ath12k/core.c
> +++ b/drivers/net/wireless/ath/ath12k/core.c
> @@ -1838,10 +1838,22 @@ static struct ath12k_hw_group *ath12k_core_hw_group_alloc(struct ath12k_base *ab
>  	return ag;
>  }
>  
> +static void ath12k_core_free_wsi_info(struct ath12k_hw_group *ag)
> +{
> +	int i;
> +
> +	for (i = 0; i < ag->num_devices; i++) {
> +		of_node_put(ag->wsi_node[i]);
> +		ag->wsi_node[i] = NULL;
> +	}
> +	ag->num_devices = 0;
> +}
> +
>  static void ath12k_core_hw_group_free(struct ath12k_hw_group *ag)
>  {
>  	mutex_lock(&ath12k_hw_group_mutex);
>  
> +	ath12k_core_free_wsi_info(ag);
>  	list_del(&ag->list);
>  	kfree(ag);
>  
> @@ -1867,52 +1879,59 @@ static struct ath12k_hw_group *ath12k_core_hw_group_find_by_dt(struct ath12k_bas
>  static int ath12k_core_get_wsi_info(struct ath12k_hw_group *ag,
>  				    struct ath12k_base *ab)
>  {
> -	struct device_node *wsi_dev = ab->dev->of_node, *next_wsi_dev;
> -	struct device_node *tx_endpoint, *next_rx_endpoint;
> -	int device_count = 0;
> -
> -	next_wsi_dev = wsi_dev;
> +	struct device_node *next_wsi_dev;
> +	int device_count = 0, ret = 0;
> +	struct device_node *wsi_dev;
>  
> -	if (!next_wsi_dev)
> +	wsi_dev = of_node_get(ab->dev->of_node);
> +	if (!wsi_dev)
>  		return -ENODEV;
>  
>  	do {
> -		ag->wsi_node[device_count] = next_wsi_dev;
> +		if (device_count >= ATH12K_MAX_DEVICES) {
> +			ath12k_warn(ab, "device count in DT %d is more than limit %d\n",
> +				    device_count, ATH12K_MAX_DEVICES);
> +			ret = -EINVAL;
> +			break;
> +		}
> +
> +		ag->wsi_node[device_count++] = of_node_get(wsi_dev);
>  
> -		tx_endpoint = of_graph_get_endpoint_by_regs(next_wsi_dev, 0, -1);
> +		struct device_node *tx_endpoint __free(device_node) =
> +					of_graph_get_endpoint_by_regs(wsi_dev, 0, -1);
>  		if (!tx_endpoint) {
> -			of_node_put(next_wsi_dev);
> -			return -ENODEV;
> +			ret = -ENODEV;
> +			break;
>  		}
>  
> -		next_rx_endpoint = of_graph_get_remote_endpoint(tx_endpoint);
> +		struct device_node *next_rx_endpoint __free(device_node) =
> +					of_graph_get_remote_endpoint(tx_endpoint);
>  		if (!next_rx_endpoint) {
> -			of_node_put(next_wsi_dev);
> -			of_node_put(tx_endpoint);
> -			return -ENODEV;
> +			ret = -ENODEV;
> +			break;
>  		}
>  
> -		of_node_put(tx_endpoint);
> -		of_node_put(next_wsi_dev);
> -
>  		next_wsi_dev = of_graph_get_port_parent(next_rx_endpoint);
>  		if (!next_wsi_dev) {
> -			of_node_put(next_rx_endpoint);
> -			return -ENODEV;
> +			ret = -ENODEV;
> +			break;
>  		}
>  
> -		of_node_put(next_rx_endpoint);
> +		of_node_put(wsi_dev);
> +		wsi_dev = next_wsi_dev;
> +	} while (ab->dev->of_node != wsi_dev);
>  
> -		device_count++;
> -		if (device_count > ATH12K_MAX_DEVICES) {
> -			ath12k_warn(ab, "device count in DT %d is more than limit %d\n",
> -				    device_count, ATH12K_MAX_DEVICES);
> -			of_node_put(next_wsi_dev);
> -			return -EINVAL;
> +	if (ret) {
> +		while (--device_count >= 0) {
> +			of_node_put(ag->wsi_node[device_count]);
> +			ag->wsi_node[device_count] = NULL;
>  		}
> -	} while (wsi_dev != next_wsi_dev);
>  
> -	of_node_put(next_wsi_dev);
> +		of_node_put(wsi_dev);
> +		return ret;
> +	}
> +
> +	of_node_put(wsi_dev);
>  	ag->num_devices = device_count;
>  
>  	return 0;
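Review bot: the ATH12K_MAX_DEVICES check moves from after the store (`device_count > ATH12K_MAX_DEVICES`) to before it (`device_count >= ATH12K_MAX_DEVICES`), which changes when -EINVAL is returned, and the commit message does not mention it. It deserves a sentence there, and the warning text could be reworded, since it now fires with device_count equal to the limit and prints that value as "more than limit".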
> @@ -1983,9 +2002,9 @@ static struct ath12k_hw_group *ath12k_core_hw_group_assign(struct ath12k_base *a
>  		    ath12k_core_get_wsi_index(ag, ab)) {
>  			ath12k_dbg(ab, ATH12K_DBG_BOOT,
>  				   "unable to get wsi info from dt, grouping single device");
> +			ath12k_core_free_wsi_info(ag);
>  			ag->id = ATH12K_INVALID_GROUP_ID;
>  			ag->num_devices = 1;
> -			memset(ag->wsi_node, 0, sizeof(ag->wsi_node));
>  			wsi->index = 0;
>  		}
>  
> 
> base-commit: ae530e0b135102c5fc08e64c39e7a18564a52b3e

Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH ath-next] wifi: ath12k: fix OF node refcount imbalance in WSI graph traversal
  2026-04-10  7:13 [PATCH ath-next] wifi: ath12k: fix OF node refcount imbalance in WSI graph traversal Aaradhana Sahu
  2026-04-21  2:56 ` Baochen Qiang
@ 2026-04-21  5:30 ` Rameshkumar Sundaram
  2026-04-23 18:00 ` Jeff Johnson
  2 siblings, 0 replies; 4+ messages in thread
From: Rameshkumar Sundaram @ 2026-04-21  5:30 UTC (permalink / raw)
  To: Aaradhana Sahu, ath12k; +Cc: linux-wireless

On 4/10/2026 12:43 PM, Aaradhana Sahu wrote:
> ath12k_core_get_wsi_info() traverses the WSI (Wired Serial Interface)
> device graph starting from dev->of_node. The current code uses
> dev->of_node directly as the local traversal pointer and calls
> of_node_put() on error.
> 
> Since the driver does not own a reference to dev->of_node, dropping it
> during traversal results in the following OF refcount underflow:
> 
> OF: ERROR: of_node_release() detected bad of_node_put() on /soc@0/wifi@c000000
> CPU: 1 UID: 0 PID: 210 Comm: insmod Not tainted 6.19.0-rc4-next-20260109-00023-g797dd36dc178 #26 PREEMPT
> Hardware name: Qualcomm Technologies, Inc. IPQ5332 MI01.2 (DT)
> Call trace:
>   show_stack+0x18/0x24 (C)
>   dump_stack_lvl+0x60/0x80
>   dump_stack+0x18/0x24
>   of_node_release+0x164/0x1a0
>   kobject_put+0xb4/0x278
>   of_node_put+0x18/0x28
>   ath12k_core_init+0x29c/0x5d4 [ath12k]
>   ath12k_ahb_probe+0x950/0xc14 [ath12k]
>   platform_probe+0x5c/0xa4
>   really_probe+0xc0/0x3ec
>   __driver_probe_device+0x80/0x170
>   driver_probe_device+0x3c/0x120
>   __driver_attach+0xc4/0x218
> OF: ERROR: next of_node_put() on this node will result in a kobject warning 'refcount_t: underflow; use-after-free.'
> 
> Fix this by explicitly acquiring a reference to the starting node
> using of_node_get() and attaching automatic cleanup via
> __free(device_node).
> 
> Each discovered WSI node is stored in ag->wsi_node[] with its own
> of_node_get() reference. These references are later released in
> ath12k_core_free_wsi_info() during driver teardown.
> 
> Also remove unnecessary memset() of wsi_node array since cleanup now
> explicitly sets pointers to NULL.
> 
> Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.6-01243-QCAHKSWPL_SILICONZ-1
> Tested-on: IPQ5332 hw1.0 AHB WLAN.WBE.1.6-01275-QCAHKSWPL_SILICONZ-1
> 
> Fixes: 908c10c860e0 ("wifi: ath12k: parse multiple device information from Device Tree")
> Signed-off-by: Aaradhana Sahu <aaradhana.sahu@oss.qualcomm.com>

Reviewed-by: Rameshkumar Sundaram <rameshkumar.sundaram@oss.qualcomm.com>

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH ath-next] wifi: ath12k: fix OF node refcount imbalance in WSI graph traversal
  2026-04-10  7:13 [PATCH ath-next] wifi: ath12k: fix OF node refcount imbalance in WSI graph traversal Aaradhana Sahu
  2026-04-21  2:56 ` Baochen Qiang
  2026-04-21  5:30 ` Rameshkumar Sundaram
@ 2026-04-23 18:00 ` Jeff Johnson
  2 siblings, 0 replies; 4+ messages in thread
From: Jeff Johnson @ 2026-04-23 18:00 UTC (permalink / raw)
  To: ath12k, Aaradhana Sahu; +Cc: linux-wireless


On Fri, 10 Apr 2026 12:43:00 +0530, Aaradhana Sahu wrote:
> ath12k_core_get_wsi_info() traverses the WSI (Wired Serial Interface)
> device graph starting from dev->of_node. The current code uses
> dev->of_node directly as the local traversal pointer and calls
> of_node_put() on error.
> 
> Since the driver does not own a reference to dev->of_node, dropping it
> during traversal results in the following OF refcount underflow:
> 
> [...]

Applied, thanks!

[1/1] wifi: ath12k: fix OF node refcount imbalance in WSI graph traversal
      commit: f3ba9e05cc7b65f41f58bb4808f6c3a8f7894bb1

Best regards,
-- 
Jeff Johnson <jeff.johnson@oss.qualcomm.com>


^ permalink raw reply	[flat|nested] 4+ messages in thread
