From: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
To: Aaradhana Sahu <aaradhana.sahu@oss.qualcomm.com>,
ath12k@lists.infradead.org
Cc: linux-wireless@vger.kernel.org
Subject: Re: [PATCH ath-next] wifi: ath12k: fix OF node refcount imbalance in WSI graph traversal
Date: Tue, 21 Apr 2026 10:56:13 +0800 [thread overview]
Message-ID: <f77c1e60-d0c4-4220-ba13-fd649a2edbef@oss.qualcomm.com> (raw)
In-Reply-To: <20260410071300.2323603-1-aaradhana.sahu@oss.qualcomm.com>
On 4/10/2026 3:13 PM, Aaradhana Sahu wrote:
> ath12k_core_get_wsi_info() traverses the WSI (Wired Serial Interface)
> device graph starting from dev->of_node. The current code uses
> dev->of_node directly as the local traversal pointer and calls
> of_node_put() on error.
>
> Since the driver does not own a reference to dev->of_node, dropping it
> during traversal results in the following OF refcount underflow:
>
> OF: ERROR: of_node_release() detected bad of_node_put() on /soc@0/wifi@c000000
> CPU: 1 UID: 0 PID: 210 Comm: insmod Not tainted 6.19.0-rc4-next-20260109-00023-g797dd36dc178 #26 PREEMPT
> Hardware name: Qualcomm Technologies, Inc. IPQ5332 MI01.2 (DT)
> Call trace:
> show_stack+0x18/0x24 (C)
> dump_stack_lvl+0x60/0x80
> dump_stack+0x18/0x24
> of_node_release+0x164/0x1a0
> kobject_put+0xb4/0x278
> of_node_put+0x18/0x28
> ath12k_core_init+0x29c/0x5d4 [ath12k]
> ath12k_ahb_probe+0x950/0xc14 [ath12k]
> platform_probe+0x5c/0xa4
> really_probe+0xc0/0x3ec
> __driver_probe_device+0x80/0x170
> driver_probe_device+0x3c/0x120
> __driver_attach+0xc4/0x218
> OF: ERROR: next of_node_put() on this node will result in a kobject warning 'refcount_t: underflow; use-after-free.'
>
> Fix this by explicitly acquiring a reference to the starting node
> using of_node_get() and attaching automatic cleanup via
> __free(device_node).
>
> Each discovered WSI node is stored in ag->wsi_node[] with its own
> of_node_get() reference. These references are later released in
> ath12k_core_free_wsi_info() during driver teardown.
>
> Also remove unnecessary memset() of wsi_node array since cleanup now
> explicitly sets pointers to NULL.
>
> Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.6-01243-QCAHKSWPL_SILICONZ-1
> Tested-on: IPQ5332 hw1.0 AHB WLAN.WBE.1.6-01275-QCAHKSWPL_SILICONZ-1
>
> Fixes: 908c10c860e0 ("wifi: ath12k: parse multiple device information from Device Tree")
> Signed-off-by: Aaradhana Sahu <aaradhana.sahu@oss.qualcomm.com>
> ---
> drivers/net/wireless/ath/ath12k/core.c | 77 ++++++++++++++++----------
> 1 file changed, 48 insertions(+), 29 deletions(-)
>
> diff --git a/drivers/net/wireless/ath/ath12k/core.c b/drivers/net/wireless/ath/ath12k/core.c
> index 2519e2400d58..980a12fb2c6e 100644
> --- a/drivers/net/wireless/ath/ath12k/core.c
> +++ b/drivers/net/wireless/ath/ath12k/core.c
> @@ -1838,10 +1838,22 @@ static struct ath12k_hw_group *ath12k_core_hw_group_alloc(struct ath12k_base *ab
> return ag;
> }
>
> +static void ath12k_core_free_wsi_info(struct ath12k_hw_group *ag)
> +{
> + int i;
> +
> + for (i = 0; i < ag->num_devices; i++) {
> + of_node_put(ag->wsi_node[i]);
> + ag->wsi_node[i] = NULL;
> + }
> + ag->num_devices = 0;
> +}
> +
> static void ath12k_core_hw_group_free(struct ath12k_hw_group *ag)
> {
> mutex_lock(&ath12k_hw_group_mutex);
>
> + ath12k_core_free_wsi_info(ag);
> list_del(&ag->list);
> kfree(ag);
>
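Review bot: The loop in ath12k_core_free_wsi_info() is bounded by `ag->num_devices`, so it releases every held node only while that counter matches the number of populated `ag->wsi_node[]` slots. Code outside this hunk also writes the counter (the fallback path later in this patch sets it to 1), so that coupling is easy to break and a mismatch would leak references without any warning. Since of_node_put() accepts NULL, walking the whole array with `for (i = 0; i < ARRAY_SIZE(ag->wsi_node); i++)` would drop every reference regardless of the counter. This assumes wsi_node is a fixed-size array, which the `sizeof(ag->wsi_node)` in the removed memset suggests. A short comment stating that the helper also resets num_devices to 0 would help callers.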
> @@ -1867,52 +1879,59 @@ static struct ath12k_hw_group *ath12k_core_hw_group_find_by_dt(struct ath12k_bas
> static int ath12k_core_get_wsi_info(struct ath12k_hw_group *ag,
> struct ath12k_base *ab)
> {
> - struct device_node *wsi_dev = ab->dev->of_node, *next_wsi_dev;
> - struct device_node *tx_endpoint, *next_rx_endpoint;
> - int device_count = 0;
> -
> - next_wsi_dev = wsi_dev;
> + struct device_node *next_wsi_dev;
> + int device_count = 0, ret = 0;
> + struct device_node *wsi_dev;
>
> - if (!next_wsi_dev)
> + wsi_dev = of_node_get(ab->dev->of_node);
> + if (!wsi_dev)
> return -ENODEV;
>
> do {
> - ag->wsi_node[device_count] = next_wsi_dev;
> + if (device_count >= ATH12K_MAX_DEVICES) {
> + ath12k_warn(ab, "device count in DT %d is more than limit %d\n",
> + device_count, ATH12K_MAX_DEVICES);
> + ret = -EINVAL;
> + break;
> + }
> +
> + ag->wsi_node[device_count++] = of_node_get(wsi_dev);
>
> - tx_endpoint = of_graph_get_endpoint_by_regs(next_wsi_dev, 0, -1);
> + struct device_node *tx_endpoint __free(device_node) =
> + of_graph_get_endpoint_by_regs(wsi_dev, 0, -1);
> if (!tx_endpoint) {
> - of_node_put(next_wsi_dev);
> - return -ENODEV;
> + ret = -ENODEV;
> + break;
> }
>
> - next_rx_endpoint = of_graph_get_remote_endpoint(tx_endpoint);
> + struct device_node *next_rx_endpoint __free(device_node) =
> + of_graph_get_remote_endpoint(tx_endpoint);
> if (!next_rx_endpoint) {
> - of_node_put(next_wsi_dev);
> - of_node_put(tx_endpoint);
> - return -ENODEV;
> + ret = -ENODEV;
> + break;
> }
>
> - of_node_put(tx_endpoint);
> - of_node_put(next_wsi_dev);
> -
> next_wsi_dev = of_graph_get_port_parent(next_rx_endpoint);
> if (!next_wsi_dev) {
> - of_node_put(next_rx_endpoint);
> - return -ENODEV;
> + ret = -ENODEV;
> + break;
> }
>
> - of_node_put(next_rx_endpoint);
> + of_node_put(wsi_dev);
> + wsi_dev = next_wsi_dev;
> + } while (ab->dev->of_node != wsi_dev);
>
> - device_count++;
> - if (device_count > ATH12K_MAX_DEVICES) {
> - ath12k_warn(ab, "device count in DT %d is more than limit %d\n",
> - device_count, ATH12K_MAX_DEVICES);
> - of_node_put(next_wsi_dev);
> - return -EINVAL;
> + if (ret) {
> + while (--device_count >= 0) {
> + of_node_put(ag->wsi_node[device_count]);
> + ag->wsi_node[device_count] = NULL;
> }
> - } while (wsi_dev != next_wsi_dev);
>
> - of_node_put(next_wsi_dev);
> + of_node_put(wsi_dev);
> + return ret;
> + }
> +
> + of_node_put(wsi_dev);
> ag->num_devices = device_count;
>
> return 0;
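Review bot: The limit check moved to the top of the loop is now the only thing keeping `ag->wsi_node[device_count++]` in bounds, and neither the code nor the commit message says so. The removed code stored first and compared with `>` afterwards, so a device-tree graph that never links back to the starting node could reach a store at index ATH12K_MAX_DEVICES. That is one past the end if the array has ATH12K_MAX_DEVICES entries, but its declaration is not visible here. A comment above the check such as `/* must precede the store: DT-supplied graph may not loop back to the start */` would keep a later refactor from reordering it. The warning now fires when device_count equals the limit, so "is more than limit" reads slightly off. The function's closing brace is outside the hunk.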
> @@ -1983,9 +2002,9 @@ static struct ath12k_hw_group *ath12k_core_hw_group_assign(struct ath12k_base *a
> ath12k_core_get_wsi_index(ag, ab)) {
> ath12k_dbg(ab, ATH12K_DBG_BOOT,
> "unable to get wsi info from dt, grouping single device");
> + ath12k_core_free_wsi_info(ag);
> ag->id = ATH12K_INVALID_GROUP_ID;
> ag->num_devices = 1;
> - memset(ag->wsi_node, 0, sizeof(ag->wsi_node));
> wsi->index = 0;
> }
>
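Review bot: The added ath12k_core_free_wsi_info() call has no comment saying which references it drops. ath12k_core_get_wsi_info() already puts and clears its nodes on its own failure path, so the call appears to matter only when that function succeeded and ath12k_core_get_wsi_index() then failed. The start of the `if` condition is outside the hunk, so this is inferred. A comment such as `/* drop node refs taken by a successful get_wsi_info() */` would make the intent clear. It is also worth noting that the helper zeroes num_devices before it is set to 1 on the following lines.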
>
> base-commit: ae530e0b135102c5fc08e64c39e7a18564a52b3e
Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>