public inbox for linux-kernel@vger.kernel.org
* [PATCH] iommu/of: Fix device node reference leak in of_iommu_get_resv_regions
@ 2025-10-28  6:36 Miaoqian Lin
  2025-10-28 11:57 ` Robin Murphy
  2025-10-28 13:05 ` Markus Elfring
  0 siblings, 2 replies; 3+ messages in thread
From: Miaoqian Lin @ 2025-10-28  6:36 UTC (permalink / raw)
  To: Joerg Roedel, Will Deacon, Robin Murphy, Thierry Reding,
	Rob Herring, iommu, linux-kernel
  Cc: linmq006, stable

In of_iommu_get_resv_regions(), of_find_node_by_phandle() returns a device
node with its reference count incremented. The caller is responsible for
releasing this reference when the node is no longer needed.

Add a call to of_node_put() to release the reference after the usage.

Found via static analysis.

Fixes: a5bf3cfce8cb ("iommu: Implement of_iommu_get_resv_regions()")
Cc: stable@vger.kernel.org
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
---
 drivers/iommu/of_iommu.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/iommu/of_iommu.c b/drivers/iommu/of_iommu.c
index 6b989a62def2..02448da8ff90 100644
--- a/drivers/iommu/of_iommu.c
+++ b/drivers/iommu/of_iommu.c
@@ -256,6 +256,7 @@ void of_iommu_get_resv_regions(struct device *dev, struct list_head *list)
 				maps = of_translate_dma_region(np, maps, &iova, &length);
 				if (length == 0) {
 					dev_warn(dev, "Cannot reserve IOVA region of 0 size\n");
+					of_node_put(np);
 					continue;
 				}
 				type = iommu_resv_region_get_type(dev, &phys, iova, length);
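Review bot: The of_node_put(np) before `continue` in the `length == 0` branch makes this one of two release sites for a single reference, and the pairing with the put in the second hunk holds only as long as no further early exit is added to this loop body. A single release point would be sturdier: either drop the reference where np is obtained, if nothing here needs the node pinned, or declare np with __free(device_node) so the `continue` path is covered without a separate call.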
@@ -265,6 +266,7 @@ void of_iommu_get_resv_regions(struct device *dev, struct list_head *list)
 				if (region)
 					list_add_tail(&region->list, list);
 			}
+			of_node_put(np);
 		}
 	}
 #endif
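Review bot: The commit message says "Add a call to of_node_put()" but the patch adds two, and nothing explains why the one in this hunk sits after the closing brace of the block that uses np rather than inside it. Please say in the changelog that the reference is dropped at the end of every pass whether or not that block ran, and that the `length == 0` path needs its own put only because `continue` skips this line.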
-- 
2.39.5 (Apple Git-154)



* Re: [PATCH] iommu/of: Fix device node reference leak in of_iommu_get_resv_regions
  2025-10-28  6:36 [PATCH] iommu/of: Fix device node reference leak in of_iommu_get_resv_regions Miaoqian Lin
@ 2025-10-28 11:57 ` Robin Murphy
  2025-10-28 13:05 ` Markus Elfring
  1 sibling, 0 replies; 3+ messages in thread
From: Robin Murphy @ 2025-10-28 11:57 UTC (permalink / raw)
  To: Miaoqian Lin, Joerg Roedel, Will Deacon, Thierry Reding,
	Rob Herring, iommu, linux-kernel
  Cc: stable

On 2025-10-28 6:36 am, Miaoqian Lin wrote:
> In of_iommu_get_resv_regions(), of_find_node_by_phandle() returns a device
> node with its reference count incremented. The caller is responsible for
> releasing this reference when the node is no longer needed.
> 
> Add a call to of_node_put() to release the reference after the usage.

Just put the reference immediately after getting it - this inner usage 
only happens if it's the same dev->of_node we're already using for the 
outer iteration, so we don't need to bother holding an extra reference 
as it can't suddenly disappear anyway (or even if it could, that's still 
not *this* code's problem...)

Thanks,
Robin.

> Found via static analysis.
> 
> Fixes: a5bf3cfce8cb ("iommu: Implement of_iommu_get_resv_regions()")
> Cc: stable@vger.kernel.org
> Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
> ---
>   drivers/iommu/of_iommu.c | 2 ++
>   1 file changed, 2 insertions(+)
> 
> diff --git a/drivers/iommu/of_iommu.c b/drivers/iommu/of_iommu.c
> index 6b989a62def2..02448da8ff90 100644
> --- a/drivers/iommu/of_iommu.c
> +++ b/drivers/iommu/of_iommu.c
> @@ -256,6 +256,7 @@ void of_iommu_get_resv_regions(struct device *dev, struct list_head *list)
>   				maps = of_translate_dma_region(np, maps, &iova, &length);
>   				if (length == 0) {
>   					dev_warn(dev, "Cannot reserve IOVA region of 0 size\n");
> +					of_node_put(np);
>   					continue;
>   				}
>   				type = iommu_resv_region_get_type(dev, &phys, iova, length);
> @@ -265,6 +266,7 @@ void of_iommu_get_resv_regions(struct device *dev, struct list_head *list)
>   				if (region)
>   					list_add_tail(&region->list, list);
>   			}
> +			of_node_put(np);
>   		}
>   	}
>   #endif



* Re: [PATCH] iommu/of: Fix device node reference leak in of_iommu_get_resv_regions
  2025-10-28  6:36 [PATCH] iommu/of: Fix device node reference leak in of_iommu_get_resv_regions Miaoqian Lin
  2025-10-28 11:57 ` Robin Murphy
@ 2025-10-28 13:05 ` Markus Elfring
  1 sibling, 0 replies; 3+ messages in thread
From: Markus Elfring @ 2025-10-28 13:05 UTC (permalink / raw)
  To: Miaoqian Lin, iommu, Jörg Rödel, Rob Herring,
	Robin Murphy, Thierry Reding, Will Deacon
  Cc: stable, LKML

…
> Add a call to of_node_put() to release the reference after the usage.
…

What do you think about using the attribute “__free(device_node)”?
https://elixir.bootlin.com/linux/v6.18-rc3/source/include/linux/of.h#L138
https://elixir.bootlin.com/linux/v6.18-rc3/source/drivers/iommu/of_iommu.c#L196-L271

Regards,
Markus
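
The following is an added example, not code from the thread or from the kernel: a userspace model of the loop under discussion, showing the reference that leaks when an early `continue` skips an end-of-body put, next to the scope-based release that `__free()` is built on (the GCC/Clang `cleanup` attribute). `struct node`, `find_node()`, `node_put()`, `walk()` and `leaked_refs()` are hypothetical names, and the sample nodes and (id, length) pairs are constructed.

```c
#include <stddef.h>

/* Constructed stand-in for struct device_node: just a reference count. */
struct node { int refs; };

/* Like of_find_node_by_phandle(): hands back the node with a reference taken. */
static struct node *find_node(struct node *tbl, size_t id)
{
	tbl[id].refs++;
	return &tbl[id];
}
static void node_put(struct node *np) { if (np) np->refs--; }
/* Scope-exit handler: the compiler passes the address of the variable. */
static void node_put_auto(struct node **npp) { node_put(*npp); }

/* Walk (id, length) pairs for dev; returns the number of regions accepted. */
static int walk(struct node *tbl, struct node *dev, const size_t *ids,
		const size_t *len, size_t cnt, int scoped)
{
	int regions = 0;

	for (size_t i = 0; i < cnt; i++) {
		if (scoped) {
			/* Put on every exit from this block, continue included. */
			struct node *np __attribute__((cleanup(node_put_auto))) =
				find_node(tbl, ids[i]);
			if (np == dev && len[i] == 0)
				continue;
			regions += (np == dev);
		} else {
			struct node *np = find_node(tbl, ids[i]);
			if (np == dev && len[i] == 0)
				continue;	/* skips the put below: leak */
			regions += (np == dev);
			node_put(np);
		}
	}
	return regions;
}

/* References left on the device's node after one walk (0 means balanced). */
int leaked_refs(int scoped)
{
	struct node tbl[2] = { { 1 }, { 1 } };	/* constructed sample nodes */
	const size_t ids[] = { 0, 1, 0, 0 }, len[] = { 4, 4, 0, 8 };

	walk(tbl, &tbl[0], ids, len, 4, scoped);
	return tbl[0].refs - 1;
}
```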

