From: Johan Hovold <johan@kernel.org>
To: "Yong Wu (吴勇)" <Yong.Wu@mediatek.com>
Cc: "joro@8bytes.org" <joro@8bytes.org>,
"will@kernel.org" <will@kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"j@jannau.net" <j@jannau.net>,
"vdumpa@nvidia.com" <vdumpa@nvidia.com>,
"robin.murphy@arm.com" <robin.murphy@arm.com>,
"m.szyprowski@samsung.com" <m.szyprowski@samsung.com>,
"wens@csie.org" <wens@csie.org>,
"thierry.reding@gmail.com" <thierry.reding@gmail.com>,
"stable@vger.kernel.org" <stable@vger.kernel.org>,
"iommu@lists.linux.dev" <iommu@lists.linux.dev>,
"matthias.bgg@gmail.com" <matthias.bgg@gmail.com>,
"robin.clark@oss.qualcomm.com" <robin.clark@oss.qualcomm.com>,
"sven@kernel.org" <sven@kernel.org>,
AngeloGioacchino Del Regno
<angelogioacchino.delregno@collabora.com>
Subject: Re: [PATCH v2 06/14] iommu/mediatek: fix device leaks on probe()
Date: Mon, 20 Oct 2025 07:02:19 +0200 [thread overview]
Message-ID: <aPXCW43vFExjkVpq@hovoldconsulting.com> (raw)
In-Reply-To: <aeec9ee86b63ee892d84ab0232f372bdeccc780f.camel@mediatek.com>
On Sat, Oct 18, 2025 at 06:54:39AM +0000, Yong Wu (吴勇) wrote:
> On Tue, 2025-10-07 at 11:43 +0200, Johan Hovold wrote:
> > Make sure to drop the references taken to the larb devices during
> > probe on probe failure (e.g. probe deferral) and on driver unbind.
> >
> > Note that commit 26593928564c ("iommu/mediatek: Add error path for
> > loop
> > of mm_dts_parse") fixed the leaks in a couple of error paths, but the
> > references are still leaking on success and late failures.
> > @@ -1216,13 +1216,17 @@ static int mtk_iommu_mm_dts_parse(struct
> > device *dev, struct component_match **m
> > platform_device_put(plarbdev);
> > }
> >
> > - if (!frst_avail_smicomm_node)
> > - return -EINVAL;
> > + if (!frst_avail_smicomm_node) {
> > + ret = -EINVAL;
> > + goto err_larbdev_put;
>
> There already is a "platform_device_put(plarbdev);" at the end of "for"
> loop, then no need put_device for it outside the "for" loop or outside
> this function?
You're right, thanks for catching that.
But this means that we have an existing potential use-after-free as if,
for example, the driver probe defers we would put the reference to any
previously looked up larbs twice.
I've just sent a v3 which fixes this by dropping the
platform_device_put() after successful lookup as it is expected that the
driver keeps the references while it uses the larb devices:
https://lore.kernel.org/lkml/20251020045318.30690-1-johan@kernel.org/
Johan
next prev parent reply other threads:[~2025-10-20 5:02 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-07 9:43 [PATCH v2 00/14] iommu: fix device leaks Johan Hovold
2025-10-07 9:43 ` [PATCH v2 01/14] iommu/apple-dart: fix device leak on of_xlate() Johan Hovold
2025-10-07 9:43 ` [PATCH v2 02/14] iommu/qcom: " Johan Hovold
2025-10-07 9:43 ` [PATCH v2 03/14] iommu/exynos: " Johan Hovold
2025-10-07 9:49 ` Marek Szyprowski
2025-10-07 9:43 ` [PATCH v2 04/14] iommu/ipmmu-vmsa: " Johan Hovold
2025-10-07 9:43 ` [PATCH v2 05/14] iommu/mediatek: " Johan Hovold
2025-10-18 6:50 ` Yong Wu (吴勇)
2025-10-07 9:43 ` [PATCH v2 06/14] iommu/mediatek: fix device leaks on probe() Johan Hovold
2025-10-18 6:54 ` Yong Wu (吴勇)
2025-10-20 5:02 ` Johan Hovold [this message]
2025-10-07 9:43 ` [PATCH v2 07/14] iommu/mediatek: simplify dt parsing error handling Johan Hovold
2025-10-07 9:43 ` [PATCH v2 08/14] iommu/mediatek-v1: fix device leak on probe_device() Johan Hovold
2025-10-18 6:51 ` Yong Wu (吴勇)
2025-10-07 9:43 ` [PATCH v2 09/14] iommu/mediatek-v1: fix device leaks on probe() Johan Hovold
2025-10-07 9:43 ` [PATCH v2 10/14] iommu/mediatek-v1: add missing larb count sanity check Johan Hovold
2025-10-18 6:51 ` Yong Wu (吴勇)
2025-10-07 9:43 ` [PATCH v2 11/14] iommu/omap: fix device leaks on probe_device() Johan Hovold
2025-10-07 9:43 ` [PATCH v2 12/14] iommu/omap: simplify probe_device() error handling Johan Hovold
2025-10-07 9:43 ` [PATCH v2 13/14] iommu/sun50i: fix device leak on of_xlate() Johan Hovold
2025-10-07 9:43 ` [PATCH v2 14/14] iommu/tegra: fix device leak on probe_device() Johan Hovold
2025-10-09 7:56 ` Thierry Reding
2025-10-09 8:27 ` Johan Hovold
2025-10-09 10:15 ` Thierry Reding
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aPXCW43vFExjkVpq@hovoldconsulting.com \
--to=johan@kernel.org \
--cc=Yong.Wu@mediatek.com \
--cc=angelogioacchino.delregno@collabora.com \
--cc=iommu@lists.linux.dev \
--cc=j@jannau.net \
--cc=joro@8bytes.org \
--cc=linux-kernel@vger.kernel.org \
--cc=m.szyprowski@samsung.com \
--cc=matthias.bgg@gmail.com \
--cc=robin.clark@oss.qualcomm.com \
--cc=robin.murphy@arm.com \
--cc=stable@vger.kernel.org \
--cc=sven@kernel.org \
--cc=thierry.reding@gmail.com \
--cc=vdumpa@nvidia.com \
--cc=wens@csie.org \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox