From: Zijun Hu <zijun_hu@icloud.com>
To: Vinod Koul <vkoul@kernel.org>,
Kishon Vijay Abraham I <kishon@kernel.org>,
Felipe Balbi <balbi@ti.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Rob Herring <robh@kernel.org>, Arnd Bergmann <arnd@arndb.de>,
Lee Jones <lee@kernel.org>
Cc: "Lorenzo Pieralisi" <lpieralisi@kernel.org>,
"Krzysztof Wilczyński" <kw@linux.com>,
"Bjorn Helgaas" <bhelgaas@google.com>,
"David S. Miller" <davem@davemloft.net>,
"Eric Dumazet" <edumazet@google.com>,
"Jakub Kicinski" <kuba@kernel.org>,
"Paolo Abeni" <pabeni@redhat.com>,
"Christophe JAILLET" <christophe.jaillet@wanadoo.fr>,
"Johan Hovold" <johan@kernel.org>,
"Zijun Hu" <zijun_hu@icloud.com>,
stable@vger.kernel.org, linux-phy@lists.infradead.org,
linux-kernel@vger.kernel.org,
"Zijun Hu" <quic_zijuhu@quicinc.com>,
"Johan Hovold" <johan+linaro@kernel.org>
Subject: [PATCH v3 5/6] phy: core: Fix an OF node refcount leakage in of_phy_provider_lookup()
Date: Wed, 30 Oct 2024 22:18:28 +0800 [thread overview]
Message-ID: <20241030-phy_core_fix-v3-5-19b97c3ec917@quicinc.com> (raw)
In-Reply-To: <20241030-phy_core_fix-v3-0-19b97c3ec917@quicinc.com>
From: Zijun Hu <quic_zijuhu@quicinc.com>
For macro for_each_child_of_node(parent, child), refcount of @child has
been increased before entering its loop body, so normally needs to call
of_node_put(@child) before returning from the loop body to avoid refcount
leakage.
of_phy_provider_lookup() has such usage but does not call of_node_put()
before returning, so cause leakage of the OF node refcount.
Fixed by simply calling of_node_put() before returning from the loop body.
The APIs affected by this issue are shown below since they indirectly
invoke problematic of_phy_provider_lookup().
phy_get()
of_phy_get()
devm_phy_get()
devm_of_phy_get()
devm_of_phy_get_by_index()
Fixes: 2a4c37016ca9 ("phy: core: Fix of_phy_provider_lookup to return PHY provider for sub node")
Cc: stable@vger.kernel.org
Reviewed-by: Johan Hovold <johan+linaro@kernel.org>
Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
---
The following kernel mainline commit fixes a similar issue:
Commit: b337cc3ce475 ("backlight: lm3509_bl: Fix early returns in for_each_child_of_node()")
---
drivers/phy/phy-core.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/phy/phy-core.c b/drivers/phy/phy-core.c
index 3127c5d9c637..9d4cc64a0865 100644
--- a/drivers/phy/phy-core.c
+++ b/drivers/phy/phy-core.c
@@ -145,8 +145,10 @@ static struct phy_provider *of_phy_provider_lookup(struct device_node *node)
return phy_provider;
for_each_child_of_node(phy_provider->children, child)
- if (child == node)
+ if (child == node) {
+ of_node_put(child);
return phy_provider;
+ }
}
return ERR_PTR(-EPROBE_DEFER);
--
2.34.1
next prev parent reply other threads:[~2024-10-30 14:19 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-10-30 14:18 [PATCH v3 0/6] phy: core: Fix bugs for several APIs and simplify an API Zijun Hu
2024-10-30 14:18 ` [PATCH v3 1/6] phy: core: Fix that API devm_phy_put() fails to release the phy Zijun Hu
2024-10-30 14:18 ` [PATCH v3 2/6] phy: core: Fix that API devm_of_phy_provider_unregister() fails to unregister the phy provider Zijun Hu
2024-10-30 14:18 ` [PATCH v3 3/6] phy: core: Fix that API devm_phy_destroy() fails to destroy the phy Zijun Hu
2024-10-30 14:18 ` [PATCH v3 4/6] phy: core: Fix an OF node refcount leakage in _of_phy_get() Zijun Hu
2024-10-30 14:18 ` Zijun Hu [this message]
2024-10-30 14:18 ` [PATCH v3 6/6] phy: core: Simplify API of_phy_simple_xlate() implementation Zijun Hu
2024-10-30 14:21 ` kernel test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20241030-phy_core_fix-v3-5-19b97c3ec917@quicinc.com \
--to=zijun_hu@icloud.com \
--cc=arnd@arndb.de \
--cc=balbi@ti.com \
--cc=bhelgaas@google.com \
--cc=christophe.jaillet@wanadoo.fr \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=gregkh@linuxfoundation.org \
--cc=johan+linaro@kernel.org \
--cc=johan@kernel.org \
--cc=kishon@kernel.org \
--cc=kuba@kernel.org \
--cc=kw@linux.com \
--cc=lee@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-phy@lists.infradead.org \
--cc=lpieralisi@kernel.org \
--cc=pabeni@redhat.com \
--cc=quic_zijuhu@quicinc.com \
--cc=robh@kernel.org \
--cc=stable@vger.kernel.org \
--cc=vkoul@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox