public inbox for stable@vger.kernel.org
From: Sasha Levin <sashal@kernel.org>
To: patches@lists.linux.dev, stable@vger.kernel.org
Cc: Pei Xiao <xiaopei01@kylinos.cn>,
	Guenter Roeck <linux@roeck-us.net>,
	Sasha Levin <sashal@kernel.org>,
	linux-hwmon@vger.kernel.org
Subject: [PATCH AUTOSEL 6.18-6.17] hwmon: (emc2305) fix double put in emc2305_probe_childs_from_dt
Date: Thu, 11 Dec 2025 21:08:55 -0500
Message-ID: <20251212020903.4153935-3-sashal@kernel.org>
In-Reply-To: <20251212020903.4153935-1-sashal@kernel.org>

From: Pei Xiao <xiaopei01@kylinos.cn>

[ Upstream commit 541dfb49dcb80c2509e030842de77adfb77820f5 ]

./drivers/hwmon/emc2305.c:597:4-15: ERROR: probable double put

Device node iterators put the previous value of the index variable, so an
explicit put causes a double put.

Signed-off-by: Pei Xiao <xiaopei01@kylinos.cn>
Link: https://lore.kernel.org/r/tencent_CD373F952BE48697C949E39CB5EB77841D06@qq.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---

LLM Generated explanations, may be completely bogus:

## Analysis Summary

### What the Bug Is
This commit fixes a **double reference count decrement (double put)** on
a device_node structure in the `emc2305_probe_childs_from_dt()`
function.

**Technical explanation:**
1. The `for_each_child_of_node()` macro uses `of_get_next_child()`
   internally for iteration
2. As confirmed in the kernel documentation, `of_get_next_child()`
   "**Decrements the refcount of prev**" automatically when advancing to
   the next child
3. The buggy code explicitly calls `of_node_put(child)` before
   `continue`
4. When the loop continues, `of_get_next_child()` decrements the
   refcount again → **double put**

**Impact:** Double put causes reference count underflow which can lead
to:
- Use-after-free vulnerabilities
- Memory corruption
- Kernel crashes/instability

### Stable Tree Criteria Evaluation

| Criteria | Met? | Details |
|----------|------|---------|
| Obviously correct | ✅ | Standard DT iterator pattern fix |
| Fixes real bug | ✅ | Reference counting bug confirmed |
| Important issue | ✅ | Potential UAF/memory corruption |
| Small and contained | ✅ | Removes 4 lines in one function |
| No new features | ✅ | Pure bug fix |
| Tested | ✅ | Signed-off by hwmon maintainer |

### Risk Assessment
- **Risk**: Very low - the fix simply removes incorrect `of_node_put()`
  calls
- **Scope**: Single function, single driver (emc2305 hwmon)
- **Backport complexity**: None - straightforward removal of lines

### Version Analysis
The buggy code was introduced in commit `2ed4db7a1d07b` which first
appeared in **v6.17-rc1**. This means:
- Only kernels 6.17+ have this bug
- Older stable trees (6.12.y, 6.6.y, 6.1.y, etc.) do **NOT** have this
  code

### Concerns
- No explicit "Cc: stable@vger.kernel.org" tag
- No "Fixes:" tag pointing to the introducing commit
- However, the bug and fix are clearly documented and understood

### Verdict
This is a legitimate bug fix that corrects an obvious reference counting
error. The fix is:
- Trivially correct (well-known DT iterator pattern)
- Very low risk
- Fixes a real bug that can cause memory corruption

While the affected code only exists in 6.17+, this is still a valid
stable backport candidate for the 6.17.y stable branch and should be
backported to ensure stable users don't hit this reference counting bug.

**YES**

 drivers/hwmon/emc2305.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/drivers/hwmon/emc2305.c b/drivers/hwmon/emc2305.c
index 84cb9b72cb6c2..ceae96c07ac45 100644
--- a/drivers/hwmon/emc2305.c
+++ b/drivers/hwmon/emc2305.c
@@ -593,10 +593,8 @@ static int emc2305_probe_childs_from_dt(struct device *dev)
 	for_each_child_of_node(dev->of_node, child) {
 		if (of_property_present(child, "reg")) {
 			ret = emc2305_of_parse_pwm_child(dev, child, data);
-			if (ret) {
-				of_node_put(child);
+			if (ret)
 				continue;
-			}
 			count++;
 		}
 	}
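Review bot: In the "if (ret)" branch, the error returned by emc2305_of_parse_pwm_child() is now discarded with a bare "continue", so a child node that fails to parse is skipped without any trace; a dev_warn() there, or a comment stating that skipping is intentional, would make that explicit. With the put gone the branch could also be written as "if (!ret) count++;". Dropping of_node_put(child) is correct for this loop because it contains no break or return, so the iterator alone releases each child; any early exit added later would need its own of_node_put(). The commit message would also benefit from a Fixes: tag so the backport range is explicit.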
-- 
2.51.0
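
The iterator contract described in the explanation above, as a constructed user-space C model (an added example, not code from the patch or the kernel; struct node, node_get(), node_put(), next_child(), walk() and refcount_after_walk() are hypothetical names). It shows the failing child's count dropping below the tree's own reference when the loop body also puts it:

```c
#include <stddef.h>

/* Constructed user-space model: struct node, node_get(), node_put() and
 * next_child() are hypothetical stand-ins, not the kernel's OF API. */
struct node {
	int refcount;          /* 1 = only the tree's own reference */
	int parse_fails;       /* stand-in for a child whose parse returns an error */
	struct node *sibling;
};

static struct node *node_get(struct node *n) { if (n) n->refcount++; return n; }
static void node_put(struct node *n) { if (n) n->refcount--; }

/* Iterator contract from the message: take a reference on the next child
 * and drop the reference held on prev. */
static struct node *next_child(struct node *first, struct node *prev)
{
	struct node *next = node_get(prev ? prev->sibling : first);

	node_put(prev);
	return next;
}

/* Walk all children; explicit_put != 0 reproduces the pre-fix loop body. */
static int walk(struct node *first, int explicit_put)
{
	struct node *child;
	int count = 0;

	for (child = next_child(first, NULL); child; child = next_child(first, child)) {
		if (child->parse_fails) {
			if (explicit_put)
				node_put(child);   /* extra put: the iterator drops it again */
			continue;
		}
		count++;
	}
	return count;
}

/* Build three children (the middle one fails to parse), walk them, and
 * return the refcount left on child idx; 1 means balanced. */
int refcount_after_walk(int explicit_put, int idx)
{
	struct node c[3] = { {1, 0, &c[1]}, {1, 1, &c[2]}, {1, 0, NULL} };

	walk(c, explicit_put);
	return c[idx].refcount;
}
```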

