From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 052702737E3; Fri, 12 Dec 2025 02:09:12 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1765505353; cv=none; b=pyA5/DemqXrpVi0vdnnNczH63lYQM+u0T95tzjtSShXOGNRoh2XqyFILrx+Z4O6fLLpzU0ePXOrLa0TihnknVNGZfmk5MuP7wmnHs3xZQzxKGyyttPu0/sH/XOD6yAc5/dzd7ZVbIdGVlf/VmclZSxGk7XQL0J89OvJSKtMTGl0= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1765505353; c=relaxed/simple; bh=ma7GRHnW2rCG8r0VcpM29zdyDjKXGfA3aainbPmyopQ=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=H0yrob2JS9MC/B7D84XavSf0LWTWm2blguhqMuHcpUjtRYQx4e0YWtTdOAQ/BMa2HKkMgU9OG1vdD9t99w5e38rV5c6qW4AdVETqbVHKH9Yz5VrZ2PlpiLWvHaFHLGlA8cps3MYxXl1kiLhU45vD8MUlr4CfqKD/RQ4wLz3voMM= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=N4h37Gzp; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="N4h37Gzp" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 6B927C4CEF7; Fri, 12 Dec 2025 02:09:11 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1765505352; bh=ma7GRHnW2rCG8r0VcpM29zdyDjKXGfA3aainbPmyopQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=N4h37Gzpml7g1PBRXDRBdB7D8DRTedEmgQ1Rt0ulk/ESx8ZLuiIh/2YcmhdqLNOQ0 GJSphZlN2FfcDO99m1MKZzpvArisztCApZrN9ZRaL+3idPbmCwtdvh2sFM1IgRVA9e As3iMgbWSAFsHB/gOnLLGdFmDHbWoKlNp/DQXYql529Q/6AKba+yz+0WIHPMC4mmcp iTTQc9TYkBnyZGRxjmvewATI7dImwDAfh1RauOwGamp43FfKaBDKQIrDF0UP8/Rwr/ 84tm3Oj3WZJECZGAAQqV83A87dv5Yp5Wdsax/dkUpbYBguTx3vket7dbJiI0eaO+gT +O2WFYwi/dnJg== From: Sasha Levin To: patches@lists.linux.dev, stable@vger.kernel.org Cc: Pei Xiao , Guenter Roeck , Sasha Levin , linux-hwmon@vger.kernel.org Subject: [PATCH AUTOSEL 6.18-6.17] hwmon: (emc2305) fix double put in emc2305_probe_childs_from_dt Date: Thu, 11 Dec 2025 21:08:55 -0500 Message-ID: <20251212020903.4153935-3-sashal@kernel.org> X-Mailer: git-send-email 2.51.0 In-Reply-To: <20251212020903.4153935-1-sashal@kernel.org> References: <20251212020903.4153935-1-sashal@kernel.org> Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-stable: review X-Patchwork-Hint: Ignore X-stable-base: Linux 6.18 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit From: Pei Xiao [ Upstream commit 541dfb49dcb80c2509e030842de77adfb77820f5 ] ./drivers/hwmon/emc2305.c:597:4-15: ERROR: probable double put Device node iterators put the previous value of the index variable, so an explicit put causes a double put. Signed-off-by: Pei Xiao Link: https://lore.kernel.org/r/tencent_CD373F952BE48697C949E39CB5EB77841D06@qq.com Signed-off-by: Guenter Roeck Signed-off-by: Sasha Levin --- LLM Generated explanations, may be completely bogus: ## Analysis Summary ### What the Bug Is This commit fixes a **double reference count decrement (double put)** on a device_node structure in the `emc2305_probe_childs_from_dt()` function. **Technical explanation:** 1. The `for_each_child_of_node()` macro uses `of_get_next_child()` internally for iteration 2. As confirmed in the kernel documentation, `of_get_next_child()` "**Decrements the refcount of prev**" automatically when advancing to the next child 3. The buggy code explicitly calls `of_node_put(child)` before `continue` 4. When the loop continues, `of_get_next_child()` decrements the refcount again → **double put** **Impact:** Double put causes reference count underflow which can lead to: - Use-after-free vulnerabilities - Memory corruption - Kernel crashes/instability ### Stable Tree Criteria Evaluation | Criteria | Met? | Details | |----------|------|---------| | Obviously correct | ✅ | Standard DT iterator pattern fix | | Fixes real bug | ✅ | Reference counting bug confirmed | | Important issue | ✅ | Potential UAF/memory corruption | | Small and contained | ✅ | Removes 4 lines in one function | | No new features | ✅ | Pure bug fix | | Tested | ✅ | Signed-off by hwmon maintainer | ### Risk Assessment - **Risk**: Very low - the fix simply removes incorrect `of_node_put()` calls - **Scope**: Single function, single driver (emc2305 hwmon) - **Backport complexity**: None - straightforward removal of lines ### Version Analysis The buggy code was introduced in commit `2ed4db7a1d07b` which first appeared in **v6.17-rc1**. This means: - Only kernels 6.17+ have this bug - Older stable trees (6.12.y, 6.6.y, 6.1.y, etc.) do **NOT** have this code ### Concerns - No explicit "Cc: stable@vger.kernel.org" tag - No "Fixes:" tag pointing to the introducing commit - However, the bug and fix are clearly documented and understood ### Verdict This is a legitimate bug fix that corrects an obvious reference counting error. The fix is: - Trivially correct (well-known DT iterator pattern) - Very low risk - Fixes a real bug that can cause memory corruption While the affected code only exists in 6.17+, this is still a valid stable backport candidate for the 6.17.y stable branch and should be backported to ensure stable users don't hit this reference counting bug. **YES** drivers/hwmon/emc2305.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/drivers/hwmon/emc2305.c b/drivers/hwmon/emc2305.c index 84cb9b72cb6c2..ceae96c07ac45 100644 --- a/drivers/hwmon/emc2305.c +++ b/drivers/hwmon/emc2305.c @@ -593,10 +593,8 @@ static int emc2305_probe_childs_from_dt(struct device *dev) for_each_child_of_node(dev->of_node, child) { if (of_property_present(child, "reg")) { ret = emc2305_of_parse_pwm_child(dev, child, data); - if (ret) { - of_node_put(child); + if (ret) continue; - } count++; } } -- 2.51.0