From nobody Fri Dec 19 16:01:15 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 96A37C04A95 for ; Sat, 22 Oct 2022 08:07:44 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232967AbiJVIHn (ORCPT ); Sat, 22 Oct 2022 04:07:43 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56074 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232493AbiJVIDW (ORCPT ); Sat, 22 Oct 2022 04:03:22 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 84F37152026; Sat, 22 Oct 2022 00:51:14 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id ADD69B82E18; Sat, 22 Oct 2022 07:50:55 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 23A95C433C1; Sat, 22 Oct 2022 07:50:53 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1666425054; bh=c/IdW/mBpyQMgYTrCHuboL6q7PPhJdh3DFEoIvN0a1c=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=y14zJNrrt4ebpDbaeuFYMrc3wGK51fGNnydqAwd6h4fOdEshlyq33yhiZoqCewxUo FvbgAKx5C00qOTHnha24zw/JZvl+h5J241MoZ1X/HQNgVbGxf6n7/jeIaSQdWLC+Gv tHztABVnWD80uM8xjqXMnjCXLFYt+YT3fdRi9bWY= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, =?UTF-8?q?Nuno=20S=C3=A1?= , Jonathan Cameron , Sasha Levin Subject: [PATCH 5.19 375/717] iio: inkern: only release the device node when done with it Date: Sat, 22 Oct 2022 09:24:14 +0200 Message-Id: <20221022072513.751398027@linuxfoundation.org> X-Mailer: git-send-email 2.38.1 In-Reply-To: <20221022072415.034382448@linuxfoundation.org> References: <20221022072415.034382448@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Nuno S=C3=A1 [ Upstream commit 79c3e84874c7d14f04ad58313b64955a0d2e9437 ] 'of_node_put()' can potentially release the memory pointed to by 'iiospec.np' which would leave us with an invalid pointer (and we would still pass it in 'of_xlate()'). Note that it is not guaranteed for the of_node lifespan to be attached to the device (to which is attached) lifespan so that there is (even though very unlikely) the possibility for the node to be freed while the device is still around. Thus, as there are indeed some of_xlate users which do access the node, a race is indeed possible. As such, we can only release the node after we are done with it. Fixes: 17d82b47a215d ("iio: Add OF support") Signed-off-by: Nuno S=C3=A1 Link: https://lore.kernel.org/r/20220715122903.332535-2-nuno.sa@analog.com Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin --- drivers/iio/inkern.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/iio/inkern.c b/drivers/iio/inkern.c index df74765d33dc..9d87057794fc 100644 --- a/drivers/iio/inkern.c +++ b/drivers/iio/inkern.c @@ -165,9 +165,10 @@ static int __of_iio_channel_get(struct iio_channel *ch= annel, =20 idev =3D bus_find_device(&iio_bus_type, NULL, iiospec.np, iio_dev_node_match); - of_node_put(iiospec.np); - if (idev =3D=3D NULL) + if (idev =3D=3D NULL) { + of_node_put(iiospec.np); return -EPROBE_DEFER; + } =20 indio_dev =3D dev_to_iio_dev(idev); channel->indio_dev =3D indio_dev; @@ -175,6 +176,7 @@ static int __of_iio_channel_get(struct iio_channel *cha= nnel, index =3D indio_dev->info->of_xlate(indio_dev, &iiospec); else index =3D __of_iio_simple_xlate(indio_dev, &iiospec); + of_node_put(iiospec.np); if (index < 0) goto err_put; channel->channel =3D &indio_dev->channels[index]; --=20 2.35.1