From: Zijun Hu <quic_zijuhu@quicinc.com>

_of_phy_get() will directly return when suffers of_device_is_compatible()
error, but it forgets to decrease refcount of OF node @args.np before error
return, the refcount was increased by previous of_parse_phandle_with_args()
so causes the OF node's refcount leakage.

Fix by decreasing the refcount via of_node_put() before the error return.

Fixes: b7563e2796f8 ("phy: work around 'phys' references to usb-nop-xceiv devices")
Cc: stable@vger.kernel.org
Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
---
 drivers/phy/phy-core.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/drivers/phy/phy-core.c b/drivers/phy/phy-core.c
index 52ca590a58b9..3127c5d9c637 100644
--- a/drivers/phy/phy-core.c
+++ b/drivers/phy/phy-core.c
@@ -624,13 +624,15 @@ static struct phy *_of_phy_get(struct device_node *np, int index)
 	struct of_phandle_args args;
 
 	ret = of_parse_phandle_with_args(np, "phys", "#phy-cells",
-		index, &args);
+					 index, &args);
 	if (ret)
 		return ERR_PTR(-ENODEV);
 
 	/* This phy type handled by the usb-phy subsystem for now */
-	if (of_device_is_compatible(args.np, "usb-nop-xceiv"))
-		return ERR_PTR(-ENODEV);
+	if (of_device_is_compatible(args.np, "usb-nop-xceiv")) {
+		phy = ERR_PTR(-ENODEV);
+		goto out_put_node;
+	}
 
 	mutex_lock(&phy_provider_mutex);
 	phy_provider = of_phy_provider_lookup(args.np);
@@ -652,6 +654,7 @@ static struct phy *_of_phy_get(struct device_node *np, int index)
 
 out_unlock:
 	mutex_unlock(&phy_provider_mutex);
+out_put_node:
 	of_node_put(args.np);
 
 	return phy;

-- 
2.34.1

On Sat, Nov 02, 2024 at 11:53:46AM +0800, Zijun Hu wrote:
> From: Zijun Hu <quic_zijuhu@quicinc.com>
> 
> _of_phy_get() will directly return when suffers of_device_is_compatible()
> error, but it forgets to decrease refcount of OF node @args.np before error
> return, the refcount was increased by previous of_parse_phandle_with_args()
> so causes the OF node's refcount leakage.
> 
> Fix by decreasing the refcount via of_node_put() before the error return.
> 
> Fixes: b7563e2796f8 ("phy: work around 'phys' references to usb-nop-xceiv devices")
> Cc: stable@vger.kernel.org
> Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
> ---
>  drivers/phy/phy-core.c | 9 ++++++---
>  1 file changed, 6 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/phy/phy-core.c b/drivers/phy/phy-core.c
> index 52ca590a58b9..3127c5d9c637 100644
> --- a/drivers/phy/phy-core.c
> +++ b/drivers/phy/phy-core.c
> @@ -624,13 +624,15 @@ static struct phy *_of_phy_get(struct device_node *np, int index)
>  	struct of_phandle_args args;
>  
>  	ret = of_parse_phandle_with_args(np, "phys", "#phy-cells",
> -		index, &args);
> +					 index, &args);

This is an unrelated change which do not belong in this patch (and even
more so as it is a fix that is marked for backporting).

>  	if (ret)
>  		return ERR_PTR(-ENODEV);
>  
>  	/* This phy type handled by the usb-phy subsystem for now */
> -	if (of_device_is_compatible(args.np, "usb-nop-xceiv"))
> -		return ERR_PTR(-ENODEV);
> +	if (of_device_is_compatible(args.np, "usb-nop-xceiv")) {
> +		phy = ERR_PTR(-ENODEV);
> +		goto out_put_node;
> +	}
>  
>  	mutex_lock(&phy_provider_mutex);
>  	phy_provider = of_phy_provider_lookup(args.np);
> @@ -652,6 +654,7 @@ static struct phy *_of_phy_get(struct device_node *np, int index)
>  
>  out_unlock:
>  	mutex_unlock(&phy_provider_mutex);
> +out_put_node:
>  	of_node_put(args.np);
>  
>  	return phy;A

With the above fixed:

Reviewed-by: Johan Hovold <johan+linaro@kernel.org>

On 2024/11/6 01:20, Johan Hovold wrote:
> On Sat, Nov 02, 2024 at 11:53:46AM +0800, Zijun Hu wrote:
>> From: Zijun Hu <quic_zijuhu@quicinc.com>
>>
>> _of_phy_get() will directly return when suffers of_device_is_compatible()
>> error, but it forgets to decrease refcount of OF node @args.np before error
>> return, the refcount was increased by previous of_parse_phandle_with_args()
>> so causes the OF node's refcount leakage.
>>
>> Fix by decreasing the refcount via of_node_put() before the error return.
>>
>> Fixes: b7563e2796f8 ("phy: work around 'phys' references to usb-nop-xceiv devices")
>> Cc: stable@vger.kernel.org
>> Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
>> ---
>>  drivers/phy/phy-core.c | 9 ++++++---
>>  1 file changed, 6 insertions(+), 3 deletions(-)
>>
>> diff --git a/drivers/phy/phy-core.c b/drivers/phy/phy-core.c
>> index 52ca590a58b9..3127c5d9c637 100644
>> --- a/drivers/phy/phy-core.c
>> +++ b/drivers/phy/phy-core.c
>> @@ -624,13 +624,15 @@ static struct phy *_of_phy_get(struct device_node *np, int index)
>>  	struct of_phandle_args args;
>>  
>>  	ret = of_parse_phandle_with_args(np, "phys", "#phy-cells",
>> -		index, &args);
>> +					 index, &args);
> 
> This is an unrelated change which do not belong in this patch (and even
> more so as it is a fix that is marked for backporting).
> 

make sense.
will remove it for next revision. (^^)

>>  	if (ret)
>>  		return ERR_PTR(-ENODEV);
>>  
>>  	/* This phy type handled by the usb-phy subsystem for now */
>> -	if (of_device_is_compatible(args.np, "usb-nop-xceiv"))
>> -		return ERR_PTR(-ENODEV);
>> +	if (of_device_is_compatible(args.np, "usb-nop-xceiv")) {
>> +		phy = ERR_PTR(-ENODEV);
>> +		goto out_put_node;
>> +	}
>>  
>>  	mutex_lock(&phy_provider_mutex);
>>  	phy_provider = of_phy_provider_lookup(args.np);
>> @@ -652,6 +654,7 @@ static struct phy *_of_phy_get(struct device_node *np, int index)
>>  
>>  out_unlock:
>>  	mutex_unlock(&phy_provider_mutex);
>> +out_put_node:
>>  	of_node_put(args.np);
>>  
>>  	return phy;A
> 
> With the above fixed:
> 
> Reviewed-by: Johan Hovold <johan+linaro@kernel.org>