[PATCH] powerpc/powermac: Fix reference count leak in i2c probe functions

Miaoqian Lin posted 1 patch 3 months, 1 week ago
arch/powerpc/platforms/powermac/low_i2c.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
[PATCH] powerpc/powermac: Fix reference count leak in i2c probe functions
Posted by Miaoqian Lin 3 months, 1 week ago
The of_find_node_by_name() function returns a device tree node with its
reference count incremented. The caller is responsible for calling
of_node_put() to release this reference when done.

Fixes: 730745a5c450 ("[PATCH] 1/5 powerpc: Rework PowerMac i2c part 1")
Cc: stable@vger.kernel.org
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
---
 arch/powerpc/platforms/powermac/low_i2c.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/arch/powerpc/platforms/powermac/low_i2c.c b/arch/powerpc/platforms/powermac/low_i2c.c
index 02474e27df9b..f04dbb93bbfa 100644
--- a/arch/powerpc/platforms/powermac/low_i2c.c
+++ b/arch/powerpc/platforms/powermac/low_i2c.c
@@ -802,8 +802,10 @@ static void __init pmu_i2c_probe(void)
 	for (channel = 1; channel <= 2; channel++) {
 		sz = sizeof(struct pmac_i2c_bus) + sizeof(struct adb_request);
 		bus = kzalloc(sz, GFP_KERNEL);
-		if (bus == NULL)
+		if (bus == NULL) {
+			of_node_put(busnode);
 			return;
+		}
 
 		bus->controller = busnode;
 		bus->busnode = busnode;
@@ -928,6 +930,7 @@ static void __init smu_i2c_probe(void)
 		bus = kzalloc(sz, GFP_KERNEL);
 		if (bus == NULL) {
 			of_node_put(busnode);
+			of_node_put(controller);
 			return;
 		}
 
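Review bot: The added `of_node_put(controller)` is only correct if no bus registered before this allocation failure still points at `controller` through the same single reference, and nothing in the hunk shows that; smu_i2c_probe() starts and ends outside it. The neighbouring `of_node_put(busnode)` suggests this sits inside a child-node iteration, so a failure on a later child would presumably drop the reference that earlier, already-registered buses rely on. An unbalanced put is worse than the leak being fixed, since the node's count can reach zero while pointers to it remain, and with `Cc: stable` that would be backported. Consider giving each bus its own reference, e.g. `bus->controller = of_node_get(controller);`, and dropping the lookup reference exactly once on every exit path, including the normal end of the loop.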
-- 
2.39.5 (Apple Git-154)
Re: [PATCH] powerpc/powermac: Fix reference count leak in i2c probe functions
Posted by Christophe Leroy 2 months, 3 weeks ago

Le 27/10/2025 à 09:45, Miaoqian Lin a écrit :
> 
> The of_find_node_by_name() function returns a device tree node with its
> reference count incremented. The caller is responsible for calling
> of_node_put() to release this reference when done.
> 
> Fixes: 730745a5c450 ("[PATCH] 1/5 powerpc: Rework PowerMac i2c part 1")
> Cc: stable@vger.kernel.org
> Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
> ---
>   arch/powerpc/platforms/powermac/low_i2c.c | 5 ++++-
>   1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/arch/powerpc/platforms/powermac/low_i2c.c b/arch/powerpc/platforms/powermac/low_i2c.c
> index 02474e27df9b..f04dbb93bbfa 100644
> --- a/arch/powerpc/platforms/powermac/low_i2c.c
> +++ b/arch/powerpc/platforms/powermac/low_i2c.c
> @@ -802,8 +802,10 @@ static void __init pmu_i2c_probe(void)
>          for (channel = 1; channel <= 2; channel++) {
>                  sz = sizeof(struct pmac_i2c_bus) + sizeof(struct adb_request);
>                  bus = kzalloc(sz, GFP_KERNEL);
> -               if (bus == NULL)
> +               if (bus == NULL) {
> +                       of_node_put(busnode);

We are in a loop, what happens when kzalloc() succeeded in the first
iteration but not in a further iteration? In that case we have already
registered some bus which references busnode as bus->busnode so it just
can't be put.

>                          return;
> +               }
> 
>                  bus->controller = busnode;
>                  bus->busnode = busnode;
> @@ -928,6 +930,7 @@ static void __init smu_i2c_probe(void)
>                  bus = kzalloc(sz, GFP_KERNEL);
>                  if (bus == NULL) {
>                          of_node_put(busnode);
> +                       of_node_put(controller);
>                          return;
>                  }
> 
> --
> 2.39.5 (Apple Git-154)
> 
-- 
pw-bot: cr