iommu/of: Fix device node reference leak in of_iommu_get_resv_regions

[PATCH] iommu/of: Fix device node reference leak in of_iommu_get_resv_regions

Posted by Miaoqian Lin 3 months, 1 week ago

In of_iommu_get_resv_regions(), of_find_node_by_phandle() returns a device
node with its reference count incremented. The caller is responsible for
releasing this reference when the node is no longer needed.

Add a call to of_node_put() to release the reference after the usage.

Found via static analysis.

Fixes: a5bf3cfce8cb ("iommu: Implement of_iommu_get_resv_regions()")
Cc: stable@vger.kernel.org
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
---
 drivers/iommu/of_iommu.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/iommu/of_iommu.c b/drivers/iommu/of_iommu.c
index 6b989a62def2..02448da8ff90 100644
--- a/drivers/iommu/of_iommu.c
+++ b/drivers/iommu/of_iommu.c
@@ -256,6 +256,7 @@ void of_iommu_get_resv_regions(struct device *dev, struct list_head *list)
 				maps = of_translate_dma_region(np, maps, &iova, &length);
 				if (length == 0) {
 					dev_warn(dev, "Cannot reserve IOVA region of 0 size\n");
+					of_node_put(np);
 					continue;
 				}
 				type = iommu_resv_region_get_type(dev, &phys, iova, length);
@@ -265,6 +266,7 @@ void of_iommu_get_resv_regions(struct device *dev, struct list_head *list)
 				if (region)
 					list_add_tail(&region->list, list);
 			}
+			of_node_put(np);
 		}
 	}
 #endif
-- 
2.39.5 (Apple Git-154)

Re: [PATCH] iommu/of: Fix device node reference leak in of_iommu_get_resv_regions

Posted by Markus Elfring 3 months, 1 week ago

…
> Add a call to of_node_put() to release the reference after the usage.
…

How do you think about to use the attribute “__free(device_node)”?
https://elixir.bootlin.com/linux/v6.18-rc3/source/include/linux/of.h#L138
https://elixir.bootlin.com/linux/v6.18-rc3/source/drivers/iommu/of_iommu.c#L196-L271

Regards,
Markus

Re: [PATCH] iommu/of: Fix device node reference leak in of_iommu_get_resv_regions

Posted by Robin Murphy 3 months, 1 week ago

On 2025-10-28 6:36 am, Miaoqian Lin wrote:
> In of_iommu_get_resv_regions(), of_find_node_by_phandle() returns a device
> node with its reference count incremented. The caller is responsible for
> releasing this reference when the node is no longer needed.
> 
> Add a call to of_node_put() to release the reference after the usage.

Just put the reference immediately after getting it - this inner usage 
only happens if it's the same dev->of_node we're already using for the 
outer iteration, so we don't need to bother holding an extra reference 
as it can't suddenly disappear anyway (or even if it could, that's still 
not *this* code's problem...)

Thanks,
Robin.

> Found via static analysis.
> 
> Fixes: a5bf3cfce8cb ("iommu: Implement of_iommu_get_resv_regions()")
> Cc: stable@vger.kernel.org
> Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
> ---
>   drivers/iommu/of_iommu.c | 2 ++
>   1 file changed, 2 insertions(+)
> 
> diff --git a/drivers/iommu/of_iommu.c b/drivers/iommu/of_iommu.c
> index 6b989a62def2..02448da8ff90 100644
> --- a/drivers/iommu/of_iommu.c
> +++ b/drivers/iommu/of_iommu.c
> @@ -256,6 +256,7 @@ void of_iommu_get_resv_regions(struct device *dev, struct list_head *list)
>   				maps = of_translate_dma_region(np, maps, &iova, &length);
>   				if (length == 0) {
>   					dev_warn(dev, "Cannot reserve IOVA region of 0 size\n");
> +					of_node_put(np);
>   					continue;
>   				}
>   				type = iommu_resv_region_get_type(dev, &phys, iova, length);
> @@ -265,6 +266,7 @@ void of_iommu_get_resv_regions(struct device *dev, struct list_head *list)
>   				if (region)
>   					list_add_tail(&region->list, list);
>   			}
> +			of_node_put(np);
>   		}
>   	}
>   #endif