drivers/base/property.c | 18 +++++++++++++++--- drivers/base/swnode.c | 14 +++++++------- 2 files changed, 22 insertions(+), 10 deletions(-)
This series fixes two issues in the fwnode child iteration logic when
a secondary fwnode is present.
The first patch addresses a refcount imbalance in
software_node_get_next_child(). When a software node is used as a
secondary fwnode, the iteration code may incorrectly decrement the
refcount of child nodes that do not belong to the software node
hierarchy. This results in refcount underflow and possible use-after-free.
The second patch fixes an infinite loop in
fwnode_for_each_child_node(), caused by improper handling of iteration
state across primary and secondary fwnodes. When iterating over children
from both primary and secondary fwnodes, the code may incorrectly
resume iteration from the primary fwnode even when the current child
belongs to the secondary, leading to repeated traversal and a loop.
Both issues are triggered when mixing different fwnode types through the
secondary mechanism, and stem from incorrect assumptions about ownership
and traversal context of child nodes.
---
Changes in v2:
- use __free() to cleanup parent fwnode
- Link to v1: https://lore.kernel.org/r/20260525-fixes_fwnode_iteration-v1-0-a12903fb2919@nxp.com
---
Xu Yang (2):
software node: fix refcount leak in software_node_get_next_child()
device property: fix infinite loop in fwnode_for_each_child_node()
drivers/base/property.c | 18 +++++++++++++++---
drivers/base/swnode.c | 14 +++++++-------
2 files changed, 22 insertions(+), 10 deletions(-)
---
base-commit: b7bee4ca5688e30ca50fbc87b1b8f7eed7006c17
change-id: 20260525-fixes_fwnode_iteration-baf62d861305
Best regards,
--
Xu Yang <xu.yang_2@nxp.com>
On Wed, Jun 03, 2026 at 04:44:30PM +0800, Xu Yang wrote: > This series fixes two issues in the fwnode child iteration logic when > a secondary fwnode is present. > > The first patch addresses a refcount imbalance in > software_node_get_next_child(). When a software node is used as a > secondary fwnode, the iteration code may incorrectly decrement the > refcount of child nodes that do not belong to the software node > hierarchy. This results in refcount underflow and possible use-after-free. > > The second patch fixes an infinite loop in > fwnode_for_each_child_node(), caused by improper handling of iteration > state across primary and secondary fwnodes. When iterating over children > from both primary and secondary fwnodes, the code may incorrectly > resume iteration from the primary fwnode even when the current child > belongs to the secondary, leading to repeated traversal and a loop. > > Both issues are triggered when mixing different fwnode types through the > secondary mechanism, and stem from incorrect assumptions about ownership > and traversal context of child nodes. Please, Cc Bart who is heavily working on software nodes these days. -- With Best Regards, Andy Shevchenko
On Wed, Jun 03, 2026 at 12:43:06PM +0300, Andy Shevchenko wrote: > On Wed, Jun 03, 2026 at 04:44:30PM +0800, Xu Yang wrote: > > This series fixes two issues in the fwnode child iteration logic when > > a secondary fwnode is present. > > > > The first patch addresses a refcount imbalance in > > software_node_get_next_child(). When a software node is used as a > > secondary fwnode, the iteration code may incorrectly decrement the > > refcount of child nodes that do not belong to the software node > > hierarchy. This results in refcount underflow and possible use-after-free. > > > > The second patch fixes an infinite loop in > > fwnode_for_each_child_node(), caused by improper handling of iteration > > state across primary and secondary fwnodes. When iterating over children > > from both primary and secondary fwnodes, the code may incorrectly > > resume iteration from the primary fwnode even when the current child > > belongs to the secondary, leading to repeated traversal and a loop. > > > > Both issues are triggered when mixing different fwnode types through the > > secondary mechanism, and stem from incorrect assumptions about ownership > > and traversal context of child nodes. > > Please, Cc Bart who is heavily working on software nodes these days. Ah, the Cc list is generated by B4. Will Cc Bart in the future. Thanks, Xu Yang
On Thu, 4 Jun 2026 12:58:41 +0200, Xu Yang <xu.yang_2@oss.nxp.com> said: > On Wed, Jun 03, 2026 at 12:43:06PM +0300, Andy Shevchenko wrote: >> On Wed, Jun 03, 2026 at 04:44:30PM +0800, Xu Yang wrote: >> > This series fixes two issues in the fwnode child iteration logic when >> > a secondary fwnode is present. >> > >> > The first patch addresses a refcount imbalance in >> > software_node_get_next_child(). When a software node is used as a >> > secondary fwnode, the iteration code may incorrectly decrement the >> > refcount of child nodes that do not belong to the software node >> > hierarchy. This results in refcount underflow and possible use-after-free. >> > >> > The second patch fixes an infinite loop in >> > fwnode_for_each_child_node(), caused by improper handling of iteration >> > state across primary and secondary fwnodes. When iterating over children >> > from both primary and secondary fwnodes, the code may incorrectly >> > resume iteration from the primary fwnode even when the current child >> > belongs to the secondary, leading to repeated traversal and a loop. >> > >> > Both issues are triggered when mixing different fwnode types through the >> > secondary mechanism, and stem from incorrect assumptions about ownership >> > and traversal context of child nodes. >> >> Please, Cc Bart who is heavily working on software nodes these days. > Should I propose myself as reviewer? We can't demand people to Cc random addresses otherwise. Bart
On Thu, Jun 04, 2026 at 06:38:50AM -0700, Bartosz Golaszewski wrote: > On Thu, 4 Jun 2026 12:58:41 +0200, Xu Yang <xu.yang_2@oss.nxp.com> said: > > On Wed, Jun 03, 2026 at 12:43:06PM +0300, Andy Shevchenko wrote: > >> On Wed, Jun 03, 2026 at 04:44:30PM +0800, Xu Yang wrote: > >> > This series fixes two issues in the fwnode child iteration logic when > >> > a secondary fwnode is present. > >> > > >> > The first patch addresses a refcount imbalance in > >> > software_node_get_next_child(). When a software node is used as a > >> > secondary fwnode, the iteration code may incorrectly decrement the > >> > refcount of child nodes that do not belong to the software node > >> > hierarchy. This results in refcount underflow and possible use-after-free. > >> > > >> > The second patch fixes an infinite loop in > >> > fwnode_for_each_child_node(), caused by improper handling of iteration > >> > state across primary and secondary fwnodes. When iterating over children > >> > from both primary and secondary fwnodes, the code may incorrectly > >> > resume iteration from the primary fwnode even when the current child > >> > belongs to the secondary, leading to repeated traversal and a loop. > >> > > >> > Both issues are triggered when mixing different fwnode types through the > >> > secondary mechanism, and stem from incorrect assumptions about ownership > >> > and traversal context of child nodes. > >> > >> Please, Cc Bart who is heavily working on software nodes these days. > > Should I propose myself as reviewer? We can't demand people to Cc random > addresses otherwise. If you are interested, I welcome this decision, although I don't know what maintainers and other peers (current reviewers) think of it. Send a patch and prepare for any type of responses :-) Mine will be positive for sure. -- With Best Regards, Andy Shevchenko
© 2016 - 2026 Red Hat, Inc.