[PATCH v3 0/2] device property: fix child iteration issues with secondary fwnodes

Xu Yang posted 2 patches 2 days, 19 hours ago
drivers/base/property.c                 |  18 ++++-
drivers/base/test/Kconfig               |   1 +
drivers/base/test/property-entry-test.c | 136 ++++++++++++++++++++++++++++++++
3 files changed, 152 insertions(+), 3 deletions(-)
Posted by Xu Yang 2 days, 19 hours ago
This series fixes two issues in the fwnode child iteration logic when
a secondary fwnode is present.

The first issue is a refcount imbalance in software_node_get_next_child().
When a software node is used as a secondary fwnode, the iteration code may
incorrectly decrement the refcount of child nodes that do not belong to the
software node hierarchy. This results in refcount underflow and possible
use-after-free.

The second issue is an infinite loop in fwnode_for_each_child_node(), caused
by improper handling of iteration state across primary and secondary fwnodes.
When iterating over children from both primary and secondary fwnodes, the code
may incorrectly resume iteration from the primary fwnode even when the current
child belongs to the secondary, leading to repeated traversal and a loop.

Both issues are triggered when mixing different fwnode types through the
secondary mechanism, and stem from incorrect assumptions about ownership
and traversal context of child nodes.

---
Changes in v3:
- remove software node patch 
- add a kunit test case suggested by Andy Shevchenko
- Link to v2: https://patch.msgid.link/20260603-fixes_fwnode_iteration-v2-0-0ae381f8b7b9@nxp.com

Changes in v2:
- use __free() to cleanup parent fwnode
- Link to v1: https://lore.kernel.org/r/20260525-fixes_fwnode_iteration-v1-0-a12903fb2919@nxp.com

To: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
To: Daniel Scally <djrscally@gmail.com>
To: Heikki Krogerus <heikki.krogerus@linux.intel.com>
To: Sakari Ailus <sakari.ailus@linux.intel.com>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: "Rafael J. Wysocki" <rafael@kernel.org>
To: Danilo Krummrich <dakr@kernel.org>
Cc: linux-acpi@vger.kernel.org
Cc: driver-core@lists.linux.dev
Cc: linux-kernel@vger.kernel.org

---
Xu Yang (2):
      device property: fix infinite loop in fwnode_for_each_child_node()
      drivers: base: test: add test cases for fwnode_for_each_child_node()

 drivers/base/property.c                 |  18 ++++-
 drivers/base/test/Kconfig               |   1 +
 drivers/base/test/property-entry-test.c | 136 ++++++++++++++++++++++++++++++++
 3 files changed, 152 insertions(+), 3 deletions(-)
---
base-commit: b7bee4ca5688e30ca50fbc87b1b8f7eed7006c17
change-id: 20260525-fixes_fwnode_iteration-baf62d861305

Best regards,
--  
Xu Yang <xu.yang_2@nxp.com>
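
A user-space model of the infinite loop described in the cover letter above, added here as an illustration; it is not code from this series or from drivers/base/property.c. `struct node`, `next_own_child()` and both iterators are hypothetical names, refcounting is left out, and the "restart when `prev` is foreign" behaviour is an assumption of the model.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy stand-in for a firmware node; not the kernel's struct fwnode_handle. */
struct node { struct node *parent, *secondary, *kids[2]; int nkids; };
typedef struct node *(*next_fn)(struct node *, struct node *);

/* Per-hierarchy iterator. Assumption of this model: a prev that is not
 * one of p's children is treated like NULL, so the walk restarts. */
static struct node *next_own_child(struct node *p, struct node *prev)
{
    if (!p || !p->nkids) return NULL;
    if (!prev || prev->parent != p) return p->kids[0];
    for (int i = 0; i + 1 < p->nkids; i++)
        if (p->kids[i] == prev) return p->kids[i + 1];
    return NULL;
}

/* Always asks the primary first, even when prev came from the secondary. */
static struct node *next_child_naive(struct node *p, struct node *prev)
{
    struct node *n = next_own_child(p, prev);
    return n ? n : next_own_child(p->secondary, prev);
}

/* Resumes in the hierarchy that owns prev (one possible check, hypothetical). */
static struct node *next_child_checked(struct node *p, struct node *prev)
{
    struct node *n;
    if (prev && p->secondary && prev->parent == p->secondary)
        return next_own_child(p->secondary, prev);
    n = next_own_child(p, prev);
    return n ? n : next_own_child(p->secondary, NULL);
}

/* Walk a primary with 2 children plus a secondary with 1; stop after cap steps. */
static int walk(next_fn next, int cap)
{
    struct node pri = {0}, sec = {0}, p0 = {&pri}, p1 = {&pri}, s0 = {&sec};
    struct node *c = NULL;
    int n = 0;
    pri.kids[0] = &p0; pri.kids[1] = &p1; pri.nkids = 2; pri.secondary = &sec;
    sec.kids[0] = &s0; sec.nkids = 1;
    while (n < cap && (c = next(&pri, c))) n++;
    return n;
}

int main(void)
{
    printf("naive: %d steps (cap 100), checked: %d\n",
           walk(next_child_naive, 100), walk(next_child_checked, 100));
    return 0;
}
```

The naive walk only stops because of the step cap: once it hands back the secondary's child, the next call restarts at the primary's first child.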
Re: [PATCH v3 0/2] device property: fix child iteration issues with secondary fwnodes
Posted by Andy Shevchenko 2 days, 14 hours ago
On Fri, Jun 05, 2026 at 06:31:16PM +0800, Xu Yang wrote:
> This series fixes two issues in the fwnode child iteration logic when
> a secondary fwnode is present.
> 
> The first issue is a refcount imbalance in software_node_get_next_child().
> When a software node is used as a secondary fwnode, the iteration code may
> incorrectly decrement the refcount of child nodes that do not belong to the
> software node hierarchy. This results in refcount underflow and possible
> use-after-free.
> 
> The second issue is an infinite loop in fwnode_for_each_child_node(), caused
> by improper handling of iteration state across primary and secondary fwnodes.
> When iterating over children from both primary and secondary fwnodes, the code
> may incorrectly resume iteration from the primary fwnode even when the current
> child belongs to the secondary, leading to repeated traversal and a loop.
> 
> Both issues are triggered when mixing different fwnode types through the
> secondary mechanism, and stem from incorrect assumptions about ownership
> and traversal context of child nodes.

> ---
> Changes in v3:
> - remove software node patch 

Hmm... Maybe I was unclear. My question was to investigate the way to actually
move software node to use the swnode APIs (and not fwnode ones) and be on par
with what OF code does. This series does the opposite and adds a hack to the
next_child implementation.

> - add a kunit test case suggested by Andy Shevchenko

But thanks for the test case!

-- 
With Best Regards,
Andy Shevchenko
Re: [PATCH v3 0/2] device property: fix child iteration issues with secondary fwnodes
Posted by Andy Shevchenko 2 days, 13 hours ago
On Fri, Jun 05, 2026 at 06:07:41PM +0300, Andy Shevchenko wrote:
> On Fri, Jun 05, 2026 at 06:31:16PM +0800, Xu Yang wrote:
> > This series fixes two issues in the fwnode child iteration logic when
> > a secondary fwnode is present.
> > 
> > The first issue is a refcount imbalance in software_node_get_next_child().
> > When a software node is used as a secondary fwnode, the iteration code may
> > incorrectly decrement the refcount of child nodes that do not belong to the
> > software node hierarchy. This results in refcount underflow and possible
> > use-after-free.
> > 
> > The second issue is an infinite loop in fwnode_for_each_child_node(), caused
> > by improper handling of iteration state across primary and secondary fwnodes.
> > When iterating over children from both primary and secondary fwnodes, the code
> > may incorrectly resume iteration from the primary fwnode even when the current
> > child belongs to the secondary, leading to repeated traversal and a loop.
> > 
> > Both issues are triggered when mixing different fwnode types through the
> > secondary mechanism, and stem from incorrect assumptions about ownership
> > and traversal context of child nodes.
> 
> > ---
> > Changes in v3:
> > - remove software node patch 
> 
> Hmm... Maybe I was unclear. My question was to investigate the way to actually
> move software node to use the swnode APIs (and not fwnode ones) and be on par
> with what OF code does. This series does the opposite and adds a hack to the
> next_child implementation.
> 
> > - add a kunit test case suggested by Andy Shevchenko
> 
> But thanks for the test case!

I'm preparing another patch (just a clean up) and I see that your test cases
indeed fail without any other patch being applied. Also noticed that the test
cases are not fully compliant with the requirement of the "primary"/"secondary"
fwnode flavours. But this doesn't affect the execution.

I will play more with this to understand the problem better.

-- 
With Best Regards,
Andy Shevchenko
Re: [PATCH v3 0/2] device property: fix child iteration issues with secondary fwnodes
Posted by Xu Yang 2 hours ago
On Fri, Jun 05, 2026 at 06:52:49PM +0300, Andy Shevchenko wrote:
> On Fri, Jun 05, 2026 at 06:07:41PM +0300, Andy Shevchenko wrote:
> > On Fri, Jun 05, 2026 at 06:31:16PM +0800, Xu Yang wrote:
> > > This series fixes two issues in the fwnode child iteration logic when
> > > a secondary fwnode is present.
> > > 
> > > The first issue is a refcount imbalance in software_node_get_next_child().
> > > When a software node is used as a secondary fwnode, the iteration code may
> > > incorrectly decrement the refcount of child nodes that do not belong to the
> > > software node hierarchy. This results in refcount underflow and possible
> > > use-after-free.
> > > 
> > > The second issue is an infinite loop in fwnode_for_each_child_node(), caused
> > > by improper handling of iteration state across primary and secondary fwnodes.
> > > When iterating over children from both primary and secondary fwnodes, the code
> > > may incorrectly resume iteration from the primary fwnode even when the current
> > > child belongs to the secondary, leading to repeated traversal and a loop.
> > > 
> > > Both issues are triggered when mixing different fwnode types through the
> > > secondary mechanism, and stem from incorrect assumptions about ownership
> > > and traversal context of child nodes.
> > 
> > > ---
> > > Changes in v3:
> > > - remove software node patch 
> > 
> > Hmm... Maybe I was unclear. My question was to investigate the way to actually
> > move software node to use the swnode APIs (and not fwnode ones) and be on par
> > with what OF code does. This series does the opposite and adds a hack to the
> > next_child implementation.
> > 
> > > - add a kunit test case suggested by Andy Shevchenko
> > 
> > But thanks for the test case!
> 
> I'm preparing another patch (just a clean up) and I see that your test cases
> indeed fail without any other patch being applied. Also noticed that the test
> cases are not fully compliant with the requirement of the "primary"/"secondary"
> fwnode flavours. But this doesn't affect the execution.
> 
> I will play more with this to understand the problem better.

OK. Suggestions on the fwnode flavours would be appreciated :)

Thanks,
Xu Yang