[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAL_JsqL6qFDC5uC_0PgyM_8OVEwFq+o=gPk2=PRKBDTp9XTzOw@mail.gmail.com>
Date: Tue, 28 Feb 2023 15:01:29 -0600
From: Rob Herring <robh+dt@...nel.org>
To: Saravana Kannan <saravanak@...gle.com>
Cc: jjhiblot@...phandler.com, frowand.list@...il.com,
gregkh@...uxfoundation.org, devicetree@...r.kernel.org,
linux-kernel@...r.kernel.org, Marc Zyngier <maz@...nel.org>
Subject: Re: [PATCH] of: property: Add missing of_node_get() in parse_interrupt()
On Tue, Feb 28, 2023 at 1:07 PM Saravana Kannan <saravanak@...gle.com> wrote:
>
> On Tue, Feb 28, 2023 at 9:40 AM Jean-Jacques Hiblot
> <jjhiblot@...phandler.com> wrote:
> >
> > From: Jean Jacques Hiblot <jjhiblot@...phandler.com>
> >
> > As all the other parsers do, parse_interrupt() must increase the refcount
> > of the device_node. Otherwise the refcount is decremented every time
> > parse_interrupt() is called on this node, leading to a potential
> > use-after-free.
> >
> > This is a regression introduced by commit f265f06af194 ("of: property:
> > Fix fw_devlink handling of interrupts/interrupts-extended"). The reason is
> > that of_irq_parse_one() does not increase the refcount while the previously
> > used of_irq_find_parent() does.
>
> Thanks for catching the issue Jean!
>
> This feels like a bug in of_irq_parse_one() to me. It's returning a
> reference to a node without doing a of_node_get() on it.
>
> Rob, Marc, Do you agree?
I think you are right. If we look at the 'interrupts-extended' path,
it just calls of_parse_phandle_with_args() which does a get.
> Jean,
>
> If they agree, can you please fix of_irq_parse_one() and add a
> of_node_put() to existing callers (if they aren't already doing a
> put()).
I think it is not that simple. The correct thing for callers may also
be to hold the ref. We wouldn't want to just blindly do a put that is
clearly wrong just to keep current behavior. But not having the put
means we're leaking refcounts as calling the APIs originally had no
side effect. For example, IIRC, of_irq_get() is called again on each
deferred probe. There is no of_irq_put() because Linux IRQ numbers
aren't (or weren't?) refcounted.
Really, I'd like to get rid of exposing of_irq_parse_one() in the first place.
Rob
Powered by blists - more mailing lists