diff mbox series

[4/9] i2c: qcom-cci: don't put a device tree node before i2c_add_adapter()

Message ID 20220203164703.1712006-1-vladimir.zapolskiy@linaro.org
State Accepted
Commit 02a4a69667a2ad32f3b52ca906f19628fbdd8a01
Headers show
Series i2c: qcom-cci: fixes and updates | expand

Commit Message

Vladimir Zapolskiy Feb. 3, 2022, 4:47 p.m. UTC
There is a minor chance for a race, if a pointer to an i2c-bus subnode
is stored and then reused after releasing its reference, and it would
be sufficient to get one more reference under a loop over children
subnodes.

Fixes: e517526195de ("i2c: Add Qualcomm CCI I2C driver")
Signed-off-by: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
---
 drivers/i2c/busses/i2c-qcom-cci.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

Comments

Robert Foss Feb. 4, 2022, 10:17 a.m. UTC | #1
On Thu, 3 Feb 2022 at 17:47, Vladimir Zapolskiy
<vladimir.zapolskiy@linaro.org> wrote:
>
> There is a minor chance for a race, if a pointer to an i2c-bus subnode
> is stored and then reused after releasing its reference, and it would
> be sufficient to get one more reference under a loop over children
> subnodes.
>
> Fixes: e517526195de ("i2c: Add Qualcomm CCI I2C driver")
> Signed-off-by: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
> ---
>  drivers/i2c/busses/i2c-qcom-cci.c | 14 ++++++++++----
>  1 file changed, 10 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/i2c/busses/i2c-qcom-cci.c b/drivers/i2c/busses/i2c-qcom-cci.c
> index fd4260d18577..cf54f1cb4c57 100644
> --- a/drivers/i2c/busses/i2c-qcom-cci.c
> +++ b/drivers/i2c/busses/i2c-qcom-cci.c
> @@ -558,7 +558,7 @@ static int cci_probe(struct platform_device *pdev)
>                 cci->master[idx].adap.quirks = &cci->data->quirks;
>                 cci->master[idx].adap.algo = &cci_algo;
>                 cci->master[idx].adap.dev.parent = dev;
> -               cci->master[idx].adap.dev.of_node = child;
> +               cci->master[idx].adap.dev.of_node = of_node_get(child);
>                 cci->master[idx].master = idx;
>                 cci->master[idx].cci = cci;
>
> @@ -643,8 +643,10 @@ static int cci_probe(struct platform_device *pdev)
>                         continue;
>
>                 ret = i2c_add_adapter(&cci->master[i].adap);
> -               if (ret < 0)
> +               if (ret < 0) {
> +                       of_node_put(cci->master[i].adap.dev.of_node);
>                         goto error_i2c;
> +               }
>         }
>
>         pm_runtime_set_autosuspend_delay(dev, MSEC_PER_SEC);
> @@ -656,8 +658,10 @@ static int cci_probe(struct platform_device *pdev)
>
>  error_i2c:
>         for (--i ; i >= 0; i--) {
> -               if (cci->master[i].cci)
> +               if (cci->master[i].cci) {
>                         i2c_del_adapter(&cci->master[i].adap);
> +                       of_node_put(cci->master[i].adap.dev.of_node);
> +               }
>         }
>  error:
>         disable_irq(cci->irq);
> @@ -673,8 +677,10 @@ static int cci_remove(struct platform_device *pdev)
>         int i;
>
>         for (i = 0; i < cci->data->num_masters; i++) {
> -               if (cci->master[i].cci)
> +               if (cci->master[i].cci) {
>                         i2c_del_adapter(&cci->master[i].adap);
> +                       of_node_put(cci->master[i].adap.dev.of_node);
> +               }
>                 cci_halt(cci, i);
>         }
>
> --
> 2.33.0
>

Reviewed-by: Robert Foss <robert.foss@linaro.org>
Bjorn Andersson Feb. 4, 2022, 6:11 p.m. UTC | #2
On Thu 03 Feb 08:47 PST 2022, Vladimir Zapolskiy wrote:

> There is a minor chance for a race, if a pointer to an i2c-bus subnode
> is stored and then reused after releasing its reference, and it would
> be sufficient to get one more reference under a loop over children
> subnodes.
> 
> Fixes: e517526195de ("i2c: Add Qualcomm CCI I2C driver")
> Signed-off-by: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>

Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>

Regards,
Bjorn

> ---
>  drivers/i2c/busses/i2c-qcom-cci.c | 14 ++++++++++----
>  1 file changed, 10 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/i2c/busses/i2c-qcom-cci.c b/drivers/i2c/busses/i2c-qcom-cci.c
> index fd4260d18577..cf54f1cb4c57 100644
> --- a/drivers/i2c/busses/i2c-qcom-cci.c
> +++ b/drivers/i2c/busses/i2c-qcom-cci.c
> @@ -558,7 +558,7 @@ static int cci_probe(struct platform_device *pdev)
>  		cci->master[idx].adap.quirks = &cci->data->quirks;
>  		cci->master[idx].adap.algo = &cci_algo;
>  		cci->master[idx].adap.dev.parent = dev;
> -		cci->master[idx].adap.dev.of_node = child;
> +		cci->master[idx].adap.dev.of_node = of_node_get(child);
>  		cci->master[idx].master = idx;
>  		cci->master[idx].cci = cci;
>  
> @@ -643,8 +643,10 @@ static int cci_probe(struct platform_device *pdev)
>  			continue;
>  
>  		ret = i2c_add_adapter(&cci->master[i].adap);
> -		if (ret < 0)
> +		if (ret < 0) {
> +			of_node_put(cci->master[i].adap.dev.of_node);
>  			goto error_i2c;
> +		}
>  	}
>  
>  	pm_runtime_set_autosuspend_delay(dev, MSEC_PER_SEC);
> @@ -656,8 +658,10 @@ static int cci_probe(struct platform_device *pdev)
>  
>  error_i2c:
>  	for (--i ; i >= 0; i--) {
> -		if (cci->master[i].cci)
> +		if (cci->master[i].cci) {
>  			i2c_del_adapter(&cci->master[i].adap);
> +			of_node_put(cci->master[i].adap.dev.of_node);
> +		}
>  	}
>  error:
>  	disable_irq(cci->irq);
> @@ -673,8 +677,10 @@ static int cci_remove(struct platform_device *pdev)
>  	int i;
>  
>  	for (i = 0; i < cci->data->num_masters; i++) {
> -		if (cci->master[i].cci)
> +		if (cci->master[i].cci) {
>  			i2c_del_adapter(&cci->master[i].adap);
> +			of_node_put(cci->master[i].adap.dev.of_node);
> +		}
>  		cci_halt(cci, i);
>  	}
>  
> -- 
> 2.33.0
>
Wolfram Sang Feb. 11, 2022, 5:44 p.m. UTC | #3
On Thu, Feb 03, 2022 at 06:47:03PM +0200, Vladimir Zapolskiy wrote:
> There is a minor chance for a race, if a pointer to an i2c-bus subnode
> is stored and then reused after releasing its reference, and it would
> be sufficient to get one more reference under a loop over children
> subnodes.
> 
> Fixes: e517526195de ("i2c: Add Qualcomm CCI I2C driver")
> Signed-off-by: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>

Applied to for-current, thanks!
diff mbox series

Patch

diff --git a/drivers/i2c/busses/i2c-qcom-cci.c b/drivers/i2c/busses/i2c-qcom-cci.c
index fd4260d18577..cf54f1cb4c57 100644
--- a/drivers/i2c/busses/i2c-qcom-cci.c
+++ b/drivers/i2c/busses/i2c-qcom-cci.c
@@ -558,7 +558,7 @@  static int cci_probe(struct platform_device *pdev)
 		cci->master[idx].adap.quirks = &cci->data->quirks;
 		cci->master[idx].adap.algo = &cci_algo;
 		cci->master[idx].adap.dev.parent = dev;
-		cci->master[idx].adap.dev.of_node = child;
+		cci->master[idx].adap.dev.of_node = of_node_get(child);
 		cci->master[idx].master = idx;
 		cci->master[idx].cci = cci;
 
@@ -643,8 +643,10 @@  static int cci_probe(struct platform_device *pdev)
 			continue;
 
 		ret = i2c_add_adapter(&cci->master[i].adap);
-		if (ret < 0)
+		if (ret < 0) {
+			of_node_put(cci->master[i].adap.dev.of_node);
 			goto error_i2c;
+		}
 	}
 
 	pm_runtime_set_autosuspend_delay(dev, MSEC_PER_SEC);
@@ -656,8 +658,10 @@  static int cci_probe(struct platform_device *pdev)
 
 error_i2c:
 	for (--i ; i >= 0; i--) {
-		if (cci->master[i].cci)
+		if (cci->master[i].cci) {
 			i2c_del_adapter(&cci->master[i].adap);
+			of_node_put(cci->master[i].adap.dev.of_node);
+		}
 	}
 error:
 	disable_irq(cci->irq);
@@ -673,8 +677,10 @@  static int cci_remove(struct platform_device *pdev)
 	int i;
 
 	for (i = 0; i < cci->data->num_masters; i++) {
-		if (cci->master[i].cci)
+		if (cci->master[i].cci) {
 			i2c_del_adapter(&cci->master[i].adap);
+			of_node_put(cci->master[i].adap.dev.of_node);
+		}
 		cci_halt(cci, i);
 	}