On 12/14/18 2:47 PM, Frank Rowand wrote: > On 12/14/18 9:15 AM, Rob Herring wrote: >> On Fri, Dec 14, 2018 at 12:43 AM <frowand.list@xxxxxxxxx> wrote: >>> >>> From: Frank Rowand <frank.rowand@xxxxxxxx> >>> >>> The phandle cache contains struct device_node pointers. The refcount >>> of the pointers was not incremented while in the cache, allowing use >>> after free error after kfree() of the node. Add the proper increment >>> and decrement of the use count. >> >> Since we pre-populate the cache at boot, all the nodes will have a ref >> count and will never be freed unless we happen to repopulate the whole >> cache. That doesn't seem ideal. The node pointer is not "in use" just >> because it is in the cache. I forgot to reply to this sentence. The node pointers are "in use" because of_find_node_by_phandle() will use the pointers to access the phandle field. This is a use after free bug if the node has been kfree()'ed. >> >> Rob >> > > This patch also adds of_node_put() so that the refcount will go to zero > when the node is removed as part of an overlay remove, if the node was > added by an overlay. > > Patch 2/2 adds the free cache entry call to __of_detach_node(), so the > refcount will go to zero when the node is removed for dynamic use cases > other than overlays. (For overlays, all nodes are instead removed from > the cache before __of_detach_node() is called.) > > -Frank >
