On Mon, Dec 17, 2018 at 1:56 AM <frowand.list@xxxxxxxxx> wrote:
>
> From: Frank Rowand <frank.rowand@xxxxxxxx>
>
> Non-overlay dynamic devicetree node removal may leave the node in
> the phandle cache. Subsequent calls to of_find_node_by_phandle()
> will incorrectly find the stale entry. This bug exposed the following
> phandle cache refcount bug.
>
> The refcount of phandle_cache entries is not incremented while in
> the cache, allowing use after free error after kfree() of the
> cached entry.
>
> Changes since v1:
>   - make __of_free_phandle_cache() static
>   - add WARN_ON(1) for unexpected condition in of_find_node_by_phandle()
>
> Frank Rowand (2):
>   of: of_node_get()/of_node_put() nodes held in phandle cache
>   of: __of_detach_node() - remove node from phandle cache

I'll send this to Linus this week if I get a tested by. Otherwise, it
will go in for 4.21.

Rob
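A userspace C model of the two fixes named in the quoted cover letter (a cache that holds its own reference, and a detach step that evicts the node), added here as an illustration; it is not code from the patch series or the kernel. All names (`struct node`, `cache_insert`, `detach_node`, `find_by_phandle`, `run_model`), the 4-slot masked cache and the `freed` flag standing in for kfree() are assumptions.

```c
/* Userspace model, constructed for illustration; not kernel code. */
#include <stdio.h>

#define CACHE_SIZE 4   /* assumed power of two, so (phandle & mask) picks a slot */

struct node { unsigned phandle; int refcount; int freed; };

static struct node *cache[CACHE_SIZE];

static struct node *node_get(struct node *n) { if (n) n->refcount++; return n; }

static void node_put(struct node *n)
{
    if (n && --n->refcount == 0)
        n->freed = 1;              /* stands in for kfree() of the node */
}

/* Fix 1: the cache takes its own reference, so a cached node cannot be freed. */
static void cache_insert(struct node *n)
{
    struct node **slot = &cache[n->phandle & (CACHE_SIZE - 1)];
    node_put(*slot);               /* drop the reference on a replaced entry */
    *slot = node_get(n);
}

/* Fix 2: detaching a node evicts it, so later lookups cannot hit a stale entry. */
static void detach_node(struct node *n)
{
    struct node **slot = &cache[n->phandle & (CACHE_SIZE - 1)];
    if (*slot == n) { node_put(n); *slot = NULL; }
}

/* Lookup hands the caller a node with a reference held, or NULL on a miss. */
static struct node *find_by_phandle(unsigned phandle)
{
    struct node *n = cache[phandle & (CACHE_SIZE - 1)];
    return (n && n->phandle == phandle) ? node_get(n) : NULL;
}

/* Walks one node through its lifecycle; returns 0 when every invariant holds. */
int run_model(void)
{
    struct node n = { .phandle = 5, .refcount = 1, .freed = 0 }; /* creator's ref */
    cache_insert(&n);                          /* refcount 2: creator + cache */
    struct node *hit = find_by_phandle(5);     /* refcount 3: + caller */
    if (hit != &n || n.refcount != 3) return 1;
    node_put(hit);                             /* caller done: 2 */
    node_put(&n);                              /* creator done: 1, cache holds it */
    if (n.freed) return 2;                     /* would be the use-after-free */
    detach_node(&n);                           /* cache drops its ref: freed */
    if (!n.freed) return 3;
    return find_by_phandle(5) ? 4 : 0;         /* no stale hit after detach */
}

int main(void) { printf("model result: %d\n", run_model()); return 0; }
```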