From: Frank Rowand <frank.rowand@xxxxxxxx>

Non-overlay dynamic devicetree node removal may leave the node in the
phandle cache.  Subsequent calls to of_find_node_by_phandle() will
incorrectly find the stale entry.  This bug exposed the following
phandle cache refcount bug.

The refcount of phandle_cache entries is not incremented while in
the cache, allowing use after free error after kfree() of the
cached entry.

Changes since v2:
  - patch 2/2: add temporary variable np in
    __of_free_phandle_cache_entry() to improve readability
  - patch 2/2: explain reason for WARN_ON() in comment
  - patch 2/2: add Fixes tag in patch comment

Changes since v1:
  - make __of_free_phandle_cache() static
  - add WARN_ON(1) for unexpected condition in of_find_node_by_phandle()

Frank Rowand (2):
  of: of_node_get()/of_node_put() nodes held in phandle cache
  of: __of_detach_node() - remove node from phandle cache

 drivers/of/base.c       | 101 ++++++++++++++++++++++++++++++++++++------------
 drivers/of/dynamic.c    |   3 ++
 drivers/of/of_private.h |   4 ++
 3 files changed, 83 insertions(+), 25 deletions(-)

-- 
Frank Rowand <frank.rowand@xxxxxxxx>
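
The two fixes named in the cover letter (the cache holds its own reference on each cached node, and detaching a node removes its cache entry) can be seen in a small user-space model. This is an added example, not code from the patch series or from the kernel; `struct node`, `node_get()`, `node_put()`, `cache_insert()`, `cache_lookup()`, `node_detach()` and the cache size are hypothetical names and values chosen for illustration, and release is recorded in a `freed` flag instead of calling `free()` so the lifetime can be observed.

```c
#include <stddef.h>
#include <stdio.h>

#define CACHE_SLOTS 4                 /* constructed size, power of two */

struct node {                         /* hypothetical stand-in for a devicetree node */
    unsigned int phandle;
    int refcount;
    int freed;                        /* set where real code would release memory */
};

static struct node *cache[CACHE_SLOTS];

static struct node *node_get(struct node *n) { if (n) n->refcount++; return n; }

static void node_put(struct node *n)
{
    if (n && --n->refcount == 0)
        n->freed = 1;
}

/* Insert: the cache owns one reference for as long as the entry stays. */
static void cache_insert(struct node *n)
{
    struct node **slot = &cache[n->phandle & (CACHE_SLOTS - 1)];
    if (*slot)
        node_put(*slot);              /* evict previous occupant, drop its reference */
    *slot = node_get(n);
}

/* Lookup: hand the caller a new reference, or NULL on a miss. */
static struct node *cache_lookup(unsigned int phandle)
{
    struct node *n = cache[phandle & (CACHE_SLOTS - 1)];
    return (n && n->phandle == phandle) ? node_get(n) : NULL;
}

/* Detach: clear the entry so later lookups cannot return the stale node. */
static void node_detach(struct node *n)
{
    struct node **slot = &cache[n->phandle & (CACHE_SLOTS - 1)];
    if (*slot == n) { *slot = NULL; node_put(n); }
}

int main(void)
{
    struct node a = { .phandle = 5, .refcount = 1, .freed = 0 };
    cache_insert(&a);                 /* refcount 2: creator + cache */
    node_put(&a);                     /* creator drops its reference; node must survive */
    printf("cached, freed=%d\n", a.freed);
    node_detach(&a);                  /* cache reference dropped, entry cleared */
    printf("detached, freed=%d hit=%d\n", a.freed, cache_lookup(5) != NULL);
    return 0;
}
```

Without the `node_get()` in `cache_insert()`, the creator's `node_put()` would release the node while the cache still pointed at it; without `node_detach()`, a lookup after removal would still return it.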