Rob Herring <robh+dt@xxxxxxxxxx> writes:
> On Mon, Dec 17, 2018 at 1:56 AM <frowand.list@xxxxxxxxx> wrote:
>>
>> From: Frank Rowand <frank.rowand@xxxxxxxx>
>>
>> Non-overlay dynamic devicetree node removal may leave the node in
>> the phandle cache. Subsequent calls to of_find_node_by_phandle()
>> will incorrectly find the stale entry. This bug exposed the following
>> phandle cache refcount bug.
>>
>> The refcount of phandle_cache entries is not incremented while in
>> the cache, allowing use after free error after kfree() of the
>> cached entry.
>>
>> Changes since v1:
>>   - make __of_free_phandle_cache() static
>>   - add WARN_ON(1) for unexpected condition in of_find_node_by_phandle()
>>
>> Frank Rowand (2):
>>   of: of_node_get()/of_node_put() nodes held in phandle cache
>>   of: __of_detach_node() - remove node from phandle cache
>
> I'll send this to Linus this week if I get a tested by. Otherwise, it
> will go in for 4.21.

I think it can wait to go into 4.21, it's not super critical and it's
not a regression since 4.19.

cheers
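
Added example, not part of the thread and not the code of the patches: a user-space C model of the two fixes named in the cover letter, where the cache holds its own reference on each cached node and detaching a node evicts it from the cache. All names, the modulo indexing and the sample phandle 42 are assumptions made for illustration.

```c
#include <stdlib.h>
/* Simplified user-space model; all names are hypothetical, not kernel API. */
#define CACHE_SZ 8u
struct node { unsigned phandle; int refcount; };
static struct node *cache[CACHE_SZ];
static struct node *node_get(struct node *n) { if (n) n->refcount++; return n; }

/* Drop one reference; returns 1 if it was the last and the node was freed. */
static int node_put(struct node *n)
{
    if (n && --n->refcount == 0) { free(n); return 1; }
    return 0;
}

static struct node *node_new(unsigned phandle)
{
    struct node *n = calloc(1, sizeof(*n));
    if (n) { n->phandle = phandle; n->refcount = 1; } /* creator's reference */
    return n;
}

/* The cache holds its own reference for as long as the node is cached. */
static void cache_insert(struct node *n)
{
    struct node **slot = &cache[n->phandle % CACHE_SZ], *old = *slot;
    *slot = node_get(n);
    node_put(old);                /* release the entry being replaced */
}

/* Detach evicts the node so later lookups cannot return a stale entry. */
static void node_detach(struct node *n)
{
    struct node **slot = &cache[n->phandle % CACHE_SZ];
    if (*slot == n) { *slot = NULL; node_put(n); }
}

/* A hit returns a new reference that the caller must node_put(). */
static struct node *find_by_phandle(unsigned phandle)
{
    struct node *n = cache[phandle % CACHE_SZ];
    return (n && n->phandle == phandle) ? node_get(n) : NULL;
}

int main(void)
{
    struct node *n = node_new(42);            /* constructed sample phandle */
    if (!n) return 1;
    cache_insert(n);                          /* refcount 2: creator + cache */
    node_detach(n);                           /* refcount 1: evicted from cache */
    return find_by_phandle(42) ? 1 : !node_put(n); /* 0: no stale hit, freed */
}
```

Without the reference taken in `cache_insert()`, the creator's final `node_put()` would free a node the cache still points to, and without the eviction in `node_detach()` a later lookup would still return it.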