On Thu, Dec 12, 2019 at 7:05 AM Sebastian Andrzej Siewior
<bigeasy@xxxxxxxxxxxxx> wrote:
>
> On 2019-12-11 17:48:54 [-0600], Rob Herring wrote:
> > > - if (phandle_cache) {
> > > - if (phandle_cache[masked_handle] &&
> > > - handle == phandle_cache[masked_handle]->phandle)
> > > - np = phandle_cache[masked_handle];
> > > - if (np && of_node_check_flag(np, OF_DETACHED)) {
> > > - WARN_ON(1); /* did not uncache np on node removal */
> > > - of_node_put(np);
> > > - phandle_cache[masked_handle] = NULL;
> > > - np = NULL;
> > > - }
> > > + if (phandle_cache[handle_hash] &&
> > > + handle == phandle_cache[handle_hash]->phandle)
> > > + np = phandle_cache[handle_hash];
> > > + if (np && of_node_check_flag(np, OF_DETACHED)) {
> > > + WARN_ON(1); /* did not uncache np on node removal */
> >
> > BTW, I don't think this check is even valid. If we failed to detach
> > and remove the node from the cache, then we could be accessing np
> > after freeing it.
>
> this is kmalloc()ed memory which is always valid. If the memory is
> already re-used then
> handle == phandle_cache[handle_hash]->phandle
>
> will fail (the check, not the memory access itself).
There's a 1 in 2^32 chance it won't.
> If the check
> remains valid then you can hope for the OF_DETACHED flag to trigger the
> warning.
Keyword is hope.
To look at it another way. Do we need this check? It is in the "fast
path". There's a single location where we set OF_DETACHED and the
cache entry is removed at the same time. Also, if we do free the
node's memory, it also checks for OF_DETACHED. Previously, a free
wouldn't happen because we incremented the ref count on nodes in the
cache.
Rob
