On Jul 13 2016 or thereabouts, Andrew Duggan wrote:
> Calling of_find_node_by_name() assumes that the caller has incremented
> the refcount of the of_node being passed in. Currently, the caller is
> not incrementing the refcount of the of_node which results in the node
> being prematurely freed when of_find_node_by_name() calls of_node_put()
> on it. Instead use of_get_child_by_name() which does not call put on the
> of_node.
There are 2 other differences in using of_get_child_by_name() in place
of of_find_node_by_name(). One is that now we are following the OF tree
while the spinlock is not held. I think it's fine in our case. The
other difference is that the returned of_node has not been called
of_node_get() on it. I am not 100% sure, but I think it might be good to
call of_node_get() on the of node here, and in remove call
of_node_put(), just to be sure we don't use the of_node while it has
been freed.
Cheers,
Benjamin
>
> Signed-off-by: Andrew Duggan <aduggan@xxxxxxxxxxxxx>
> ---
> drivers/input/rmi4/rmi_bus.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/input/rmi4/rmi_bus.c b/drivers/input/rmi4/rmi_bus.c
> index b368b05..253df96 100644
> --- a/drivers/input/rmi4/rmi_bus.c
> +++ b/drivers/input/rmi4/rmi_bus.c
> @@ -157,11 +157,11 @@ static int rmi_function_match(struct device *dev, struct device_driver *drv)
> static void rmi_function_of_probe(struct rmi_function *fn)
> {
> char of_name[9];
> + struct device_node *node = fn->rmi_dev->xport->dev->of_node;
>
> snprintf(of_name, sizeof(of_name), "rmi4-f%02x",
> fn->fd.function_number);
> - fn->dev.of_node = of_find_node_by_name(
> - fn->rmi_dev->xport->dev->of_node, of_name);
> + fn->dev.of_node = of_get_child_by_name(node, of_name);
> }
> #else
> static inline void rmi_function_of_probe(struct rmi_function *fn)
> --
> 2.5.0
>
--
To unsubscribe from this list: send the line "unsubscribe linux-input" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
