The current implementation accesses the `child` fwnode handle outside of
device_for_each_child_node() without incrementing its refcount.
Add the missing call to `fwnode_handle_get(child)`.
The cleanup process where `child` is accessed is not right either
because a single call to `fwnode_handle_put()` is carried out in case of
an error, ignoring unasigned nodes at the point when the error happens.
Keep `child` inside of the first loop, and use the helper pointer that
receives references via `fwnode_handle_get()` to handle the child nodes
within the second loop. Keeping `child` inside the first node has also
the advantage that the scoped version of the loop can be used.
Fixes: ee4e80b2962e ("leds: pca995x: Add support for PCA995X chips")
Signed-off-by: Javier Carrasco <javier.carrasco.cruz@xxxxxxxxx>
---
This issue has been found while reviewing the recently applied commit
3ec05e5feacd ("leds: pca995x: Use device_for_each_child_node() to access
device child nodes"), which required some conflict resolution to be
applied.
This driver makes use of the variable `child` outside the
_for_each_child_node() loop as it that variable contained the right
address at the point where `fwnode_handle_put(child)` is called, which
is not a valid assumption. `child` is assigned to led_fwnodes[reg]
without incrementing its refcount, and the cleanup is off as well
because even if that was correct, a single child node would be
de-allocated.
A similar fix was provided in the series where forementioned commit
was included for leds-bd2606mvv.c [1].
Link: https://lore.kernel.org/all/20240721-device_for_each_child_node-available-v2-3-f33748fd8b2d@xxxxxxxxx/ [1]
---
drivers/leds/leds-pca995x.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers/leds/leds-pca995x.c b/drivers/leds/leds-pca995x.c
index 83bc9669544c..11c7bb69573e 100644
--- a/drivers/leds/leds-pca995x.c
+++ b/drivers/leds/leds-pca995x.c
@@ -120,12 +120,11 @@ static const struct regmap_config pca995x_regmap = {
static int pca995x_probe(struct i2c_client *client)
{
struct fwnode_handle *led_fwnodes[PCA995X_MAX_OUTPUTS] = { 0 };
- struct fwnode_handle *child;
struct device *dev = &client->dev;
const struct pca995x_chipdef *chipdef;
struct pca995x_chip *chip;
struct pca995x_led *led;
- int i, reg, ret;
+ int i, j, reg, ret;
chipdef = device_get_match_data(&client->dev);
@@ -143,7 +142,7 @@ static int pca995x_probe(struct i2c_client *client)
i2c_set_clientdata(client, chip);
- device_for_each_child_node(dev, child) {
+ device_for_each_child_node_scoped(dev, child) {
ret = fwnode_property_read_u32(child, "reg", ®);
if (ret)
return ret;
@@ -152,7 +151,7 @@ static int pca995x_probe(struct i2c_client *client)
return -EINVAL;
led = &chip->leds[reg];
- led_fwnodes[reg] = child;
+ led_fwnodes[reg] = fwnode_handle_get(child);
led->chip = chip;
led->led_no = reg;
led->ldev.brightness_set_blocking = pca995x_brightness_set;
@@ -171,7 +170,8 @@ static int pca995x_probe(struct i2c_client *client)
&chip->leds[i].ldev,
&init_data);
if (ret < 0) {
- fwnode_handle_put(child);
+ for (j = i; j < PCA995X_MAX_OUTPUTS; j++)
+ fwnode_handle_put(led_fwnodes[j]);
return dev_err_probe(dev, ret,
"Could not register LED %s\n",
chip->leds[i].ldev.name);
---
base-commit: 1e391b34f6aa043c7afa40a2103163a0ef06d179
change-id: 20240806-leds-pca995x-fix-fwnode-usage-f69d91e81b2c
Best regards,
--
Javier Carrasco <javier.carrasco.cruz@xxxxxxxxx>
