On Sun, 12 Nov 2017 14:47:59 +0100
Johan Hovold <johan@xxxxxxxxxx> wrote:
> On Sun, Nov 12, 2017 at 12:32:08PM +0000, Marc Zyngier wrote:
> > On Sat, 11 Nov 2017 17:51:25 +0100
> > Johan Hovold <johan@xxxxxxxxxx> wrote:
> >
> > Johan,
> >
> > > Fix child-node lookup during initialisation, which ended up searching
> > > the whole device tree depth-first starting at the parent rather than
> > > just matching on its children.
> > >
> > > To make things worse, the parent giq node was prematurely freed, while
> >
> > s/giq/gic/.
> >
> > Care to point out where that node would be prematurely freed? I don't
> > see your patch addressing that either...
>
> of_find_node_by_name() is used for tree-wide searches and, as
> documented, drops a reference to its first argument, which in this case
> is the parent gic node.
Got it. Yes, that's definitely a bad idea.
>
> > > the ppi-partitions node was leaked.
> > >
> > > Fixes: e3825ba1af3a ("irqchip/gic-v3: Add support for partitioned PPIs")
> > > Cc: stable <stable@xxxxxxxxxxxxxxx> # 4.7
> >
> > Do you have an example of this causing any trouble in the wild? As far
> > as I remember, the whole of_node refcounting isn't really enforced, so
> > while this is definitely a bug, it wouldn't cause any harm anywhere.
>
> Node refcounting is enabled with CONFIG_OF_DYNAMIC (e.g. when overlay
> support is enabled) and getting the refcounting wrong can lead to all
> sorts of issues like use-after-free and crashes.
Ah, I completely forgot about this overlay madness. Fair enough, that's
tricky enough to spot that it is worth plugging ASAP.
I've queued this with a handful of other fixes for 4.15.
Thanks,
M.
--
Without deviation from the norm, progress is not possible.