Commit eed89994 authored Jun 05, 2024 by Herve Codina Committed by openeuler-sync-bot Jul 01, 2024

of: dynamic: Synchronize of_changeset_destroy() with the devlink removals

stable inclusion
from stable-v5.10.215
commit 3127b2ee50c424a96eb3559fbb7b43cf0b111c7a
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9QG3P
CVE: CVE-2024-35879

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=3127b2ee50c424a96eb3559fbb7b43cf0b111c7a



------------------------------------------------

commit 8917e7385346bd6584890ed362985c219fe6ae84 upstream.

In the following sequence:
  1) of_platform_depopulate()
  2) of_overlay_remove()

During the step 1, devices are destroyed and devlinks are removed.
During the step 2, OF nodes are destroyed but
__of_changeset_entry_destroy() can raise warnings related to missing
of_node_put():
  ERROR: memory leak, expected refcount 1 instead of 2 ...

Indeed, during the devlink removals performed at step 1, the removal
itself releasing the device (and the attached of_node) is done by a job
queued in a workqueue and so, it is done asynchronously with respect to
function calls.
When the warning is present, of_node_put() will be called but wrongly
too late from the workqueue job.

In order to be sure that any ongoing devlink removals are done before
the of_node destruction, synchronize the of_changeset_destroy() with the
devlink removals.

Fixes: 80dd33cf ("drivers: base: Fix device link removal")
Cc: stable@vger.kernel.org
Signed-off-by: Herve Codina <herve.codina@bootlin.com>
Reviewed-by: Saravana Kannan <saravanak@google.com>
Tested-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Reviewed-by: Nuno Sa <nuno.sa@analog.com>
Link: https://lore.kernel.org/r/20240325152140.198219-3-herve.codina@bootlin.com


Signed-off-by: Rob Herring <robh@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Zhang Zekun <zhangzekun11@huawei.com>
(cherry picked from commit 257f8b6f)

parent 473983f1

drivers/of/dynamic.c

+12 −0

Original line number	Diff line number	Diff line
		@@ -9,6 +9,7 @@

		#define pr_fmt(fmt) "OF: " fmt

		#include <linux/device.h>
		#include <linux/of.h>
		#include <linux/spinlock.h>
		#include <linux/slab.h>
		@@ -688,6 +689,17 @@ void of_changeset_destroy(struct of_changeset *ocs)
		{
		struct of_changeset_entry ce, cen;

		/*
		* When a device is deleted, the device links to/from it are also queued
		* for deletion. Until these device links are freed, the devices
		* themselves aren't freed. If the device being deleted is due to an
		* overlay change, this device might be holding a reference to a device
		* node that will be freed. So, wait until all already pending device
		* links are deleted before freeing a device node. This ensures we don't
		* free any device node that has a non-zero reference count.
		*/
		device_link_wait_removal();

		list_for_each_entry_safe_reverse(ce, cen, &ocs->entries, node)
		__of_changeset_entry_destroy(ce);
		}