From: Pei Xiao <xiaopei01@kylinos.cn>
[ Upstream commit 541dfb49dcb80c2509e030842de77adfb77820f5 ]
./drivers/hwmon/emc2305.c:597:4-15: ERROR: probable double put
Device node iterators put the previous value of the index variable, so an explicit put causes a double put.
Signed-off-by: Pei Xiao <xiaopei01@kylinos.cn>
Link: https://lore.kernel.org/r/tencent_CD373F952BE48697C949E39CB5EB77841D06@qq.co...
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
LLM Generated explanations, may be completely bogus:
## Analysis Summary
### What the Bug Is

This commit fixes a **double reference count decrement (double put)** on a device_node structure in the `emc2305_probe_childs_from_dt()` function.

**Technical explanation:**

1. The `for_each_child_of_node()` macro uses `of_get_next_child()` internally for iteration
2. As confirmed in the kernel documentation, `of_get_next_child()` "**Decrements the refcount of prev**" automatically when advancing to the next child
3. The buggy code explicitly calls `of_node_put(child)` before `continue`
4. When the loop continues, `of_get_next_child()` decrements the refcount again → **double put**

**Impact:** Double put causes reference count underflow which can lead to:

- Use-after-free vulnerabilities
- Memory corruption
- Kernel crashes/instability
### Stable Tree Criteria Evaluation
| Criteria | Met? | Details |
|----------|------|---------|
| Obviously correct | ✅ | Standard DT iterator pattern fix |
| Fixes real bug | ✅ | Reference counting bug confirmed |
| Important issue | ✅ | Potential UAF/memory corruption |
| Small and contained | ✅ | Removes 4 lines in one function |
| No new features | ✅ | Pure bug fix |
| Tested | ✅ | Signed-off by hwmon maintainer |
### Risk Assessment

- **Risk**: Very low - the fix simply removes incorrect `of_node_put()` calls
- **Scope**: Single function, single driver (emc2305 hwmon)
- **Backport complexity**: None - straightforward removal of lines

### Version Analysis

The buggy code was introduced in commit `2ed4db7a1d07b` which first appeared in **v6.17-rc1**. This means:

- Only kernels 6.17+ have this bug
- Older stable trees (6.12.y, 6.6.y, 6.1.y, etc.) do **NOT** have this code

### Concerns

- No explicit "Cc: stable@vger.kernel.org" tag
- No "Fixes:" tag pointing to the introducing commit
- However, the bug and fix are clearly documented and understood

### Verdict

This is a legitimate bug fix that corrects an obvious reference counting error. The fix is:

- Trivially correct (well-known DT iterator pattern)
- Very low risk
- Fixes a real bug that can cause memory corruption
While the affected code only exists in 6.17+, this is still a valid stable backport candidate for the 6.17.y stable branch and should be backported to ensure stable users don't hit this reference counting bug.
**YES**
 drivers/hwmon/emc2305.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/drivers/hwmon/emc2305.c b/drivers/hwmon/emc2305.c index 84cb9b72cb6c2..ceae96c07ac45 100644 --- a/drivers/hwmon/emc2305.c +++ b/drivers/hwmon/emc2305.c @@ -593,10 +593,8 @@ static int emc2305_probe_childs_from_dt(struct device *dev) for_each_child_of_node(dev->of_node, child) { if (of_property_present(child, "reg")) { ret = emc2305_of_parse_pwm_child(dev, child, data); - if (ret) { - of_node_put(child); + if (ret) continue; - } count++; } }
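Review bot: removing the explicit of_node_put(child) before continue is the right fix, since for_each_child_of_node() already drops the reference to the previous child when it advances, which is the double put coccinelle flagged at emc2305.c:597; with the braces gone the remaining `if (ret) continue;` is fine on its own. What is missing is a Fixes: tag naming the introducing commit (2ed4db7a1d07b per the analysis above), so that stable tooling picks the right branches rather than relying on the version notes in the cover text.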