[PATCH v7] cpufreq/pasemi: fix an use-after-free in pas_cpufreq_cpu_init()

2019-07-16 Thread Wen Yang
The cpu variable is still being used in the of_get_property() call
after the of_node_put() call, which may result in use-after-free.

Fixes: a9acc26b75f6 ("cpufreq/pasemi: fix possible object reference leak")
Signed-off-by: Wen Yang 
Cc: "Rafael J. Wysocki" 
Cc: Viresh Kumar 
Cc: Michael Ellerman 
Cc: linuxppc-dev@lists.ozlabs.org
Cc: linux...@vger.kernel.org
Cc: linux-ker...@vger.kernel.org
---
v7: adapt to commit ("cpufreq: Make cpufreq_generic_init() return void")
v6: keep the blank line and fix warning: label 'out_unmap_sdcpwr' defined but 
not used.
v5: put together the code to get, use, and release cpu device_node.
v4: restore the blank line.
v3: fix a leaked reference.
v2: clean up the code according to the advice of viresh.

 drivers/cpufreq/pasemi-cpufreq.c | 23 +--
 1 file changed, 9 insertions(+), 14 deletions(-)

diff --git a/drivers/cpufreq/pasemi-cpufreq.c b/drivers/cpufreq/pasemi-cpufreq.c
index 93f39a1..c66f566 100644
--- a/drivers/cpufreq/pasemi-cpufreq.c
+++ b/drivers/cpufreq/pasemi-cpufreq.c
@@ -131,10 +131,18 @@ static int pas_cpufreq_cpu_init(struct cpufreq_policy 
*policy)
int err = -ENODEV;
 
cpu = of_get_cpu_node(policy->cpu, NULL);
+   if (!cpu)
+   goto out;
 
+   max_freqp = of_get_property(cpu, "clock-frequency", NULL);
of_node_put(cpu);
-   if (!cpu)
+   if (!max_freqp) {
+   err = -EINVAL;
goto out;
+   }
+
+   /* we need the freq in kHz */
+   max_freq = *max_freqp / 1000;
 
dn = of_find_compatible_node(NULL, NULL, "1682m-sdc");
if (!dn)
@@ -171,16 +179,6 @@ static int pas_cpufreq_cpu_init(struct cpufreq_policy 
*policy)
}
 
pr_debug("init cpufreq on CPU %d\n", policy->cpu);
-
-   max_freqp = of_get_property(cpu, "clock-frequency", NULL);
-   if (!max_freqp) {
-   err = -EINVAL;
-   goto out_unmap_sdcpwr;
-   }
-
-   /* we need the freq in kHz */
-   max_freq = *max_freqp / 1000;
-
pr_debug("max clock-frequency is at %u kHz\n", max_freq);
pr_debug("initializing frequency table\n");
 
@@ -199,9 +197,6 @@ static int pas_cpufreq_cpu_init(struct cpufreq_policy 
*policy)
cpufreq_generic_init(policy, pas_freqs, get_gizmo_latency());
return 0;
 
-out_unmap_sdcpwr:
-   iounmap(sdcpwr_mapbase);
-
 out_unmap_sdcasr:
iounmap(sdcasr_mapbase);
 out:
-- 
2.9.5



[PATCH v6] cpufreq/pasemi: fix an use-after-free in pas_cpufreq_cpu_init()

2019-07-11 Thread Wen Yang
The cpu variable is still being used in the of_get_property() call
after the of_node_put() call, which may result in use-after-free.

Fixes: a9acc26b75f6 ("cpufreq/pasemi: fix possible object reference leak")
Signed-off-by: Wen Yang 
Cc: "Rafael J. Wysocki" 
Cc: Viresh Kumar 
Cc: Michael Ellerman 
Cc: linuxppc-dev@lists.ozlabs.org
Cc: linux...@vger.kernel.org
Cc: linux-ker...@vger.kernel.org
---
v6: keep the blank line and fix warning: label 'out_unmap_sdcpwr' defined but 
not used.
v5: put together the code to get, use, and release cpu device_node.
v4: restore the blank line.
v3: fix a leaked reference.
v2: clean up the code according to the advice of viresh.

 drivers/cpufreq/pasemi-cpufreq.c | 26 ++
 1 file changed, 14 insertions(+), 12 deletions(-)

diff --git a/drivers/cpufreq/pasemi-cpufreq.c b/drivers/cpufreq/pasemi-cpufreq.c
index 6b1e4ab..7d557f9 100644
--- a/drivers/cpufreq/pasemi-cpufreq.c
+++ b/drivers/cpufreq/pasemi-cpufreq.c
@@ -131,10 +131,18 @@ static int pas_cpufreq_cpu_init(struct cpufreq_policy 
*policy)
int err = -ENODEV;
 
cpu = of_get_cpu_node(policy->cpu, NULL);
+   if (!cpu)
+   goto out;
 
+   max_freqp = of_get_property(cpu, "clock-frequency", NULL);
of_node_put(cpu);
-   if (!cpu)
+   if (!max_freqp) {
+   err = -EINVAL;
goto out;
+   }
+
+   /* we need the freq in kHz */
+   max_freq = *max_freqp / 1000;
 
dn = of_find_compatible_node(NULL, NULL, "1682m-sdc");
if (!dn)
@@ -171,16 +179,6 @@ static int pas_cpufreq_cpu_init(struct cpufreq_policy 
*policy)
}
 
pr_debug("init cpufreq on CPU %d\n", policy->cpu);
-
-   max_freqp = of_get_property(cpu, "clock-frequency", NULL);
-   if (!max_freqp) {
-   err = -EINVAL;
-   goto out_unmap_sdcpwr;
-   }
-
-   /* we need the freq in kHz */
-   max_freq = *max_freqp / 1000;
-
pr_debug("max clock-frequency is at %u kHz\n", max_freq);
pr_debug("initializing frequency table\n");
 
@@ -196,7 +194,11 @@ static int pas_cpufreq_cpu_init(struct cpufreq_policy 
*policy)
policy->cur = pas_freqs[cur_astate].frequency;
ppc_proc_freq = policy->cur * 1000ul;
 
-   return cpufreq_generic_init(policy, pas_freqs, get_gizmo_latency());
+   err = cpufreq_generic_init(policy, pas_freqs, get_gizmo_latency());
+   if (err)
+   goto out_unmap_sdcpwr;
+
+   return 0;
 
 out_unmap_sdcpwr:
iounmap(sdcpwr_mapbase);
-- 
2.9.5



[PATCH 2/2] powerpc/83xx: cleanup error paths in mpc831x_usb_cfg()

2019-07-09 Thread Wen Yang
Rename the jump labels according to the cleanup they perform,
and move reference handling to simplify cleanup.

Signed-off-by: Wen Yang 
Cc: Scott Wood 
Cc: Kumar Gala 
Cc: Benjamin Herrenschmidt 
Cc: Paul Mackerras 
Cc: Michael Ellerman 
Cc: Markus Elfring 
Cc: linuxppc-dev@lists.ozlabs.org
Cc: linux-ker...@vger.kernel.org
---
 arch/powerpc/platforms/83xx/usb.c | 13 ++---
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/arch/powerpc/platforms/83xx/usb.c 
b/arch/powerpc/platforms/83xx/usb.c
index 19dcef5..56b36fa 100644
--- a/arch/powerpc/platforms/83xx/usb.c
+++ b/arch/powerpc/platforms/83xx/usb.c
@@ -160,11 +160,9 @@ int mpc831x_usb_cfg(void)
 
/* Map USB SOC space */
ret = of_address_to_resource(np, 0, );
-   if (ret) {
-   of_node_put(immr_node);
-   of_node_put(np);
-   return ret;
-   }
+   if (ret)
+   goto out_put_node;
+
usb_regs = ioremap(res.start, resource_size());
 
/* Using on-chip PHY */
@@ -173,7 +171,7 @@ int mpc831x_usb_cfg(void)
u32 refsel;
 
if (of_device_is_compatible(immr_node, "fsl,mpc8308-immr"))
-   goto out;
+   goto out_unmap;
 
if (of_device_is_compatible(immr_node, "fsl,mpc8315-immr"))
refsel = CONTROL_REFSEL_24MHZ;
@@ -200,8 +198,9 @@ int mpc831x_usb_cfg(void)
ret = -EINVAL;
}
 
-out:
+out_unmap:
iounmap(usb_regs);
+out_put_node:
of_node_put(immr_node);
of_node_put(np);
return ret;
-- 
2.9.5



[PATCH 1/2] powerpc/83xx: fix use-after-free in mpc831x_usb_cfg()

2019-07-09 Thread Wen Yang
The immr_node variable is still being used after the of_node_put() call,
which may result in use-after-free.
Fix this issue by calling of_node_put() after the last usage.

Fixes: fd066e850351 ("powerpc/mpc8308: fix USB DR controller initialization")
Signed-off-by: Wen Yang 
Cc: Scott Wood 
Cc: Kumar Gala 
Cc: Benjamin Herrenschmidt 
Cc: Paul Mackerras 
Cc: Michael Ellerman 
Cc: Markus Elfring 
Cc: linuxppc-dev@lists.ozlabs.org
Cc: linux-ker...@vger.kernel.org
---
 arch/powerpc/platforms/83xx/usb.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/powerpc/platforms/83xx/usb.c 
b/arch/powerpc/platforms/83xx/usb.c
index 3d247d7..19dcef5 100644
--- a/arch/powerpc/platforms/83xx/usb.c
+++ b/arch/powerpc/platforms/83xx/usb.c
@@ -158,11 +158,10 @@ int mpc831x_usb_cfg(void)
 
iounmap(immap);
 
-   of_node_put(immr_node);
-
/* Map USB SOC space */
ret = of_address_to_resource(np, 0, );
if (ret) {
+   of_node_put(immr_node);
of_node_put(np);
return ret;
}
@@ -203,6 +202,7 @@ int mpc831x_usb_cfg(void)
 
 out:
iounmap(usb_regs);
+   of_node_put(immr_node);
of_node_put(np);
return ret;
 }
-- 
2.9.5



[PATCH v5] cpufreq/pasemi: fix an use-after-free in pas_cpufreq_cpu_init()

2019-07-09 Thread Wen Yang
The cpu variable is still being used in the of_get_property() call
after the of_node_put() call, which may result in use-after-free.

Fixes: a9acc26b75f ("cpufreq/pasemi: fix possible object reference leak")
Signed-off-by: Wen Yang 
Cc: "Rafael J. Wysocki" 
Cc: Viresh Kumar 
Cc: Michael Ellerman 
Cc: linuxppc-dev@lists.ozlabs.org
Cc: linux...@vger.kernel.org
Cc: linux-ker...@vger.kernel.org
---
v5: put together the code to get, use, and release cpu device_node.
v4: restore the blank line.
v3: fix a leaked reference.
v2: clean up the code according to the advice of viresh.

 drivers/cpufreq/pasemi-cpufreq.c | 21 +
 1 file changed, 9 insertions(+), 12 deletions(-)

diff --git a/drivers/cpufreq/pasemi-cpufreq.c b/drivers/cpufreq/pasemi-cpufreq.c
index 6b1e4ab..1f0beb7 100644
--- a/drivers/cpufreq/pasemi-cpufreq.c
+++ b/drivers/cpufreq/pasemi-cpufreq.c
@@ -131,10 +131,17 @@ static int pas_cpufreq_cpu_init(struct cpufreq_policy 
*policy)
int err = -ENODEV;
 
cpu = of_get_cpu_node(policy->cpu, NULL);
-
-   of_node_put(cpu);
if (!cpu)
goto out;
+   max_freqp = of_get_property(cpu, "clock-frequency", NULL);
+   of_node_put(cpu);
+   if (!max_freqp) {
+   err = -EINVAL;
+   goto out;
+   }
+
+   /* we need the freq in kHz */
+   max_freq = *max_freqp / 1000;
 
dn = of_find_compatible_node(NULL, NULL, "1682m-sdc");
if (!dn)
@@ -171,16 +178,6 @@ static int pas_cpufreq_cpu_init(struct cpufreq_policy 
*policy)
}
 
pr_debug("init cpufreq on CPU %d\n", policy->cpu);
-
-   max_freqp = of_get_property(cpu, "clock-frequency", NULL);
-   if (!max_freqp) {
-   err = -EINVAL;
-   goto out_unmap_sdcpwr;
-   }
-
-   /* we need the freq in kHz */
-   max_freq = *max_freqp / 1000;
-
pr_debug("max clock-frequency is at %u kHz\n", max_freq);
pr_debug("initializing frequency table\n");
 
-- 
2.9.5



[PATCH v4] cpufreq/pasemi: fix an use-after-free in pas_cpufreq_cpu_init()

2019-07-08 Thread Wen Yang
The cpu variable is still being used in the of_get_property() call
after the of_node_put() call, which may result in use-after-free.

Fixes: a9acc26b75f ("cpufreq/pasemi: fix possible object reference leak")
Signed-off-by: Wen Yang 
Cc: "Rafael J. Wysocki" 
Cc: Viresh Kumar 
Cc: linuxppc-dev@lists.ozlabs.org
Cc: linux...@vger.kernel.org
Cc: linux-ker...@vger.kernel.org
---
v4: restore the blank line.
v3: fix a leaked reference.
v2: clean up the code according to the advice of viresh.

 drivers/cpufreq/pasemi-cpufreq.c | 11 +++
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/drivers/cpufreq/pasemi-cpufreq.c b/drivers/cpufreq/pasemi-cpufreq.c
index 6b1e4ab..f0c98fc 100644
--- a/drivers/cpufreq/pasemi-cpufreq.c
+++ b/drivers/cpufreq/pasemi-cpufreq.c
@@ -128,20 +128,21 @@ static int pas_cpufreq_cpu_init(struct cpufreq_policy 
*policy)
int cur_astate, idx;
struct resource res;
struct device_node *cpu, *dn;
-   int err = -ENODEV;
+   int err;
 
cpu = of_get_cpu_node(policy->cpu, NULL);
 
-   of_node_put(cpu);
if (!cpu)
-   goto out;
+   return -ENODEV;
 
dn = of_find_compatible_node(NULL, NULL, "1682m-sdc");
if (!dn)
dn = of_find_compatible_node(NULL, NULL,
 "pasemi,pwrficient-sdc");
-   if (!dn)
+   if (!dn) {
+   err = -ENODEV;
goto out;
+   }
err = of_address_to_resource(dn, 0, );
of_node_put(dn);
if (err)
@@ -196,6 +197,7 @@ static int pas_cpufreq_cpu_init(struct cpufreq_policy 
*policy)
policy->cur = pas_freqs[cur_astate].frequency;
ppc_proc_freq = policy->cur * 1000ul;
 
+   of_node_put(cpu);
return cpufreq_generic_init(policy, pas_freqs, get_gizmo_latency());
 
 out_unmap_sdcpwr:
@@ -204,6 +206,7 @@ static int pas_cpufreq_cpu_init(struct cpufreq_policy 
*policy)
 out_unmap_sdcasr:
iounmap(sdcasr_mapbase);
 out:
+   of_node_put(cpu);
return err;
 }
 
-- 
2.9.5



[PATCH v3] cpufreq/pasemi: fix an use-after-free in pas_cpufreq_cpu_init()

2019-07-08 Thread Wen Yang
The cpu variable is still being used in the of_get_property() call
after the of_node_put() call, which may result in use-after-free.

Fixes: a9acc26b75f ("cpufreq/pasemi: fix possible object reference leak")
Signed-off-by: Wen Yang 
Cc: "Rafael J. Wysocki" 
Cc: Viresh Kumar 
Cc: linuxppc-dev@lists.ozlabs.org
Cc: linux...@vger.kernel.org
Cc: linux-ker...@vger.kernel.org
---
v3: fix a leaked reference.
v2: clean up the code according to the advice of viresh.

 drivers/cpufreq/pasemi-cpufreq.c | 12 +++-
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/drivers/cpufreq/pasemi-cpufreq.c b/drivers/cpufreq/pasemi-cpufreq.c
index 6b1e4ab..9dc5163 100644
--- a/drivers/cpufreq/pasemi-cpufreq.c
+++ b/drivers/cpufreq/pasemi-cpufreq.c
@@ -128,20 +128,20 @@ static int pas_cpufreq_cpu_init(struct cpufreq_policy 
*policy)
int cur_astate, idx;
struct resource res;
struct device_node *cpu, *dn;
-   int err = -ENODEV;
+   int err;
 
cpu = of_get_cpu_node(policy->cpu, NULL);
-
-   of_node_put(cpu);
if (!cpu)
-   goto out;
+   return -ENODEV;
 
dn = of_find_compatible_node(NULL, NULL, "1682m-sdc");
if (!dn)
dn = of_find_compatible_node(NULL, NULL,
 "pasemi,pwrficient-sdc");
-   if (!dn)
+   if (!dn) {
+   err = -ENODEV;
goto out;
+   }
err = of_address_to_resource(dn, 0, );
of_node_put(dn);
if (err)
@@ -196,6 +196,7 @@ static int pas_cpufreq_cpu_init(struct cpufreq_policy 
*policy)
policy->cur = pas_freqs[cur_astate].frequency;
ppc_proc_freq = policy->cur * 1000ul;
 
+   of_node_put(cpu);
return cpufreq_generic_init(policy, pas_freqs, get_gizmo_latency());
 
 out_unmap_sdcpwr:
@@ -204,6 +205,7 @@ static int pas_cpufreq_cpu_init(struct cpufreq_policy 
*policy)
 out_unmap_sdcasr:
iounmap(sdcasr_mapbase);
 out:
+   of_node_put(cpu);
return err;
 }
 
-- 
2.9.5



[PATCH v2] cpufreq/pasemi: fix an use-after-free in pas_cpufreq_cpu_init()

2019-07-08 Thread Wen Yang
The cpu variable is still being used in the of_get_property() call
after the of_node_put() call, which may result in use-after-free.

Fixes: a9acc26b75f ("cpufreq/pasemi: fix possible object reference leak")
Signed-off-by: Wen Yang 
Cc: "Rafael J. Wysocki" 
Cc: Viresh Kumar 
Cc: linuxppc-dev@lists.ozlabs.org
Cc: linux...@vger.kernel.org
Cc: linux-ker...@vger.kernel.org
---
v2: clean up the code according to the advice of viresh.

 drivers/cpufreq/pasemi-cpufreq.c | 10 +-
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/drivers/cpufreq/pasemi-cpufreq.c b/drivers/cpufreq/pasemi-cpufreq.c
index 6b1e4ab..c6d464b 100644
--- a/drivers/cpufreq/pasemi-cpufreq.c
+++ b/drivers/cpufreq/pasemi-cpufreq.c
@@ -128,20 +128,18 @@ static int pas_cpufreq_cpu_init(struct cpufreq_policy 
*policy)
int cur_astate, idx;
struct resource res;
struct device_node *cpu, *dn;
-   int err = -ENODEV;
+   int err;
 
cpu = of_get_cpu_node(policy->cpu, NULL);
-
-   of_node_put(cpu);
if (!cpu)
-   goto out;
+   return -ENODEV;
 
dn = of_find_compatible_node(NULL, NULL, "1682m-sdc");
if (!dn)
dn = of_find_compatible_node(NULL, NULL,
 "pasemi,pwrficient-sdc");
if (!dn)
-   goto out;
+   return -ENODEV;
err = of_address_to_resource(dn, 0, );
of_node_put(dn);
if (err)
@@ -196,6 +194,7 @@ static int pas_cpufreq_cpu_init(struct cpufreq_policy 
*policy)
policy->cur = pas_freqs[cur_astate].frequency;
ppc_proc_freq = policy->cur * 1000ul;
 
+   of_node_put(cpu);
return cpufreq_generic_init(policy, pas_freqs, get_gizmo_latency());
 
 out_unmap_sdcpwr:
@@ -204,6 +203,7 @@ static int pas_cpufreq_cpu_init(struct cpufreq_policy 
*policy)
 out_unmap_sdcasr:
iounmap(sdcasr_mapbase);
 out:
+   of_node_put(cpu);
return err;
 }
 
-- 
2.9.5



[PATCH] cpufreq/pasemi: fix an use-after-free in pas_cpufreq_cpu_init()

2019-07-08 Thread Wen Yang
The cpu variable is still being used in the of_get_property() call
after the of_node_put() call, which may result in use-after-free.

Fixes: a9acc26b75f ("cpufreq/pasemi: fix possible object reference leak")
Signed-off-by: Wen Yang 
Cc: "Rafael J. Wysocki" 
Cc: Viresh Kumar 
Cc: linuxppc-dev@lists.ozlabs.org
Cc: linux...@vger.kernel.org
Cc: linux-ker...@vger.kernel.org
---
 drivers/cpufreq/pasemi-cpufreq.c | 10 ++
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/drivers/cpufreq/pasemi-cpufreq.c b/drivers/cpufreq/pasemi-cpufreq.c
index 6b1e4ab..d2dd47b 100644
--- a/drivers/cpufreq/pasemi-cpufreq.c
+++ b/drivers/cpufreq/pasemi-cpufreq.c
@@ -132,7 +132,6 @@ static int pas_cpufreq_cpu_init(struct cpufreq_policy 
*policy)
 
cpu = of_get_cpu_node(policy->cpu, NULL);
 
-   of_node_put(cpu);
if (!cpu)
goto out;
 
@@ -141,15 +140,15 @@ static int pas_cpufreq_cpu_init(struct cpufreq_policy 
*policy)
dn = of_find_compatible_node(NULL, NULL,
 "pasemi,pwrficient-sdc");
if (!dn)
-   goto out;
+   goto out_put_cpu_node;
err = of_address_to_resource(dn, 0, );
of_node_put(dn);
if (err)
-   goto out;
+   goto out_put_cpu_node;
sdcasr_mapbase = ioremap(res.start + SDCASR_OFFSET, 0x2000);
if (!sdcasr_mapbase) {
err = -EINVAL;
-   goto out;
+   goto out_put_cpu_node;
}
 
dn = of_find_compatible_node(NULL, NULL, "1682m-gizmo");
@@ -177,6 +176,7 @@ static int pas_cpufreq_cpu_init(struct cpufreq_policy 
*policy)
err = -EINVAL;
goto out_unmap_sdcpwr;
}
+   of_node_put(cpu);
 
/* we need the freq in kHz */
max_freq = *max_freqp / 1000;
@@ -203,6 +203,8 @@ static int pas_cpufreq_cpu_init(struct cpufreq_policy 
*policy)
 
 out_unmap_sdcasr:
iounmap(sdcasr_mapbase);
+out_put_cpu_node:
+   of_node_put(cpu);
 out:
return err;
 }
-- 
2.9.5



[PATCH] powerpc: fix use-after-free on fixup_port_irq()

2019-07-05 Thread Wen Yang
There is a possible use-after-free issue in the fixup_port_irq():

460 static void __init fixup_port_irq(int index,
461   struct device_node *np,
462   struct plat_serial8250_port *port)
463 {
...
469 if (!virq && legacy_serial_infos[index].irq_check_parent) {
470 np = of_get_parent(np);  --> modified here.
...
474 of_node_put(np); ---> released here
475 }
...
481 #ifdef CONFIG_SERIAL_8250_FSL
482   if (of_device_is_compatible(np, "fsl,ns16550")) --> dereferenced here
...
484 #endif
485 }

We solve this problem by introducing a new parent_np variable.

Fixes: 9deaa53ac7fa ("serial: add irq handler for Freescale 16550 errata.")
Signed-off-by: Wen Yang 
Cc: Benjamin Herrenschmidt 
Cc: Paul Mackerras 
Cc: Michael Ellerman 
Cc: Rob Herring 
Cc: linuxppc-dev@lists.ozlabs.org
Cc: linux-ker...@vger.kernel.org
---
 arch/powerpc/kernel/legacy_serial.c | 9 +
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/arch/powerpc/kernel/legacy_serial.c 
b/arch/powerpc/kernel/legacy_serial.c
index 7cea597..0105f3e 100644
--- a/arch/powerpc/kernel/legacy_serial.c
+++ b/arch/powerpc/kernel/legacy_serial.c
@@ -461,17 +461,18 @@ static void __init fixup_port_irq(int index,
  struct device_node *np,
  struct plat_serial8250_port *port)
 {
+   struct device_node *parent_np;
unsigned int virq;
 
DBG("fixup_port_irq(%d)\n", index);
 
virq = irq_of_parse_and_map(np, 0);
if (!virq && legacy_serial_infos[index].irq_check_parent) {
-   np = of_get_parent(np);
-   if (np == NULL)
+   parent_np = of_get_parent(np);
+   if (parent_np == NULL)
return;
-   virq = irq_of_parse_and_map(np, 0);
-   of_node_put(np);
+   virq = irq_of_parse_and_map(parent_np, 0);
+   of_node_put(parent_np);
}
if (!virq)
return;
-- 
2.9.5



[PATCH] powerpc/83xx: fix use-after-free on mpc831x_usb_cfg()

2019-07-05 Thread Wen Yang
The np variable is still being used after the of_node_put() call,
which may result in use-after-free.
We fix this issue by calling of_node_put() after the last usage.
This patatch also do some cleanup.

Fixes: fd066e850351 ("powerpc/mpc8308: fix USB DR controller initialization")
Signed-off-by: Wen Yang 
Cc: Scott Wood 
Cc: Kumar Gala 
Cc: Benjamin Herrenschmidt 
Cc: Paul Mackerras 
Cc: Michael Ellerman 
Cc: linuxppc-dev@lists.ozlabs.org
Cc: linux-ker...@vger.kernel.org
---
 arch/powerpc/platforms/83xx/usb.c | 15 +++
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/arch/powerpc/platforms/83xx/usb.c 
b/arch/powerpc/platforms/83xx/usb.c
index 3d247d7..56b36fa 100644
--- a/arch/powerpc/platforms/83xx/usb.c
+++ b/arch/powerpc/platforms/83xx/usb.c
@@ -158,14 +158,11 @@ int mpc831x_usb_cfg(void)
 
iounmap(immap);
 
-   of_node_put(immr_node);
-
/* Map USB SOC space */
ret = of_address_to_resource(np, 0, );
-   if (ret) {
-   of_node_put(np);
-   return ret;
-   }
+   if (ret)
+   goto out_put_node;
+
usb_regs = ioremap(res.start, resource_size());
 
/* Using on-chip PHY */
@@ -174,7 +171,7 @@ int mpc831x_usb_cfg(void)
u32 refsel;
 
if (of_device_is_compatible(immr_node, "fsl,mpc8308-immr"))
-   goto out;
+   goto out_unmap;
 
if (of_device_is_compatible(immr_node, "fsl,mpc8315-immr"))
refsel = CONTROL_REFSEL_24MHZ;
@@ -201,8 +198,10 @@ int mpc831x_usb_cfg(void)
ret = -EINVAL;
}
 
-out:
+out_unmap:
iounmap(usb_regs);
+out_put_node:
+   of_node_put(immr_node);
of_node_put(np);
return ret;
 }
-- 
2.9.5



[PATCH] powerpc/prom: fix use-after-free on cpu_to_chip_id()

2019-07-05 Thread Wen Yang
The np variable is still being used after the of_node_put() call,
which may result in use-after-free.
We fix this issue by calling of_node_put() after the last usage.

Fixes: 3eb906c6b6c1 ("powerpc: Make cpu_to_chip_id() available when SMP=n")
Signed-off-by: Wen Yang 
Cc: Benjamin Herrenschmidt 
Cc: Paul Mackerras 
Cc: Michael Ellerman 
Cc: Christophe Leroy 
Cc: Andrew Morton 
Cc: Mike Rapoport 
Cc: Greg Kroah-Hartman 
Cc: "Aneesh Kumar K.V" 
Cc: Thomas Gleixner 
Cc: linuxppc-dev@lists.ozlabs.org
Cc: linux-ker...@vger.kernel.org
---
 arch/powerpc/kernel/prom.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/arch/powerpc/kernel/prom.c b/arch/powerpc/kernel/prom.c
index 7159e79..ad87b94 100644
--- a/arch/powerpc/kernel/prom.c
+++ b/arch/powerpc/kernel/prom.c
@@ -872,13 +872,15 @@ EXPORT_SYMBOL(of_get_ibm_chip_id);
 int cpu_to_chip_id(int cpu)
 {
struct device_node *np;
+   int id;
 
np = of_get_cpu_node(cpu, NULL);
if (!np)
return -1;
 
+   id = of_get_ibm_chip_id(np);
of_node_put(np);
-   return of_get_ibm_chip_id(np);
+   return id;
 }
 EXPORT_SYMBOL(cpu_to_chip_id);
 
-- 
2.9.5



[PATCH 6/7] cpufreq: pmac32: fix possible object reference leak

2019-03-31 Thread Wen Yang
The call to of_find_node_by_name returns a node pointer with refcount
incremented thus it must be explicitly decremented after the last
usage.

Detected by coccinelle with the following warnings:
./drivers/cpufreq/pmac32-cpufreq.c:557:2-8: ERROR: missing of_node_put; 
acquired a node pointer with refcount incremented on line 552, but without a 
corresponding object release within this function.
./drivers/cpufreq/pmac32-cpufreq.c:569:1-7: ERROR: missing of_node_put; 
acquired a node pointer with refcount incremented on line 552, but without a 
corresponding object release within this function.
./drivers/cpufreq/pmac32-cpufreq.c:598:1-7: ERROR: missing of_node_put; 
acquired a node pointer with refcount incremented on line 587, but without a 
corresponding object release within this function.

Signed-off-by: Wen Yang 
Cc: "Rafael J. Wysocki" 
Cc: Viresh Kumar 
Cc: Benjamin Herrenschmidt 
Cc: Paul Mackerras 
Cc: Michael Ellerman 
Cc: linux...@vger.kernel.org
Cc: linuxppc-dev@lists.ozlabs.org
Cc: linux-ker...@vger.kernel.org
---
 drivers/cpufreq/pmac32-cpufreq.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/cpufreq/pmac32-cpufreq.c b/drivers/cpufreq/pmac32-cpufreq.c
index 52f0d91..9b4ce2e 100644
--- a/drivers/cpufreq/pmac32-cpufreq.c
+++ b/drivers/cpufreq/pmac32-cpufreq.c
@@ -552,6 +552,7 @@ static int pmac_cpufreq_init_7447A(struct device_node 
*cpunode)
volt_gpio_np = of_find_node_by_name(NULL, "cpu-vcore-select");
if (volt_gpio_np)
voltage_gpio = read_gpio(volt_gpio_np);
+   of_node_put(volt_gpio_np);
if (!voltage_gpio){
pr_err("missing cpu-vcore-select gpio\n");
return 1;
@@ -588,6 +589,7 @@ static int pmac_cpufreq_init_750FX(struct device_node 
*cpunode)
if (volt_gpio_np)
voltage_gpio = read_gpio(volt_gpio_np);
 
+   of_node_put(volt_gpio_np);
pvr = mfspr(SPRN_PVR);
has_cpu_l2lve = !((pvr & 0xf00) == 0x100);
 
-- 
2.9.5



[PATCH 5/7] cpufreq/pasemi: fix possible object reference leak

2019-03-31 Thread Wen Yang
The call to of_get_cpu_node returns a node pointer with refcount
incremented thus it must be explicitly decremented after the last
usage.

Detected by coccinelle with the following warnings:
./drivers/cpufreq/pasemi-cpufreq.c:212:1-7: ERROR: missing of_node_put; 
acquired a node pointer with refcount incremented on line 147, but without a 
corresponding object release within this function.
./drivers/cpufreq/pasemi-cpufreq.c:220:1-7: ERROR: missing of_node_put; 
acquired a node pointer with refcount incremented on line 147, but without a 
corresponding object release within this function.

Signed-off-by: Wen Yang 
Cc: "Rafael J. Wysocki" 
Cc: Viresh Kumar 
Cc: linuxppc-dev@lists.ozlabs.org
Cc: linux...@vger.kernel.org
Cc: linux-ker...@vger.kernel.org
---
 drivers/cpufreq/pasemi-cpufreq.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/cpufreq/pasemi-cpufreq.c b/drivers/cpufreq/pasemi-cpufreq.c
index 75dfbd2..c7710c1 100644
--- a/drivers/cpufreq/pasemi-cpufreq.c
+++ b/drivers/cpufreq/pasemi-cpufreq.c
@@ -146,6 +146,7 @@ static int pas_cpufreq_cpu_init(struct cpufreq_policy 
*policy)
 
cpu = of_get_cpu_node(policy->cpu, NULL);
 
+   of_node_put(cpu);
if (!cpu)
goto out;
 
-- 
2.9.5



[PATCH 3/5] powerpc/powernv: fix possible object reference leak

2019-03-21 Thread Wen Yang
The call to of_find_node_by_path returns a node pointer with refcount
incremented thus it must be explicitly decremented after the last
usage.

Detected by coccinelle with the following warnings:
./arch/powerpc/platforms/powernv/opal.c:741:2-8: ERROR: missing of_node_put; 
acquired a node pointer with refcount incremented on line 733, but without a 
corresponding object release within this function.

Signed-off-by: Wen Yang 
Cc: Benjamin Herrenschmidt 
Cc: Paul Mackerras 
Cc: Michael Ellerman 
Cc: Nicholas Piggin 
Cc: Mike Rapoport 
Cc: Andrew Morton 
Cc: Mahesh Salgaonkar 
Cc: Haren Myneni 
Cc: linuxppc-dev@lists.ozlabs.org
Cc: linux-ker...@vger.kernel.org
---
 arch/powerpc/platforms/powernv/opal.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/powerpc/platforms/powernv/opal.c 
b/arch/powerpc/platforms/powernv/opal.c
index 2b0eca1..d7736a5 100644
--- a/arch/powerpc/platforms/powernv/opal.c
+++ b/arch/powerpc/platforms/powernv/opal.c
@@ -738,6 +738,7 @@ static void opal_export_attrs(void)
kobj = kobject_create_and_add("exports", opal_kobj);
if (!kobj) {
pr_warn("kobject_create_and_add() of exports failed\n");
+   of_node_put(np);
return;
}
 
-- 
2.9.5



[PATCH 5/5] powerpc/8xx: fix possible object reference leak

2019-03-21 Thread Wen Yang
The call to of_find_compatible_node returns a node pointer with refcount
incremented thus it must be explicitly decremented after the last
usage.
irq_domain_add_linear also calls of_node_get to increase refcount,
so irq_domain will not be affected when it is released.

Detected by coccinelle with the following warnings:
./arch/powerpc/platforms/8xx/pic.c:158:1-7: ERROR: missing of_node_put; 
acquired a node pointer with refcount incremented on line 136, but without a 
corresponding object release within this function.

Signed-off-by: Wen Yang 
Cc: Vitaly Bordug 
Cc: Benjamin Herrenschmidt 
Cc: Paul Mackerras 
Cc: Michael Ellerman 
Cc: linuxppc-dev@lists.ozlabs.org
Cc: linux-ker...@vger.kernel.org
---
 arch/powerpc/platforms/8xx/pic.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/powerpc/platforms/8xx/pic.c b/arch/powerpc/platforms/8xx/pic.c
index 8d5a25d..13d880b 100644
--- a/arch/powerpc/platforms/8xx/pic.c
+++ b/arch/powerpc/platforms/8xx/pic.c
@@ -155,6 +155,7 @@ int mpc8xx_pic_init(void)
ret = -ENOMEM;
goto out;
}
+   of_node_put(np);
return 0;
 
 out:
-- 
2.9.5



[PATCH 4/5] powerpc/embedded6xx: fix possible object reference leak

2019-03-21 Thread Wen Yang
The call to of_find_compatible_node returns a node pointer with refcount
incremented thus it must be explicitly decremented after the last
usage.

Detected by coccinelle with the following warnings:
./arch/powerpc/platforms/embedded6xx/mvme5100.c:89:2-8: ERROR: missing 
of_node_put; acquired a node pointer with refcount incremented on line 80, but 
without a corresponding object release within this function.

Signed-off-by: Wen Yang 
Cc: Benjamin Herrenschmidt 
Cc: Paul Mackerras 
Cc: Michael Ellerman 
Cc: linuxppc-dev@lists.ozlabs.org
Cc: linux-ker...@vger.kernel.org
---
 arch/powerpc/platforms/embedded6xx/mvme5100.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/powerpc/platforms/embedded6xx/mvme5100.c 
b/arch/powerpc/platforms/embedded6xx/mvme5100.c
index 273dfa3..660654f4 100644
--- a/arch/powerpc/platforms/embedded6xx/mvme5100.c
+++ b/arch/powerpc/platforms/embedded6xx/mvme5100.c
@@ -86,6 +86,7 @@ static void __init mvme5100_pic_init(void)
cirq = irq_of_parse_and_map(cp, 0);
if (!cirq) {
pr_warn("mvme5100_pic_init: no cascade interrupt?\n");
+   of_node_put(cp);
return;
}
 
-- 
2.9.5



[PATCH 2/5] powerpc/83xx: fix possible object reference leak

2019-03-21 Thread Wen Yang
The call to of_find_node_by_name returns a node pointer with refcount
incremented thus it must be explicitly decremented after the last
usage.

Detected by coccinelle with the following warnings:
./arch/powerpc/platforms/83xx/km83xx.c:68:2-8: ERROR: missing of_node_put; 
acquired a node pointer with refcount incremented on line 59, but without a 
corresponding object release within this function.

Signed-off-by: Wen Yang 
Cc: Scott Wood 
Cc: Kumar Gala 
Cc: Benjamin Herrenschmidt 
Cc: Paul Mackerras 
Cc: Michael Ellerman 
Cc: linuxppc-dev@lists.ozlabs.org
Cc: linux-ker...@vger.kernel.org
---
 arch/powerpc/platforms/83xx/km83xx.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/powerpc/platforms/83xx/km83xx.c 
b/arch/powerpc/platforms/83xx/km83xx.c
index d8642a4..11eea7c 100644
--- a/arch/powerpc/platforms/83xx/km83xx.c
+++ b/arch/powerpc/platforms/83xx/km83xx.c
@@ -65,6 +65,7 @@ static void quirk_mpc8360e_qe_enet10(void)
ret = of_address_to_resource(np_par, 0, );
if (ret) {
pr_warn("%s couldn;t map par_io registers\n", __func__);
+   of_node_put(np_par);
return;
}
 
-- 
2.9.5



[PATCH 1/5] powerpc/sparse: fix possible object reference leak

2019-03-21 Thread Wen Yang
The call to of_find_node_by_path returns a node pointer with refcount
incremented thus it must be explicitly decremented after the last
usage.

Detected by coccinelle with the following warnings:
./arch/powerpc/platforms/pseries/pseries_energy.c:101:1-7: ERROR: missing 
of_node_put; acquired a node pointer with refcount incremented on line 46, but 
without a corresponding object release within this function.
./arch/powerpc/platforms/pseries/pseries_energy.c:172:1-7: ERROR: missing 
of_node_put; acquired a node pointer with refcount incremented on line 111, but 
without a corresponding object release within this function.

Signed-off-by: Wen Yang 
Cc: Benjamin Herrenschmidt 
Cc: Paul Mackerras 
Cc: Michael Ellerman 
Cc: linuxppc-dev@lists.ozlabs.org
Cc: linux-ker...@vger.kernel.org
---
 arch/powerpc/platforms/pseries/pseries_energy.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/powerpc/platforms/pseries/pseries_energy.c 
b/arch/powerpc/platforms/pseries/pseries_energy.c
index 6ed2212..e3913e4 100644
--- a/arch/powerpc/platforms/pseries/pseries_energy.c
+++ b/arch/powerpc/platforms/pseries/pseries_energy.c
@@ -69,7 +69,7 @@ static u32 cpu_to_drc_index(int cpu)
 
of_read_drc_info_cell(, , );
if (strncmp(drc.drc_type, "CPU", 3))
-   goto err;
+   goto err_of_node_put;
 
if (thread_index < drc.last_drc_index)
break;
@@ -131,7 +131,7 @@ static int drc_index_to_cpu(u32 drc_index)
 
of_read_drc_info_cell(, , );
if (strncmp(drc.drc_type, "CPU", 3))
-   goto err;
+   goto err_of_node_put;
 
if (drc_index > drc.last_drc_index) {
cpu += drc.num_sequential_elems;
-- 
2.9.5



[PATCH 6/8] PCI: iproc: fix a leaked reference by adding missing of_node_put

2019-02-26 Thread Wen Yang
The call to of_parse_phandle returns a node pointer with refcount
incremented thus it must be explicitly decremented after the last
usage.
iproc_msi_init also calls of_node_get to increase refcount
(proc_msi_init -> iproc_msi_alloc_domains -> pci_msi_create_irq_domain
-> msi_create_irq_domain -> irq_domain_create_linear -> __irq_domain_add),
so irq_domain will not be affected when it is released.

Detected by coccinelle with the following warnings:
./drivers/pci/controller/pcie-iproc.c:1323:3-9: ERROR: missing of_node_put; 
acquired a node pointer with refcount incremented on line 1299, but without a 
corresponding object release within this function.
./drivers/pci/controller/pcie-iproc.c:1330:1-7: ERROR: missing of_node_put; 
acquired a node pointer with refcount incremented on line 1299, but without a 
corresponding object release within this function.

Signed-off-by: Wen Yang 
Cc: Lorenzo Pieralisi 
Cc: Bjorn Helgaas 
Cc: Ray Jui 
Cc: Scott Branden 
Cc: bcm-kernel-feedback-l...@broadcom.com
Cc: linux-...@vger.kernel.org
Cc: linux-arm-ker...@lists.infradead.org
Cc: linux-ker...@vger.kernel.org
---
 drivers/pci/controller/pcie-iproc.c | 8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/pci/controller/pcie-iproc.c 
b/drivers/pci/controller/pcie-iproc.c
index c20fd6b..9998c5c 100644
--- a/drivers/pci/controller/pcie-iproc.c
+++ b/drivers/pci/controller/pcie-iproc.c
@@ -1320,14 +1320,18 @@ static int iproc_pcie_msi_enable(struct iproc_pcie 
*pcie)
if (pcie->need_msi_steer) {
ret = iproc_pcie_msi_steer(pcie, msi_node);
if (ret)
-   return ret;
+   goto out_put_node;
}
 
/*
 * If another MSI controller is being used, the call below should fail
 * but that is okay
 */
-   return iproc_msi_init(pcie, msi_node);
+   ret = iproc_msi_init(pcie, msi_node);
+
+out_put_node:
+   of_node_put(msi_node);
+   return ret;
 }
 
 static void iproc_pcie_msi_disable(struct iproc_pcie *pcie)
-- 
2.9.5



[PATCH 7/8] PCI: mediatek: fix a leaked reference by adding missing of_node_put

2019-02-26 Thread Wen Yang
The call to of_get_next_child returns a node pointer with refcount
incremented thus it must be explicitly decremented after the last
usage.
irq_domain_add_linear also calls of_node_get to increase refcount,
so irq_domain will not be affected when it is released.

Detected by coccinelle with the following warnings:
./drivers/pci/controller/pcie-mediatek.c:577:2-8: ERROR: missing of_node_put; 
acquired a node pointer with refcount incremented on line 567, but without a 
corresponding object release within this function.
./drivers/pci/controller/pcie-mediatek.c:583:3-9: ERROR: missing of_node_put; 
acquired a node pointer with refcount incremented on line 567, but without a 
corresponding object release within this function.
./drivers/pci/controller/pcie-mediatek.c:586:1-7: ERROR: missing of_node_put; 
acquired a node pointer with refcount incremented on line 567, but without a 
corresponding object release within this function.

Signed-off-by: Wen Yang 
Cc: Ryder Lee 
Cc: Lorenzo Pieralisi 
Cc: Bjorn Helgaas 
Cc: Matthias Brugger 
Cc: linux-...@vger.kernel.org
Cc: linux-media...@lists.infradead.org
Cc: linux-ker...@vger.kernel.org
Cc: linux-arm-ker...@lists.infradead.org
---
 drivers/pci/controller/pcie-mediatek.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/pci/controller/pcie-mediatek.c 
b/drivers/pci/controller/pcie-mediatek.c
index 55e471c..e91716a 100644
--- a/drivers/pci/controller/pcie-mediatek.c
+++ b/drivers/pci/controller/pcie-mediatek.c
@@ -572,6 +572,7 @@ static int mtk_pcie_init_irq_domain(struct mtk_pcie_port 
*port,
 
port->irq_domain = irq_domain_add_linear(pcie_intc_node, PCI_NUM_INTX,
 _domain_ops, port);
+   of_node_put(pcie_intc_node);
if (!port->irq_domain) {
dev_err(dev, "failed to get INTx IRQ domain\n");
return -ENODEV;
-- 
2.9.5



[PATCH 8/8] PCI: rpadlpar: fix a leaked reference by adding missing of_node_put

2019-02-26 Thread Wen Yang
The call to of_find_node_by_name returns a node pointer with refcount
incremented thus it must be explicitly decremented after the last
usage.

Detected by coccinelle with the following warnings:
./drivers/pci/hotplug/rpadlpar_core.c:55:1-7: ERROR: missing of_node_put; 
acquired a node pointer with refcount incremented on line 42, but without a 
corresponding object release within this function

Signed-off-by: Wen Yang 
Cc: Tyrel Datwyler 
Cc: Benjamin Herrenschmidt 
Cc: Paul Mackerras 
Cc: Michael Ellerman 
Cc: Bjorn Helgaas 
Cc: linux-...@vger.kernel.org
Cc: linuxppc-dev@lists.ozlabs.org
Cc: linux-ker...@vger.kernel.org
---
 drivers/pci/hotplug/rpadlpar_core.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/pci/hotplug/rpadlpar_core.c 
b/drivers/pci/hotplug/rpadlpar_core.c
index e2356a9..f3f42ff 100644
--- a/drivers/pci/hotplug/rpadlpar_core.c
+++ b/drivers/pci/hotplug/rpadlpar_core.c
@@ -52,6 +52,7 @@ static struct device_node *find_vio_slot_node(char *drc_name)
break;
}
 
+   of_node_put(parent);
return dn;
 }
 
-- 
2.9.5



[PATCH 2/8] PCI: uniphier: fix a leaked reference by adding missing of_node_put

2019-02-26 Thread Wen Yang
The call to of_get_child_by_name returns a node pointer with refcount
incremented thus it must be explicitly decremented after the last
usage.
irq_domain_add_linear also calls of_node_get to increase refcount,
so irq_domain will not be affected when it is released.

Detected by coccinelle with the following warnings:
./drivers/pci/controller/dwc/pcie-uniphier.c:283:2-8: ERROR: missing 
of_node_put; acquired a node pointer with refcount incremented on line 274, but 
without a corresponding object release within this function.
./drivers/pci/controller/dwc/pcie-uniphier.c:290:2-8: ERROR: missing 
of_node_put; acquired a node pointer with refcount incremented on line 274, but 
without a corresponding object release within this function.
./drivers/pci/controller/dwc/pcie-uniphier.c:296:1-7: ERROR: missing 
of_node_put; acquired a node pointer with refcount incremented on line 274, but 
without a corresponding object release within this function.

Signed-off-by: Wen Yang 
Cc: Kunihiko Hayashi 
Cc: Lorenzo Pieralisi 
Cc: Bjorn Helgaas 
Cc: Masahiro Yamada 
Cc: linux-...@vger.kernel.org
Cc: linux-arm-ker...@lists.infradead.org
Cc: linux-ker...@vger.kernel.org
---
 drivers/pci/controller/dwc/pcie-uniphier.c | 11 ---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/drivers/pci/controller/dwc/pcie-uniphier.c 
b/drivers/pci/controller/dwc/pcie-uniphier.c
index d5dc402..3f30ee4 100644
--- a/drivers/pci/controller/dwc/pcie-uniphier.c
+++ b/drivers/pci/controller/dwc/pcie-uniphier.c
@@ -270,6 +270,7 @@ static int uniphier_pcie_config_legacy_irq(struct pcie_port 
*pp)
struct uniphier_pcie_priv *priv = to_uniphier_pcie(pci);
struct device_node *np = pci->dev->of_node;
struct device_node *np_intc;
+   int ret = 0;
 
np_intc = of_get_child_by_name(np, "legacy-interrupt-controller");
if (!np_intc) {
@@ -280,20 +281,24 @@ static int uniphier_pcie_config_legacy_irq(struct 
pcie_port *pp)
pp->irq = irq_of_parse_and_map(np_intc, 0);
if (!pp->irq) {
dev_err(pci->dev, "Failed to get an IRQ entry in 
legacy-interrupt-controller\n");
-   return -EINVAL;
+   ret = -EINVAL;
+   goto out_put_node;
}
 
priv->legacy_irq_domain = irq_domain_add_linear(np_intc, PCI_NUM_INTX,
_intx_domain_ops, pp);
if (!priv->legacy_irq_domain) {
dev_err(pci->dev, "Failed to get INTx domain\n");
-   return -ENODEV;
+   ret = -ENODEV;
+   goto out_put_node;
}
 
irq_set_chained_handler_and_data(pp->irq, uniphier_pcie_irq_handler,
 pp);
 
-   return 0;
+out_put_node:
+   of_node_put(np_intc);
+   return ret;
 }
 
 static int uniphier_pcie_host_init(struct pcie_port *pp)
-- 
2.9.5



[PATCH 4/8] PCI: rockchip: fix a leaked reference by adding missing of_node_put

2019-02-26 Thread Wen Yang
The call to of_get_child_by_name returns a node pointer with refcount
incremented thus it must be explicitly decremented after the last
usage.
irq_domain_add_linear also calls of_node_get to increase refcount,
so irq_domain will not be affected when it is released.

Detected by coccinelle with the following warnings:
./drivers/pci/controller/pcie-rockchip-host.c:729:2-8: ERROR: missing 
of_node_put; acquired a node pointer with refcount incremented on line 718, but 
without a corresponding object release within this function.
./drivers/pci/controller/pcie-rockchip-host.c:732:1-7: ERROR: missing 
of_node_put; acquired a node pointer with refcount incremented on line 718, but 
without a corresponding object release within this function.

Signed-off-by: Wen Yang 
Cc: Shawn Lin 
Cc: Lorenzo Pieralisi 
Cc: Bjorn Helgaas 
Cc: Heiko Stuebner 
Cc: linux-...@vger.kernel.org
Cc: linux-rockc...@lists.infradead.org
Cc: linux-arm-ker...@lists.infradead.org
Cc: linux-ker...@vger.kernel.org
---
 drivers/pci/controller/pcie-rockchip-host.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/pci/controller/pcie-rockchip-host.c 
b/drivers/pci/controller/pcie-rockchip-host.c
index 1372d27..8d20f17 100644
--- a/drivers/pci/controller/pcie-rockchip-host.c
+++ b/drivers/pci/controller/pcie-rockchip-host.c
@@ -724,6 +724,7 @@ static int rockchip_pcie_init_irq_domain(struct 
rockchip_pcie *rockchip)
 
rockchip->irq_domain = irq_domain_add_linear(intc, PCI_NUM_INTX,
_domain_ops, rockchip);
+   of_node_put(intc);
if (!rockchip->irq_domain) {
dev_err(dev, "failed to get a INTx IRQ domain\n");
return -EINVAL;
-- 
2.9.5



[PATCH 5/8] PCI: aardvark: fix a leaked reference by adding missing of_node_put

2019-02-26 Thread Wen Yang
The call to of_get_next_child returns a node pointer with refcount
incremented thus it must be explicitly decremented after the last
usage.
irq_domain_add_linear also calls of_node_get to increase refcount,
so irq_domain will not be affected when it is released.

Detected by coccinelle with the following warnings:
./drivers/pci/controller/pci-aardvark.c:826:1-7: ERROR: missing of_node_put; 
acquired a node pointer with refcount incremented on line 798, but without a 
corresponding object release within this function.

Signed-off-by: Wen Yang 
Cc: Thomas Petazzoni 
Cc: Lorenzo Pieralisi 
Cc: Bjorn Helgaas 
Cc: linux-...@vger.kernel.org
Cc: linux-arm-ker...@lists.infradead.org
Cc: linux-ker...@vger.kernel.org
---
 drivers/pci/controller/pci-aardvark.c | 13 -
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/drivers/pci/controller/pci-aardvark.c 
b/drivers/pci/controller/pci-aardvark.c
index 750081c..56ecb16 100644
--- a/drivers/pci/controller/pci-aardvark.c
+++ b/drivers/pci/controller/pci-aardvark.c
@@ -794,6 +794,7 @@ static int advk_pcie_init_irq_domain(struct advk_pcie *pcie)
struct device_node *node = dev->of_node;
struct device_node *pcie_intc_node;
struct irq_chip *irq_chip;
+   int ret = 0;
 
pcie_intc_node =  of_get_next_child(node, NULL);
if (!pcie_intc_node) {
@@ -806,8 +807,8 @@ static int advk_pcie_init_irq_domain(struct advk_pcie *pcie)
irq_chip->name = devm_kasprintf(dev, GFP_KERNEL, "%s-irq",
dev_name(dev));
if (!irq_chip->name) {
-   of_node_put(pcie_intc_node);
-   return -ENOMEM;
+   ret = -ENOMEM;
+   goto out_put_node;
}
 
irq_chip->irq_mask = advk_pcie_irq_mask;
@@ -819,11 +820,13 @@ static int advk_pcie_init_irq_domain(struct advk_pcie 
*pcie)
  _pcie_irq_domain_ops, pcie);
if (!pcie->irq_domain) {
dev_err(dev, "Failed to get a INTx IRQ domain\n");
-   of_node_put(pcie_intc_node);
-   return -ENOMEM;
+   ret = -ENOMEM;
+   goto out_put_node;
}
 
-   return 0;
+out_put_node:
+   of_node_put(pcie_intc_node);
+   return ret;
 }
 
 static void advk_pcie_remove_irq_domain(struct advk_pcie *pcie)
-- 
2.9.5



[PATCH 3/8] PCI: dwc: layerscape: fix a leaked reference by adding missing of_node_put

2019-02-26 Thread Wen Yang
The call to of_parse_phandle returns a node pointer with refcount
incremented thus it must be explicitly decremented after the last
usage.

Detected by coccinelle with the following warnings:
./drivers/pci/controller/dwc/pci-layerscape.c:204:1-7: ERROR: missing 
of_node_put; acquired a node pointer with refcount incremented on line 198, but 
without a corresponding object release within this function.

Signed-off-by: Wen Yang 
Cc: Minghuan Lian 
Cc: Mingkai Hu 
Cc: Roy Zang 
Cc: Lorenzo Pieralisi 
Cc: Bjorn Helgaas 
Cc: linuxppc-dev@lists.ozlabs.org
Cc: linux-...@vger.kernel.org
Cc: linux-arm-ker...@lists.infradead.org
Cc: linux-ker...@vger.kernel.org
---
 drivers/pci/controller/dwc/pci-layerscape.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/pci/controller/dwc/pci-layerscape.c 
b/drivers/pci/controller/dwc/pci-layerscape.c
index ce45bde2..3a5fa26 100644
--- a/drivers/pci/controller/dwc/pci-layerscape.c
+++ b/drivers/pci/controller/dwc/pci-layerscape.c
@@ -201,6 +201,7 @@ static int ls_pcie_msi_host_init(struct pcie_port *pp)
return -EINVAL;
}
 
+   of_node_put(msi_node);
return 0;
 }
 
-- 
2.9.5



[PATCH 1/8] PCI: dwc: pci-dra7xx: fix a leaked reference by adding missing of_node_put

2019-02-26 Thread Wen Yang
The call to of_get_next_child returns a node pointer with refcount
incremented thus it must be explicitly decremented after the last
usage.
irq_domain_add_linear also calls of_node_get to increase refcount,
so irq_domain will not be affected when it is released.

Detected by coccinelle with the following warnings:
./drivers/pci/controller/dwc/pci-dra7xx.c:252:2-8: ERROR: missing of_node_put; 
acquired a node pointer with refcount incremented on line 241, but without a 
corresponding object release within this function.
./drivers/pci/controller/dwc/pci-dra7xx.c:255:1-7: ERROR: missing of_node_put; 
acquired a node pointer with refcount incremented on line 241, but without a 
corresponding object release within this function.

Signed-off-by: Wen Yang 
Cc: Kishon Vijay Abraham I 
Cc: Lorenzo Pieralisi 
Cc: Bjorn Helgaas 
Cc: linux-o...@vger.kernel.org
Cc: linux-...@vger.kernel.org
Cc: linux-ker...@vger.kernel.org
---
 drivers/pci/controller/dwc/pci-dra7xx.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/pci/controller/dwc/pci-dra7xx.c 
b/drivers/pci/controller/dwc/pci-dra7xx.c
index ae84a69..627c91d 100644
--- a/drivers/pci/controller/dwc/pci-dra7xx.c
+++ b/drivers/pci/controller/dwc/pci-dra7xx.c
@@ -247,6 +247,7 @@ static int dra7xx_pcie_init_irq_domain(struct pcie_port *pp)
 
dra7xx->irq_domain = irq_domain_add_linear(pcie_intc_node, PCI_NUM_INTX,
   _domain_ops, pp);
+   of_node_put(pcie_intc_node);
if (!dra7xx->irq_domain) {
dev_err(dev, "Failed to get a INTx IRQ domain\n");
return -ENODEV;
-- 
2.9.5



[PATCH 1/3] ASoC: wcd9335: fix a leaked reference by adding missing of_node_put

2019-02-26 Thread Wen Yang
The call to of_parse_phandle returns a node pointer with refcount
incremented thus it must be explicitly decremented after the last
usage.

Detected by coccinelle with the following warnings:
./sound/soc/codecs/wcd9335.c:5193:2-8: ERROR: missing of_node_put; acquired a 
node pointer with refcount incremented on line 5183, but without a correspon
ding object release within this function.

Signed-off-by: Wen Yang 
Cc: Liam Girdwood 
Cc: Mark Brown 
Cc: Jaroslav Kysela 
Cc: Takashi Iwai 
Cc: Srinivas Kandagatla 
Cc: Vinod Koul 
Cc: Dan Carpenter  
(commit_signer:1/11=9%,authored:1/11=9%)
Cc: alsa-de...@alsa-project.org
Cc: linux-ker...@vger.kernel.org
---
 sound/soc/codecs/wcd9335.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sound/soc/codecs/wcd9335.c b/sound/soc/codecs/wcd9335.c
index 981f88a..a04a7ce 100644
--- a/sound/soc/codecs/wcd9335.c
+++ b/sound/soc/codecs/wcd9335.c
@@ -5188,6 +5188,7 @@ static int wcd9335_slim_status(struct slim_device *sdev,
 
wcd->slim = sdev;
wcd->slim_ifc_dev = of_slim_get_device(sdev->ctrl, ifc_dev_np);
+   of_node_put(ifc_dev_np);
if (!wcd->slim_ifc_dev) {
dev_err(dev, "Unable to get SLIM Interface device\n");
return -EINVAL;
-- 
2.9.5



[PATCH 3/3] ASoC: eukrea-tlv320: fix a leaked reference by adding missing of_node_put

2019-02-26 Thread Wen Yang
The call to of_parse_phandle returns a node pointer with refcount
incremented thus it must be explicitly decremented after the last
usage.

Detected by coccinelle with the following warnings:
./sound/soc/fsl/eukrea-tlv320.c:121:3-9: ERROR: missing of_node_put; acquired a 
node pointer with refcount incremented on line 102, but without a correspo
nding object release within this function.
./sound/soc/fsl/eukrea-tlv320.c:127:3-9: ERROR: missing of_node_put; acquired a 
node pointer with refcount incremented on line 102, but without a correspo
nding object release within this function.

Signed-off-by: Wen Yang 
Cc: Liam Girdwood 
Cc: Mark Brown 
Cc: Jaroslav Kysela 
Cc: Takashi Iwai 
Cc: alsa-de...@alsa-project.org
Cc: linux-ker...@vger.kernel.org
---
 sound/soc/fsl/eukrea-tlv320.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sound/soc/fsl/eukrea-tlv320.c b/sound/soc/fsl/eukrea-tlv320.c
index 191426a..30a3d68 100644
--- a/sound/soc/fsl/eukrea-tlv320.c
+++ b/sound/soc/fsl/eukrea-tlv320.c
@@ -118,13 +118,13 @@ static int eukrea_tlv320_probe(struct platform_device 
*pdev)
if (ret) {
dev_err(>dev,
"fsl,mux-int-port node missing or invalid.\n");
-   return ret;
+   goto err;
}
ret = of_property_read_u32(np, "fsl,mux-ext-port", _port);
if (ret) {
dev_err(>dev,
"fsl,mux-ext-port node missing or invalid.\n");
-   return ret;
+   goto err;
}
 
/*
-- 
2.9.5



[PATCH 2/3] ASoC: fsl_utils: fix a leaked reference by adding missing of_node_put

2019-02-26 Thread Wen Yang
The call to of_parse_phandle returns a node pointer with refcount
incremented thus it must be explicitly decremented after the last
usage.

Detected by coccinelle with the following warnings:
./sound/soc/fsl/fsl_utils.c:74:2-8: ERROR: missing of_node_put; acquired a node 
pointer with refcount incremented on line 38, but without a corresponding 
object release within this function.

Signed-off-by: Wen Yang 
Cc: Timur Tabi 
Cc: Nicolin Chen 
Cc: Xiubo Li 
Cc: Fabio Estevam 
Cc: Liam Girdwood 
Cc: Mark Brown 
Cc: Jaroslav Kysela 
Cc: Takashi Iwai 
Cc: alsa-de...@alsa-project.org
Cc: linuxppc-dev@lists.ozlabs.org
Cc: linux-ker...@vger.kernel.org
---
 sound/soc/fsl/fsl_utils.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sound/soc/fsl/fsl_utils.c b/sound/soc/fsl/fsl_utils.c
index 9981668..040d06b 100644
--- a/sound/soc/fsl/fsl_utils.c
+++ b/sound/soc/fsl/fsl_utils.c
@@ -71,6 +71,7 @@ int fsl_asoc_get_dma_channel(struct device_node *ssi_np,
iprop = of_get_property(dma_np, "cell-index", NULL);
if (!iprop) {
of_node_put(dma_np);
+   of_node_put(dma_channel_np);
return -EINVAL;
}
*dma_id = be32_to_cpup(iprop);
-- 
2.9.5



[PATCH 1/3] SoC: imx-sgtl5000: add missing put_device()

2019-02-18 Thread Wen Yang
The of_find_device_by_node() takes a reference to the underlying device
structure, we should release that reference.

Detected by coccinelle with the following warnings:
./sound/soc/fsl/imx-sgtl5000.c:169:1-7: ERROR: missing put_device;
call of_find_device_by_node on line 105, but without a corresponding
object release within this function.
./sound/soc/fsl/imx-sgtl5000.c:177:1-7: ERROR: missing put_device;
call of_find_device_by_node on line 105, but without a corresponding
object release within this function.

Signed-off-by: Wen Yang 
Cc: Timur Tabi 
Cc: Nicolin Chen 
Cc: Xiubo Li 
Cc: Fabio Estevam 
Cc: Liam Girdwood 
Cc: Mark Brown 
Cc: Jaroslav Kysela 
Cc: Takashi Iwai 
Cc: Shawn Guo 
Cc: Sascha Hauer 
Cc: Pengutronix Kernel Team 
Cc: NXP Linux Team 
Cc: alsa-de...@alsa-project.org
Cc: linuxppc-dev@lists.ozlabs.org
Cc: linux-arm-ker...@lists.infradead.org
Cc: linux-ker...@vger.kernel.org
---
 sound/soc/fsl/imx-sgtl5000.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sound/soc/fsl/imx-sgtl5000.c b/sound/soc/fsl/imx-sgtl5000.c
index b6cb80480b60..bf8597f57dce 100644
--- a/sound/soc/fsl/imx-sgtl5000.c
+++ b/sound/soc/fsl/imx-sgtl5000.c
@@ -108,6 +108,7 @@ static int imx_sgtl5000_probe(struct platform_device *pdev)
ret = -EPROBE_DEFER;
goto fail;
}
+   put_device(_pdev->dev);
codec_dev = of_find_i2c_device_by_node(codec_np);
if (!codec_dev) {
dev_dbg(>dev, "failed to find codec platform device\n");
-- 
2.20.1



[PATCH] ASoC: fsl-asoc-card: fix object reference leaks in fsl_asoc_card_probe

2019-02-02 Thread wen yang
The of_find_device_by_node() takes a reference to the underlying device
structure, we should release that reference.

Signed-off-by: Wen Yang 
Cc: Timur Tabi 
Cc: Nicolin Chen 
Cc: Xiubo Li 
Cc: Fabio Estevam 
Cc: Liam Girdwood 
Cc: Mark Brown 
Cc: Jaroslav Kysela 
Cc: Takashi Iwai 
Cc: alsa-de...@alsa-project.org
Cc: linuxppc-dev@lists.ozlabs.org
Cc: linux-ker...@vger.kernel.org
---
 sound/soc/fsl/fsl-asoc-card.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sound/soc/fsl/fsl-asoc-card.c b/sound/soc/fsl/fsl-asoc-card.c
index 81f2fe2..60f87a0 100644
--- a/sound/soc/fsl/fsl-asoc-card.c
+++ b/sound/soc/fsl/fsl-asoc-card.c
@@ -689,6 +689,7 @@ static int fsl_asoc_card_probe(struct platform_device *pdev)
 asrc_fail:
of_node_put(asrc_np);
of_node_put(codec_np);
+   put_device(_pdev->dev);
 fail:
of_node_put(cpu_np);
 
-- 
2.7.4



[PATCH] net/ibmvnic: Remove tests of member address

2018-12-10 Thread Wen Yang
The driver was checking for non-NULL address.
- adapter->napi[i]

This is pointless as these will be always non-NULL, since the
'dapter->napi' is allocated in init_napi().
It is safe to get rid of useless checks for addresses to fix the
coccinelle warning:
>>drivers/net/ethernet/ibm/ibmvnic.c: test of a variable/field address
Since such statements always return true, they are redundant.

Signed-off-by: Wen Yang 
CC: Benjamin Herrenschmidt 
CC: Paul Mackerras 
CC: Michael Ellerman 
CC: Thomas Falcon 
CC: John Allen 
CC: "David S. Miller" 
CC: linuxppc-dev@lists.ozlabs.org
CC: net...@vger.kernel.org
CC: linux-ker...@vger.kernel.org
---
 drivers/net/ethernet/ibm/ibmvnic.c | 7 ++-
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/drivers/net/ethernet/ibm/ibmvnic.c 
b/drivers/net/ethernet/ibm/ibmvnic.c
index ed50b8dee44f..14d00985f087 100644
--- a/drivers/net/ethernet/ibm/ibmvnic.c
+++ b/drivers/net/ethernet/ibm/ibmvnic.c
@@ -773,11 +773,8 @@ static void release_napi(struct ibmvnic_adapter *adapter)
return;
 
for (i = 0; i < adapter->num_active_rx_napi; i++) {
-   if (>napi[i]) {
-   netdev_dbg(adapter->netdev,
-  "Releasing napi[%d]\n", i);
-   netif_napi_del(>napi[i]);
-   }
+   netdev_dbg(adapter->netdev, "Releasing napi[%d]\n", i);
+   netif_napi_del(>napi[i]);
}
 
kfree(adapter->napi);
-- 
2.19.1



[PATCH 2/4] soc/fsl/qe: fix potential NULL pointer dereference in ucc_of_parse_tdm

2018-11-21 Thread Wen Yang
This patch fixes a possible null pointer dereference in
ucc_of_parse_tdm, detected by the semantic patch
deref_null.cocci, with the following warning:

./drivers/soc/fsl/qe/qe_tdm.c:177:21-24: ERROR: pdev is NULL but dereferenced.

The following code has potential null pointer references:
pdev = of_find_device_by_node(np2);
if (!pdev) {
ret = -EINVAL;
pr_err("%pOFn: failed to lookup pdev\n", np2);
of_node_put(np2);
goto err_miss_siram_property;
}
...
err_miss_siram_property:
devm_iounmap(>dev, utdm->si_regs);

Signed-off-by: Wen Yang 
Reviewed-by: Tan Hu 
CC: Julia Lawall 
---
 drivers/soc/fsl/qe/qe_tdm.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/soc/fsl/qe/qe_tdm.c b/drivers/soc/fsl/qe/qe_tdm.c
index f78c346..166378b 100644
--- a/drivers/soc/fsl/qe/qe_tdm.c
+++ b/drivers/soc/fsl/qe/qe_tdm.c
@@ -174,7 +174,8 @@ int ucc_of_parse_tdm(struct device_node *np, struct ucc_tdm 
*utdm,
return ret;
 
 err_miss_siram_property:
-   devm_iounmap(>dev, utdm->si_regs);
+   if (pdev)
+   devm_iounmap(>dev, utdm->si_regs);
return ret;
 }
 EXPORT_SYMBOL(ucc_of_parse_tdm);
-- 
2.9.5