On 19/12/2025 11:38, Leo Yan wrote:
On Fri, Dec 19, 2025 at 09:59:54AM +0000, Suzuki K Poulose wrote:
[...]
diff --git a/drivers/hwtracing/coresight/coresight-platform.c b/drivers/hwtracing/coresight/coresight-platform.c index 0db64c5f4995..2b34f818ba88 100644 --- a/drivers/hwtracing/coresight/coresight-platform.c +++ b/drivers/hwtracing/coresight/coresight-platform.c @@ -107,14 +107,16 @@ coresight_find_device_by_fwnode(struct fwnode_handle *fwnode) * platform bus. */ dev = bus_find_device_by_fwnode(&platform_bus_type, fwnode);
- if (dev)
/*return dev;*/
- We have a configurable component - circle through the AMBA bus
- looking for the device that matches the endpoint node.
- return bus_find_device_by_fwnode(&amba_bustype, fwnode);
- if (!dev)
dev = bus_find_device_by_fwnode(&amba_bustype, fwnode);- put_device(dev);
^^ NAK, see below.
- return dev; } /*
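Review bot: coresight_find_device_by_fwnode() calls put_device(dev) directly before return dev, so the function hands its caller a pointer whose reference has already been dropped. That is only safe while every caller treats the result as a NULL test and never dereferences it, and neither the function name nor the visible comment says so. Consider returning a bool from a helper named for a presence check, or at least documenting on the function that the returned pointer must not be dereferenced. The NULL case itself is fine, since put_device() ignores a NULL argument.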
@@ -274,7 +276,6 @@ static int of_coresight_parse_endpoint(struct device *dev, of_node_put(rparent); of_node_put(rep);
- put_device(rdev);
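Review bot: with put_device(rdev) no longer in of_coresight_parse_endpoint(), rdev is an unreferenced pointer for the rest of the function, and the visible context does not show how it is used after the lookup. Please confirm that nothing past this point dereferences rdev or stores it; if the only use is the presence test, make the lookup return a bool so the caller never holds the pointer at all.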
This doesn't look good. We can't use the "dev" reliably without the reference count. We are opening up use-after-free.
My understanding is we don't grab a device from coresight_find_device_by_fwnode(). The callers only check whether the device is present on the bus; if it isn't, the driver defers probe.
This is similar to coresight_find_csdev_by_fwnode(), which calls put_device(dev) to release refcnt immediately. This is why I suggested the change, so the two functions behave consistently.
I see, sorry. I saw some other uses of the device, but clearly I was wrong. Maybe we should simply restructure the function to:
    bool coresight_fwnode_device_present(fwnode)
    {
        // find and drop the ref if required.
        return true/false;
    }
The name "find_device_by_fwnode" and returning a freed reference doesn't look good to me.
Suzuki
Thanks, Leo
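The restructuring proposed at the end of the thread, as an added user-space model in C; it is not code from the thread or from the CoreSight driver. Only the name coresight_fwnode_device_present comes from the thread. The model_* names, the string standing in for the fwnode, the int standing in for the refcount and the sample bus contents are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define EPROBE_DEFER 517	/* value used by the kernel, redefined for this model */
/* Model only: a string stands in for the fwnode, an int for the refcount. */
struct model_dev { const char *fwnode; int refcount; };
/* Constructed bus contents: each device starts with its registration ref. */
static struct model_dev model_bus[] = { { "etm0", 1 }, { "funnel0", 1 } };

/* Stand-in for put_device(): NULL is a no-op, as in the kernel helper. */
static void model_put(struct model_dev *dev)
{
	if (dev)
		dev->refcount--;
}

/* Stand-in for bus_find_device_by_fwnode(): a hit returns with a ref held. */
static struct model_dev *model_find(const char *fwnode)
{
	for (size_t i = 0; i < sizeof(model_bus) / sizeof(model_bus[0]); i++) {
		if (strcmp(model_bus[i].fwnode, fwnode) == 0) {
			model_bus[i].refcount++;
			return &model_bus[i];
		}
	}
	return NULL;
}

/* Name from the thread: the ref is dropped here and only a bool escapes. */
static bool coresight_fwnode_device_present(const char *fwnode)
{
	struct model_dev *dev = model_find(fwnode);
	bool present = dev != NULL;	/* decide before the ref goes away */

	model_put(dev);
	return present;
}

/* Hypothetical caller: defer probe when the remote device is not there yet. */
static int model_parse_endpoint(const char *remote_fwnode)
{
	return coresight_fwnode_device_present(remote_fwnode) ? 0 : -EPROBE_DEFER;
}

int main(void)
{
	printf("etm0=%d tpiu0=%d\n", model_parse_endpoint("etm0"), model_parse_endpoint("tpiu0"));
	return 0;
}
```

Because the helper returns a bool, no caller can hold the device pointer past the point where its reference was dropped, and the refcount is balanced on both the found and the not-found path.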