--- /dev/null
+From c483a5cc9d09f4ceaa9abb106f863cc89cb643d9 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 27 Aug 2018 10:21:48 +0200
+Subject: mmc: meson-mx-sdio: fix OF child-node lookup
+
+From: Johan Hovold <johan@kernel.org>
+
+commit c483a5cc9d09f4ceaa9abb106f863cc89cb643d9 upstream.
+
+Use the new of_get_compatible_child() helper to lookup the slot child
+node instead of using of_find_compatible_node(), which searches the
+entire tree from a given start node and thus can return an unrelated
+(i.e. non-child) node.
+
+This also addresses a potential use-after-free (e.g. after probe
+deferral) as the tree-wide helper drops a reference to its first
+argument (i.e. the node of the device being probed).
+
+While at it, also fix up the related slot-node reference leak.
+
+Fixes: ed80a13bb4c4 ("mmc: meson-mx-sdio: Add a driver for the Amlogic Meson8 and Meson8b SoCs")
+Cc: stable <stable@vger.kernel.org> # 4.15
+Cc: Carlo Caione <carlo@endlessm.com>
+Cc: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Cc: Ulf Hansson <ulf.hansson@linaro.org>
+Acked-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/meson-mx-sdio.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/mmc/host/meson-mx-sdio.c
++++ b/drivers/mmc/host/meson-mx-sdio.c
+@@ -517,19 +517,23 @@ static struct mmc_host_ops meson_mx_mmc_
+ static struct platform_device *meson_mx_mmc_slot_pdev(struct device *parent)
+ {
+ struct device_node *slot_node;
++ struct platform_device *pdev;
+
+ /*
+ * TODO: the MMC core framework currently does not support
+ * controllers with multiple slots properly. So we only register
+ * the first slot for now
+ */
+- slot_node = of_find_compatible_node(parent->of_node, NULL, "mmc-slot");
++ slot_node = of_get_compatible_child(parent->of_node, "mmc-slot");
+ if (!slot_node) {
+ dev_warn(parent, "no 'mmc-slot' sub-node found\n");
+ return ERR_PTR(-ENOENT);
+ }
+
+- return of_platform_device_create(slot_node, NULL, parent);
++ pdev = of_platform_device_create(slot_node, NULL, parent);
++ of_node_put(slot_node);
++
++ return pdev;
+ }
+
+ static int meson_mx_mmc_add_host(struct meson_mx_mmc_host *host)
--- /dev/null
+From 36156f9241cb0f9e37d998052873ca7501ad4b36 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 27 Aug 2018 10:21:45 +0200
+Subject: of: add helper to lookup compatible child node
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 36156f9241cb0f9e37d998052873ca7501ad4b36 upstream.
+
+Add of_get_compatible_child() helper that can be used to lookup
+compatible child nodes.
+
+Several drivers currently use of_find_compatible_node() to lookup child
+nodes while failing to notice that the of_find_ functions search the
+entire tree depth-first (from a given start node) and therefore can
+match unrelated nodes. The fact that these functions also drop a
+reference to the node they start searching from (e.g. the parent node)
+is typically also overlooked, something which can lead to use-after-free
+bugs.
+
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/of/base.c | 25 +++++++++++++++++++++++++
+ include/linux/of.h | 8 ++++++++
+ 2 files changed, 33 insertions(+)
+
+--- a/drivers/of/base.c
++++ b/drivers/of/base.c
+@@ -723,6 +723,31 @@ struct device_node *of_get_next_availabl
+ EXPORT_SYMBOL(of_get_next_available_child);
+
+ /**
++ * of_get_compatible_child - Find compatible child node
++ * @parent: parent node
++ * @compatible: compatible string
++ *
++ * Lookup child node whose compatible property contains the given compatible
++ * string.
++ *
++ * Returns a node pointer with refcount incremented, use of_node_put() on it
++ * when done; or NULL if not found.
++ */
++struct device_node *of_get_compatible_child(const struct device_node *parent,
++ const char *compatible)
++{
++ struct device_node *child;
++
++ for_each_child_of_node(parent, child) {
++ if (of_device_is_compatible(child, compatible))
++ break;
++ }
++
++ return child;
++}
++EXPORT_SYMBOL(of_get_compatible_child);
++
++/**
+ * of_get_child_by_name - Find the child node by name for a given parent
+ * @node: parent node
+ * @name: child name to look for.
+--- a/include/linux/of.h
++++ b/include/linux/of.h
+@@ -290,6 +290,8 @@ extern struct device_node *of_get_next_c
+ extern struct device_node *of_get_next_available_child(
+ const struct device_node *node, struct device_node *prev);
+
++extern struct device_node *of_get_compatible_child(const struct device_node *parent,
++ const char *compatible);
+ extern struct device_node *of_get_child_by_name(const struct device_node *node,
+ const char *name);
+
+@@ -632,6 +634,12 @@ static inline bool of_have_populated_dt(
+ return false;
+ }
+
++static inline struct device_node *of_get_compatible_child(const struct device_node *parent,
++ const char *compatible)
++{
++ return NULL;
++}
++
+ static inline struct device_node *of_get_child_by_name(
+ const struct device_node *node,
+ const char *name)
projects / thirdparty / kernel / stable-queue.git / commitdiff
