wifi: ath12k: fix OF node refcount imbalance in WSI graph traversal

ath12k_core_get_wsi_info() traverses the WSI (Wired Serial Interface)
device graph starting from dev->of_node. The current code uses
dev->of_node directly as the local traversal pointer and calls
of_node_put() on error.

Since the driver does not own a reference to dev->of_node, dropping it
during traversal results in the following OF refcount underflow:

OF: ERROR: of_node_release() detected bad of_node_put() on /soc@0/wifi@c000000
CPU: 1 UID: 0 PID: 210 Comm: insmod Not tainted 6.19.0-rc4-next-20260109-00023-g797dd36dc178 #26 PREEMPT
Hardware name: Qualcomm Technologies, Inc. IPQ5332 MI01.2 (DT)
Call trace:
 show_stack+0x18/0x24 (C)
 dump_stack_lvl+0x60/0x80
 dump_stack+0x18/0x24
 of_node_release+0x164/0x1a0
 kobject_put+0xb4/0x278
 of_node_put+0x18/0x28
 ath12k_core_init+0x29c/0x5d4 [ath12k]
 ath12k_ahb_probe+0x950/0xc14 [ath12k]
 platform_probe+0x5c/0xa4
 really_probe+0xc0/0x3ec
 __driver_probe_device+0x80/0x170
 driver_probe_device+0x3c/0x120
 __driver_attach+0xc4/0x218
OF: ERROR: next of_node_put() on this node will result in a kobject warning 'refcount_t: underflow; use-after-free.'

Fix this by explicitly acquiring a reference to the starting node
using of_node_get() and attaching automatic cleanup via
__free(device_node).

Each discovered WSI node is stored in ag->wsi_node[] with its own
of_node_get() reference. These references are later released in
ath12k_core_free_wsi_info() during driver teardown.

Also remove unnecessary memset() of wsi_node array since cleanup now
explicitly sets pointers to NULL.

Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.6-01243-QCAHKSWPL_SILICONZ-1
Tested-on: IPQ5332 hw1.0 AHB WLAN.WBE.1.6-01275-QCAHKSWPL_SILICONZ-1

Fixes: 908c10c860e0 ("wifi: ath12k: parse multiple device information from Device Tree")
Signed-off-by: Aaradhana Sahu <aaradhana.sahu@oss.qualcomm.com>
Reviewed-by: Rameshkumar Sundaram <rameshkumar.sundaram@oss.qualcomm.com>
Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
Link: https://patch.msgid.link/20260410071300.2323603-1-aaradhana.sahu@oss.qualcomm.com
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>

diff --git a/drivers/net/wireless/ath/ath12k/core.c b/drivers/net/wireless/ath/ath12k/core.c
index 2519e2400d589187ce40086ef719b65a27080928..980a12fb2c6e7eec8a004fb77bd113e1b7151c10 100644 (file)
--- a/drivers/net/wireless/ath/ath12k/core.c
+++ b/drivers/net/wireless/ath/ath12k/core.c
@@ -1838,10 +1838,22 @@ static struct ath12k_hw_group *ath12k_core_hw_group_alloc(struct ath12k_base *ab
        return ag;
 }
 
+static void ath12k_core_free_wsi_info(struct ath12k_hw_group *ag)
+{
+       int i;
+
+       for (i = 0; i < ag->num_devices; i++) {
+               of_node_put(ag->wsi_node[i]);
+               ag->wsi_node[i] = NULL;
+       }
+       ag->num_devices = 0;
+}
+
 static void ath12k_core_hw_group_free(struct ath12k_hw_group *ag)
 {
        mutex_lock(&ath12k_hw_group_mutex);
 
+       ath12k_core_free_wsi_info(ag);
        list_del(&ag->list);
        kfree(ag);
 
@@ -1867,52 +1879,59 @@ static struct ath12k_hw_group *ath12k_core_hw_group_find_by_dt(struct ath12k_bas
 static int ath12k_core_get_wsi_info(struct ath12k_hw_group *ag,
                                    struct ath12k_base *ab)
 {
-       struct device_node *wsi_dev = ab->dev->of_node, *next_wsi_dev;
-       struct device_node *tx_endpoint, *next_rx_endpoint;
-       int device_count = 0;
-
-       next_wsi_dev = wsi_dev;
+       struct device_node *next_wsi_dev;
+       int device_count = 0, ret = 0;
+       struct device_node *wsi_dev;
 
-       if (!next_wsi_dev)
+       wsi_dev = of_node_get(ab->dev->of_node);
+       if (!wsi_dev)
                return -ENODEV;
 
        do {
-               ag->wsi_node[device_count] = next_wsi_dev;
+               if (device_count >= ATH12K_MAX_DEVICES) {
+                       ath12k_warn(ab, "device count in DT %d is more than limit %d\n",
+                                   device_count, ATH12K_MAX_DEVICES);
+                       ret = -EINVAL;
+                       break;
+               }
+
+               ag->wsi_node[device_count++] = of_node_get(wsi_dev);
 
-               tx_endpoint = of_graph_get_endpoint_by_regs(next_wsi_dev, 0, -1);
+               struct device_node *tx_endpoint __free(device_node) =
+                                       of_graph_get_endpoint_by_regs(wsi_dev, 0, -1);
                if (!tx_endpoint) {
-                       of_node_put(next_wsi_dev);
-                       return -ENODEV;
+                       ret = -ENODEV;
+                       break;
                }
 
-               next_rx_endpoint = of_graph_get_remote_endpoint(tx_endpoint);
+               struct device_node *next_rx_endpoint __free(device_node) =
+                                       of_graph_get_remote_endpoint(tx_endpoint);
                if (!next_rx_endpoint) {
-                       of_node_put(next_wsi_dev);
-                       of_node_put(tx_endpoint);
-                       return -ENODEV;
+                       ret = -ENODEV;
+                       break;
                }
 
-               of_node_put(tx_endpoint);
-               of_node_put(next_wsi_dev);
-
                next_wsi_dev = of_graph_get_port_parent(next_rx_endpoint);
                if (!next_wsi_dev) {
-                       of_node_put(next_rx_endpoint);
-                       return -ENODEV;
+                       ret = -ENODEV;
+                       break;
                }
 
-               of_node_put(next_rx_endpoint);
+               of_node_put(wsi_dev);
+               wsi_dev = next_wsi_dev;
+       } while (ab->dev->of_node != wsi_dev);
 
-               device_count++;
-               if (device_count > ATH12K_MAX_DEVICES) {
-                       ath12k_warn(ab, "device count in DT %d is more than limit %d\n",
-                                   device_count, ATH12K_MAX_DEVICES);
-                       of_node_put(next_wsi_dev);
-                       return -EINVAL;
+       if (ret) {
+               while (--device_count >= 0) {
+                       of_node_put(ag->wsi_node[device_count]);
+                       ag->wsi_node[device_count] = NULL;
                }
-       } while (wsi_dev != next_wsi_dev);
 
-       of_node_put(next_wsi_dev);
+               of_node_put(wsi_dev);
+               return ret;
+       }
+
+       of_node_put(wsi_dev);
        ag->num_devices = device_count;
 
        return 0;
@@ -1983,9 +2002,9 @@ static struct ath12k_hw_group *ath12k_core_hw_group_assign(struct ath12k_base *a
                    ath12k_core_get_wsi_index(ag, ab)) {
                        ath12k_dbg(ab, ATH12K_DBG_BOOT,
                                   "unable to get wsi info from dt, grouping single device");
+                       ath12k_core_free_wsi_info(ag);
                        ag->id = ATH12K_INVALID_GROUP_ID;
                        ag->num_devices = 1;
-                       memset(ag->wsi_node, 0, sizeof(ag->wsi_node));
                        wsi->index = 0;
                }