[PATCH v2 1/2] powerpc: cell: cbe_regs: Fix refcount bugs

From: Liang He <windhl@126.com>
To: arnd@arndb.de, mpe@ellerman.id.au, benh@kernel.crashing.org,
	paulus@samba.org, linuxppc-dev@lists.ozlabs.org, windhl@126.com
Subject: [PATCH v2 1/2] powerpc: cell: cbe_regs: Fix refcount bugs
Date: Fri,  1 Jul 2022 22:49:48 +0800	[thread overview]
Message-ID: <20220701144949.252364-1-windhl@126.com> (raw)

There are several bugs as following:

(1) In cbe_get_be_node(), we should hold the reference returned by
    of_find_xxx and of_get_xxx OF APIs and use it to call of_node_put
(2) In cbe_fill_regs_map(), we should same as above
(3) In cbe_regs_init(), during the iteration of for_each_node_by_type(),
    the refcount of 'cpu' will be automatically increased and decreased.
    However, there is a reference escaped out into 'map->cpu_node' and
    we should properly handle it.

Signed-off-by: Liang He <windhl@126.com>
---
 chagelog:

 v2: (1) split v1's two files in to two commits
     (2) merge all bugs for cbe_regs.c
     (3) using 'check-then-put' coding style
 v1: only detect bug (1)

 v1-link: https://lore.kernel.org/all/20220621075333.4081413-1-windhl@126.com/


 arch/powerpc/platforms/cell/cbe_regs.c | 40 +++++++++++++++++++-------
 1 file changed, 30 insertions(+), 10 deletions(-)

diff --git a/arch/powerpc/platforms/cell/cbe_regs.c b/arch/powerpc/platforms/cell/cbe_regs.c
index 316e533afc00..3fd3634aa515 100644
--- a/arch/powerpc/platforms/cell/cbe_regs.c
+++ b/arch/powerpc/platforms/cell/cbe_regs.c
@@ -182,9 +182,19 @@ static struct device_node *__init cbe_get_be_node(int cpu_id)
 		if (WARN_ON_ONCE(!cpu_handle))
 			return np;
 
-		for (i=0; i<len; i++)
-			if (of_find_node_by_phandle(cpu_handle[i]) == of_get_cpu_node(cpu_id, NULL))
+		for (i=0; i<len; i++) {
+			struct device_node *ch_np = of_find_node_by_phandle(cpu_handle[i]);
+			struct device_node *ci_np = of_get_cpu_node(cpu_id, NULL);
+
+			if (ch_np == ci_np) {
+				of_node_put(ch_np);
+				of_node_put(ci_np);
 				return np;
+			}
+
+			of_node_put(ch_np);
+			of_node_put(ci_np);
+		}
 	}
 
 	return NULL;
@@ -193,21 +203,30 @@ static struct device_node *__init cbe_get_be_node(int cpu_id)
 static void __init cbe_fill_regs_map(struct cbe_regs_map *map)
 {
 	if(map->be_node) {
-		struct device_node *be, *np;
+		struct device_node *be, *np, *parent_np;
 
 		be = map->be_node;
 
-		for_each_node_by_type(np, "pervasive")
-			if (of_get_parent(np) == be)
+		for_each_node_by_type(np, "pervasive") {
+			parent_np = of_get_parent(np);
+			if (parent_np == be)
 				map->pmd_regs = of_iomap(np, 0);
+			of_node_put(parent_np);
+		}
 
-		for_each_node_by_type(np, "CBEA-Internal-Interrupt-Controller")
-			if (of_get_parent(np) == be)
+		for_each_node_by_type(np, "CBEA-Internal-Interrupt-Controller") {
+			parent_np = of_get_parent(np);
+			if (parent_np == be)
 				map->iic_regs = of_iomap(np, 2);
+			of_node_put(parent_np);
+		}
 
-		for_each_node_by_type(np, "mic-tm")
-			if (of_get_parent(np) == be)
+		for_each_node_by_type(np, "mic-tm") {
+			parent_np = of_get_parent(np);
+			if (parent_np == be)
 				map->mic_tm_regs = of_iomap(np, 0);
+			of_node_put(parent_np);
+		}
 	} else {
 		struct device_node *cpu;
 		/* That hack must die die die ! */
@@ -261,7 +280,8 @@ void __init cbe_regs_init(void)
 			of_node_put(cpu);
 			return;
 		}
-		map->cpu_node = cpu;
+		of_node_put(map->cpu_node);
+		map->cpu_node = of_node_get(cpu);
 
 		for_each_possible_cpu(i) {
 			struct cbe_thread_map *thread = &cbe_thread_map[i];
-- 
2.25.1

