[PATCH v2 RESEND] coresight: etm-perf: Fix reference count leak in etm_setup_aux
Leo Yan
leo.yan at arm.com
Fri Dec 19 03:38:03 PST 2025
On Fri, Dec 19, 2025 at 09:59:54AM +0000, Suzuki K Poulose wrote:
[...]
> > diff --git a/drivers/hwtracing/coresight/coresight-platform.c b/drivers/hwtracing/coresight/coresight-platform.c
> > index 0db64c5f4995..2b34f818ba88 100644
> > --- a/drivers/hwtracing/coresight/coresight-platform.c
> > +++ b/drivers/hwtracing/coresight/coresight-platform.c
> > @@ -107,14 +107,16 @@ coresight_find_device_by_fwnode(struct fwnode_handle *fwnode)
> > * platform bus.
> > */
> > dev = bus_find_device_by_fwnode(&platform_bus_type, fwnode);
> > - if (dev)
> > - return dev;
> > /*
> > * We have a configurable component - circle through the AMBA bus
> > * looking for the device that matches the endpoint node.
> > */
> > - return bus_find_device_by_fwnode(&amba_bustype, fwnode);
> > + if (!dev)
> > + dev = bus_find_device_by_fwnode(&amba_bustype, fwnode);
> > +
> > + put_device(dev);
>
> ^^ NAK, see below.
>
> > + return dev;
> > }
> > /*
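Review bot: The unconditional put_device(dev) directly before "return dev;" means coresight_find_device_by_fwnode() now returns a pointer whose reference has already been dropped, so any caller that dereferences it can race with the device being released. If callers only need to know whether the device is present on the platform or AMBA bus, return a bool (or an error code) instead of the struct device pointer so the result cannot be dereferenced. Otherwise keep returning the referenced pointer and leave the put_device() to the caller. Either way, the function comment should state who owns the reference. Note also that when both lookups fail the new code calls put_device() with a NULL dev. That is harmless because put_device() ignores NULL, but an explicit "if (dev)" would make the intent clear.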
> > @@ -274,7 +276,6 @@ static int of_coresight_parse_endpoint(struct device *dev,
> > of_node_put(rparent);
> > of_node_put(rep);
> > - put_device(rdev);
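Review bot: Removing "put_device(rdev);" in of_coresight_parse_endpoint() is only safe if rdev is never dereferenced after the lookup, and the visible context does not show that. With the helper now dropping the reference itself, this removal avoids a double put, but it also leaves every remaining use of rdev in this function without a reference. If rdev is only compared against NULL to decide on probe deferral, make that explicit by having the helper return a presence result rather than a pointer. If rdev is used beyond that, keep the reference in the helper and keep this put_device(rdev) after the last use.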
>
> This doesn't look good. We can't use the "dev" reliably without the
> reference count. We are opening up use-after-free.
My understanding is we don't grab a device from
coresight_find_device_by_fwnode(). The callers only check whether the
device is present on the bus; if it isn't, the driver defers probe.
This is similar to coresight_find_csdev_by_fwnode(), which calls
put_device(dev) to release refcnt immediately. This is why I
suggested the change, so the two functions behave consistently.
Thanks,
Leo