i2c: qcom-cci: don't put a device tree node before i2c_add_adapter()

commit 02a4a69667a2ad32f3b52ca906f19628fbdd8a01 upstream.

There is a minor chance for a race, if a pointer to an i2c-bus subnode
is stored and then reused after releasing its reference, and it would
be sufficient to get one more reference under a loop over children
subnodes.

Fixes: e517526195de ("i2c: Add Qualcomm CCI I2C driver")
Signed-off-by: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
Reviewed-by: Robert Foss <robert.foss@linaro.org>
Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Signed-off-by: Wolfram Sang <wsa@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/i2c/busses/i2c-qcom-cci.c b/drivers/i2c/busses/i2c-qcom-cci.c
index fd4260d..cf54f1c 100644 (file)
--- a/drivers/i2c/busses/i2c-qcom-cci.c
+++ b/drivers/i2c/busses/i2c-qcom-cci.c
@@ -558,7 +558,7 @@ static int cci_probe(struct platform_device *pdev)
                cci->master[idx].adap.quirks = &cci->data->quirks;
                cci->master[idx].adap.algo = &cci_algo;
                cci->master[idx].adap.dev.parent = dev;
-               cci->master[idx].adap.dev.of_node = child;
+               cci->master[idx].adap.dev.of_node = of_node_get(child);
                cci->master[idx].master = idx;
                cci->master[idx].cci = cci;
 
@@ -643,8 +643,10 @@ static int cci_probe(struct platform_device *pdev)
                        continue;
 
                ret = i2c_add_adapter(&cci->master[i].adap);
-               if (ret < 0)
+               if (ret < 0) {
+                       of_node_put(cci->master[i].adap.dev.of_node);
                        goto error_i2c;
+               }
        }
 
        pm_runtime_set_autosuspend_delay(dev, MSEC_PER_SEC);
@@ -656,8 +658,10 @@ static int cci_probe(struct platform_device *pdev)
 
 error_i2c:
        for (--i ; i >= 0; i--) {
-               if (cci->master[i].cci)
+               if (cci->master[i].cci) {
                        i2c_del_adapter(&cci->master[i].adap);
+                       of_node_put(cci->master[i].adap.dev.of_node);
+               }
        }
 error:
        disable_irq(cci->irq);
@@ -673,8 +677,10 @@ static int cci_remove(struct platform_device *pdev)
        int i;
 
        for (i = 0; i < cci->data->num_masters; i++) {
-               if (cci->master[i].cci)
+               if (cci->master[i].cci) {
                        i2c_del_adapter(&cci->master[i].adap);
+                       of_node_put(cci->master[i].adap.dev.of_node);
+               }
                cci_halt(cci, i);
        }