powerpc/pci-common: Fix refcount bug for 'phb->dn'

In pcibios_alloc_controller(), 'phb' is allocated and escaped into
global 'hose_list'. So we should call of_node_get() when a new reference
created into 'phb->dn'. And when phb is freed, we should call
of_node_put() on it.

NOTE: This function is called in the iteration of for_each_xx in
chrp_find_bridges() and pSeries_discover_phbs(). If there is no
of_node_get(), the object may be prematurely freed.

Signed-off-by: Liang He <windhl@126.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20220702022936.266146-1-windhl@126.com

diff --git a/arch/powerpc/kernel/pci-common.c b/arch/powerpc/kernel/pci-common.c
index 31de91c8359c11ff6b44952e568c5f78eef82be4..d67cf79bf5d03456fbfc8aae5544b40c21de388c 100644 (file)
--- a/arch/powerpc/kernel/pci-common.c
+++ b/arch/powerpc/kernel/pci-common.c
@@ -135,7 +135,7 @@ struct pci_controller *pcibios_alloc_controller(struct device_node *dev)
        list_add_tail(&phb->list_node, &hose_list);
        spin_unlock(&hose_spinlock);
 
-       phb->dn = dev;
+       phb->dn = of_node_get(dev);
        phb->is_dynamic = slab_is_available();
 #ifdef CONFIG_PPC64
        if (dev) {
@@ -158,7 +158,7 @@ void pcibios_free_controller(struct pci_controller *phb)
        /* Clear bit of phb_bitmap to allow reuse of this PHB number. */
        if (phb->global_number < MAX_PHBS)
                clear_bit(phb->global_number, phb_bitmap);
-
+       of_node_put(phb->dn);
        list_del(&phb->list_node);
        spin_unlock(&hose_spinlock);