* [PATCH] of: unittest: fix use-after-free in testdrv_probe()
From: Wentao Liang @ 2026-04-09 3:48 UTC
To: robh, saravanak; +Cc: devicetree, linux-kernel, Wentao Liang, stable

The function testdrv_probe() retrieves the device_node from the PCI
device, applies an overlay, and then immediately calls of_node_put(dn).
This releases the reference held by the PCI core, potentially freeing
the node if the reference count drops to zero. Later, the same freed
pointer 'dn' is passed to of_platform_default_populate(), leading to a
use-after-free.

The reference to pdev->dev.of_node is owned by the device model and
should not be released by the driver. Remove the erroneous of_node_put()
to prevent premature freeing.

Fixes: 26409dd04589 ("of: unittest: Add pci_dt_testdrv pci driver")
Cc: stable@vger.kernel.org
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
---
drivers/of/unittest.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/of/unittest.c b/drivers/of/unittest.c
index eae7ebdf5130..4078569a0f96 100644
--- a/drivers/of/unittest.c
+++ b/drivers/of/unittest.c
@@ -4317,7 +4317,6 @@ static int testdrv_probe(struct pci_dev *pdev, const struct pci_device_id *id)
size = info->dtbo_end - info->dtbo_begin;
ret = of_overlay_fdt_apply(info->dtbo_begin, size, &ovcs_id, dn);
- of_node_put(dn);
if (ret)
return ret;
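Review bot: The context around the removed of_node_put(dn) does not show where dn is assigned, so the ownership claim in the commit message cannot be checked from this hunk alone. If dn is a plain copy of pdev->dev.of_node, as the description says, dropping the put is correct; if an of_node_get() is taken on it earlier in testdrv_probe(), this removal would trade the premature put for a reference leak, so it would help to quote the assignment in the commit message. The description is also inconsistent about who holds the reference ("held by the PCI core" in the first paragraph, "owned by the device model" in the second); settling on one wording would make the stable backport easier to review. With the put gone, the "if (ret) return ret;" path after of_overlay_fdt_apply() returns without touching dn, which is what a borrowed pointer requires.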
--
2.34.1
* Re: [PATCH] of: unittest: fix use-after-free in testdrv_probe()
From: Rob Herring (Arm) @ 2026-04-16 11:51 UTC
To: Wentao Liang; +Cc: linux-kernel, devicetree, stable, saravanak
On Thu, 09 Apr 2026 03:48:59 +0000, Wentao Liang wrote:
> The function testdrv_probe() retrieves the device_node from the PCI
> device, applies an overlay, and then immediately calls of_node_put(dn).
> This releases the reference held by the PCI core, potentially freeing
> the node if the reference count drops to zero. Later, the same freed
> pointer 'dn' is passed to of_platform_default_populate(), leading to a
> use-after-free.
>
> The reference to pdev->dev.of_node is owned by the device model and
> should not be released by the driver. Remove the erroneous of_node_put()
> to prevent premature freeing.
>
> Fixes: 26409dd04589 ("of: unittest: Add pci_dt_testdrv pci driver")
> Cc: stable@vger.kernel.org
> Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
> ---
> drivers/of/unittest.c | 1 -
> 1 file changed, 1 deletion(-)
>
Applied, thanks!