diff options
| author | Wentao Liang <vulab@iscas.ac.cn> | 2026-04-09 06:48:59 +0300 |
|---|---|---|
| committer | Rob Herring (Arm) <robh@kernel.org> | 2026-04-16 15:27:17 +0300 |
| commit | 07fd339b2c253205794bea5d9b4b7548a4546c56 (patch) | |
| tree | 4c9d0faca59afa7b2a1b06f6cdbf12a73cf7359d | |
| parent | faecdd423c27f0d6090156a435ba9dbbac0eaddb (diff) | |
| download | linux-07fd339b2c253205794bea5d9b4b7548a4546c56.tar.xz | |
of: unittest: fix use-after-free in testdrv_probe()
The function testdrv_probe() retrieves the device_node from the PCI
device, applies an overlay, and then immediately calls of_node_put(dn).
This releases the reference held by the PCI core, potentially freeing
the node if the reference count drops to zero. Later, the same freed
pointer 'dn' is passed to of_platform_default_populate(), leading to a
use-after-free.
The reference to pdev->dev.of_node is owned by the device model and
should not be released by the driver. Remove the erroneous of_node_put()
to prevent premature freeing.
Fixes: 26409dd04589 ("of: unittest: Add pci_dt_testdrv pci driver")
Cc: stable@vger.kernel.org
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
Link: https://patch.msgid.link/20260409034859.429071-1-vulab@iscas.ac.cn
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
| -rw-r--r-- | drivers/of/unittest.c | 1 |
1 files changed, 0 insertions, 1 deletions
diff --git a/drivers/of/unittest.c b/drivers/of/unittest.c index eae7ebdf5130..4078569a0f96 100644 --- a/drivers/of/unittest.c +++ b/drivers/of/unittest.c @@ -4317,7 +4317,6 @@ static int testdrv_probe(struct pci_dev *pdev, const struct pci_device_id *id) size = info->dtbo_end - info->dtbo_begin; ret = of_overlay_fdt_apply(info->dtbo_begin, size, &ovcs_id, dn); - of_node_put(dn); if (ret) return ret; |