Re: [PATCH v2] pwrseq: core: fix use-after-free in pwrseq_debugfs_seq_next()

Next message: Paul Chaignon: "Re: [PATCH bpf v2 2/2] selftests/bpf: Cover partial copy of non-linear test_run output"
Previous message: Salih Erim: "[PATCH v8 2/5] iio: adc: add Versal SysMon driver"
In reply to: Wentao Liang: "[PATCH v2] pwrseq: core: fix use-after-free in pwrseq_debugfs_seq_next()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Bartosz Golaszewski

Date: Tue Jun 16 2026 - 09:17:57 EST

On Tue, Jun 16, 2026 at 3:15 PM Wentao Liang <vulab@xxxxxxxxxxx> wrote:
>
> pwrseq_debugfs_seq_next() declares the 'next' device pointer with
> __free(put_device), which causes put_device() to drop the reference
> as soon as the variable goes out of scope. Returning 'next' directly
> thus gives the caller a pointer whose reference has already been
> decremented, resulting in a use-after-free.
>
> Fix this by removing the automatic cleanup and returning the pointer
> directly. The reference is now properly released in the stop() callback
> of the seq_file operations.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Fixes: 249ebf3f65f8 ("power: sequencing: implement the pwrseq core")
> Signed-off-by: Wentao Liang <vulab@xxxxxxxxxxx>
>
> ---
> v2: Drop __free() and no_free_ptr().
> ---
> drivers/power/sequencing/core.c | 4 +---
> 1 file changed, 1 insertion(+), 3 deletions(-)
>
> diff --git a/drivers/power/sequencing/core.c b/drivers/power/sequencing/core.c
> index 4dff71be11b6..e8721368f08a 100644
> --- a/drivers/power/sequencing/core.c
> +++ b/drivers/power/sequencing/core.c
> @@ -1008,9 +1008,7 @@ static void *pwrseq_debugfs_seq_next(struct seq_file *seq, void *data,
>
> ++*pos;
>
> - struct device *next __free(put_device) =
> - bus_find_next_device(&pwrseq_bus, curr);
> - return next;
> + return bus_find_next_device(&pwrseq_bus, curr);
> }
>
> static void pwrseq_debugfs_seq_show_target(struct seq_file *seq,
> --
> 2.34.1
>

Where will the new reference be dropped now?

Bart