[PATCH 1/2] powerpc/83xx: fix use-after-free in mpc831x_usb_cfg()

From: Wen Yang
Date: Tue Jul 09 2019 - 07:25:31 EST


The immr_node variable is still being used after the of_node_put() call,
which may result in use-after-free.
Fix this issue by calling of_node_put() after the last usage.

Fixes: fd066e850351 ("powerpc/mpc8308: fix USB DR controller initialization")
Signed-off-by: Wen Yang <wen.yang99@xxxxxxxxxx>
Cc: Scott Wood <oss@xxxxxxxxxxxx>
Cc: Kumar Gala <galak@xxxxxxxxxxxxxxxxxxx>
Cc: Benjamin Herrenschmidt <benh@xxxxxxxxxxxxxxxxxxx>
Cc: Paul Mackerras <paulus@xxxxxxxxx>
Cc: Michael Ellerman <mpe@xxxxxxxxxxxxxx>
Cc: Markus Elfring <Markus.Elfring@xxxxxx>
Cc: linuxppc-dev@xxxxxxxxxxxxxxxx
Cc: linux-kernel@xxxxxxxxxxxxxxx
---
arch/powerpc/platforms/83xx/usb.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/powerpc/platforms/83xx/usb.c b/arch/powerpc/platforms/83xx/usb.c
index 3d247d7..19dcef5 100644
--- a/arch/powerpc/platforms/83xx/usb.c
+++ b/arch/powerpc/platforms/83xx/usb.c
@@ -158,11 +158,10 @@ int mpc831x_usb_cfg(void)

iounmap(immap);

- of_node_put(immr_node);
-
/* Map USB SOC space */
ret = of_address_to_resource(np, 0, &res);
if (ret) {
+ of_node_put(immr_node);
of_node_put(np);
return ret;
}
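Review bot: the error branch after of_address_to_resource() now repeats the same two of_node_put() calls that the out: label performs, so the node cleanup lives in two places. Consider a second label placed after iounmap(usb_regs) (for example a hypothetical out_put:) and a goto from this branch, since ret is already set here; a later edit then cannot fix one path and miss the other. Separately, the context lines in this hunk do not show the later access to immr_node that makes the early put unsafe. Naming that access in the commit message would let a reader verify that the reference is now held for exactly as long as it is needed.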
@@ -203,6 +202,7 @@ int mpc831x_usb_cfg(void)

out:
iounmap(usb_regs);
+ of_node_put(immr_node);
of_node_put(np);
return ret;
}
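Review bot: with the put for immr_node now done only at out: and in the of_address_to_resource() error branch, every exit between those two points has to reach out: or drop the reference itself, and those lines are not visible in this patch. Please confirm that no direct return remains in that range, otherwise the use-after-free is traded for a reference leak on immr_node. It would also help to state in the commit message that the ordering at out: (iounmap(usb_regs) first, then the two of_node_put() calls) is intentional, so the release order of the mapping and the nodes is documented.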
--
2.9.5