Re: [PATCH 0/1] software node: Use-after-free fix in drivers/base/swnode.c

Next message: Peter Yin: "[PATCH v2] i3c: master: dw-i3c: Fix missing of_node for virtual I2C adapter"
Previous message: Luca Leonardo Scorcia: "[PATCH v3] drm/mediatek: dsi: Store driver data before invoking mipi_dsi_host_register"
In reply to: Mike Isely: "Re: [PATCH 1/1] sofware node: Only the managing device can unreference managed software node"
Next in thread: Mike Isely: "Re: [PATCH 0/1] software node: Use-after-free fix in drivers/base/swnode.c"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Andy Shevchenko

Date: Wed Feb 25 2026 - 04:46:38 EST

On Tue, Feb 24, 2026 at 01:19:21PM -0600, mike.isely@xxxxxxxxxxxxxxxxx wrote:

> Correct issue in drivers/base/swnode.c that can lead to use-after-free
> due to kobject reference counting error, which itself is due to
> incorrect behavior with the "managed" struct swnode flag in
> circumstances involving child struct device instances where the parent
> struct device is managing a struct swnode.
>
> Use-after-free in this case led to an Oops and a subsequent kernel
> memory leak, but realistically it's kernel heap corruption, so any
> manner of chaos can result, if left unaddressed.
>
> This was detected in kernel 6.12, verified also in kernel 6.6. Visual
> inspection in 6.19.3 source (the latest as of right now) shows the

The latest is v7.0-rc1 as of time of the topic message.

> same issue. The nearly trivial fix was verified in 6.12. While this
> patches against 6.19.3, IMHO this is a candidate for all LTS kernels.

Thanks for the contribution, usually for a single patch there is no need
in cover letter. The comment block can handle this (the place after cutter
'---' line in the message with a patch).

--
With Best Regards,
Andy Shevchenko