Re: [PATCH] of: unittest: fix use-after-free in testdrv_probe()

Next message: Rob Herring (Arm): "Re: [PATCH] of: unittest: fix use-after-free in of_unittest_changeset()"
Previous message: Joe Simmons-Talbott: "Re: [PATCH] gpib: agilent_82357a: don't check a NULL serial string"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Rob Herring (Arm)

Date: Thu Apr 16 2026 - 07:51:20 EST

On Thu, 09 Apr 2026 03:48:59 +0000, Wentao Liang wrote:
> The function testdrv_probe() retrieves the device_node from the PCI
> device, applies an overlay, and then immediately calls of_node_put(dn).
> This releases the reference held by the PCI core, potentially freeing
> the node if the reference count drops to zero. Later, the same freed
> pointer 'dn' is passed to of_platform_default_populate(), leading to a
> use-after-free.
>
> The reference to pdev->dev.of_node is owned by the device model and
> should not be released by the driver. Remove the erroneous of_node_put()
> to prevent premature freeing.
>
> Fixes: 26409dd04589 ("of: unittest: Add pci_dt_testdrv pci driver")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Wentao Liang <vulab@xxxxxxxxxxx>
> ---
> drivers/of/unittest.c | 1 -
> 1 file changed, 1 deletion(-)
>

Applied, thanks!