Re: [PATCH] pwrseq: core: fix use-after-free in pwrseq_debugfs_seq_next()
From: Bartosz Golaszewski
Date: Tue Jun 16 2026 - 03:47:30 EST
On Tue, 16 Jun 2026 04:22:26 +0200, Wentao Liang <vulab@xxxxxxxxxxx> said:
> pwrseq_debugfs_seq_next() declares the 'next' device pointer with
> __free(put_device), which causes put_device() to drop the reference
> as soon as the variable goes out of scope. Returning 'next' directly
> thus gives the caller a pointer whose reference has already been
> decremented, resulting in a use-after-free.
>
> Fix this by returning no_free_ptr(next) so that the automatic
> cleanup is suppressed and ownership is properly transferred to
> the caller.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Fixes: 249ebf3f65f8 ("power: sequencing: implement the pwrseq core")
> Signed-off-by: Wentao Liang <vulab@xxxxxxxxxxx>
> ---
> drivers/power/sequencing/core.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/power/sequencing/core.c b/drivers/power/sequencing/core.c
> index 4dff71be11b6..1ec4f393994d 100644
> --- a/drivers/power/sequencing/core.c
> +++ b/drivers/power/sequencing/core.c
> @@ -1010,7 +1010,7 @@ static void *pwrseq_debugfs_seq_next(struct seq_file *seq, void *data,
>
> struct device *next __free(put_device) =
> bus_find_next_device(&pwrseq_bus, curr);
> - return next;
> + return_ptr(next);

Wait, why are we even using __free() in the first place? Let's see who wrote
it... ah, yes, I know this guy. It's me!

Shouldn't we just:

	return bus_find_next_device();

instead? Also, the reference must still be put somewhere, probably in
pwrseq_debugfs_seq_show()?

Bart

> }
>
> static void pwrseq_debugfs_seq_show_target(struct seq_file *seq,
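
Review bot: Nothing in this hunk releases the reference that `return_ptr(next);` now hands to the seq_file caller, so the patch should either add the matching put_device() on the consuming side or say in the changelog where that put already happens; otherwise the early put is traded for a reference leak. With the only exit path disarming the cleanup, the `__free(put_device)` annotation on `next` no longer does anything, and the body could be reduced to `return bus_find_next_device(&pwrseq_bus, curr);`. The changelog also says the fix returns no_free_ptr(next) while the diff uses return_ptr(next); the two are equivalent, but the message should name the macro that is actually in the change.
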
> --
> 2.34.1
>
>