Re: [PATCH] fix: of: overlay: init_overlay_changeset: fix fragment overlay/target reference leak on error paths

From: WenTao Liang

Date: Sun Jun 28 2026 - 00:02:40 EST




> On Jun 26, 2026, at 23:44, WenTao Liang <vulab@xxxxxxxxxxx> wrote:
>
> In init_overlay_changeset(), when iteration fails (e.g., find_target
> returns NULL), previously stored fragment overlay and target references
> from successful iterations are leaked. The ovcs->count is never set
> before goto err_out, so free_overlay_changeset() cannot clean up.
>
> Set ovcs->count = cnt before jumping to err_out and ensure
> of_overlay_apply() calls free_overlay_changeset() on failure to properly
> release the acquired fragment references.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Fixes: 24789c5ce5a3 ("of: overlay: detect cases where device tree may become corrupt")
> Signed-off-by: WenTao Liang <vulab@xxxxxxxxxxx>
> ---
> drivers/of/overlay.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/of/overlay.c b/drivers/of/overlay.c
> index c1c5686fc7b1..25521ff7c942 100644
> --- a/drivers/of/overlay.c
> +++ b/drivers/of/overlay.c
> @@ -804,6 +804,7 @@ static int init_overlay_changeset(struct overlay_changeset *ovcs,
> of_node_put(fragment->overlay);
> ret = -EINVAL;
> of_node_put(node);
> + ovcs->count = cnt;
> goto err_out;
> }
>
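Review bot: the added `ovcs->count = cnt;` before `goto err_out` only helps if `ovcs->fragments` already points at the fragments array at this point and `free_overlay_changeset()` walks `ovcs->count` entries; if `ovcs->fragments` is still NULL here (array not yet handed over to ovcs), the later loop in `free_overlay_changeset()` would dereference NULL, so please confirm the assignment order in the surrounding code and mention it in the commit message. Counting only `cnt` entries is correct for this path because the in-progress fragment at index `cnt` has already had its overlay dropped by the `of_node_put(fragment->overlay);` two lines above and never acquired a target, so it must stay excluded from the cleanup loop; a one-line comment saying so would save the next reader from suspecting an off-by-one.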
> @@ -825,6 +826,7 @@ static int init_overlay_changeset(struct overlay_changeset *ovcs,
> pr_err("symbols in overlay, but not in live tree\n");
> ret = -EINVAL;
> of_node_put(node);
> + ovcs->count = cnt;
> goto err_out;
> }
>
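Review bot: this is the same `ovcs->count = cnt;` as in the previous hunk, duplicated on a second error path; rather than patching each `goto err_out` site, set the count once at the `err_out` label (or keep `ovcs->count` in step with `cnt++`) so any future error path in this function gets the cleanup for free. As with the first hunk, excluding index `cnt` is only safe if the `of_node_put(node);` just above releases the same node stored in `fragments[cnt].overlay`; the hunk does not show that assignment, so please state it in the commit message or add a short comment.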
> @@ -924,8 +926,10 @@ static int of_overlay_apply(struct overlay_changeset *ovcs,
> goto out;
>
> ret = init_overlay_changeset(ovcs, base);
> - if (ret)
> + if (ret) {
> + free_overlay_changeset(ovcs);
> goto out;
> + }
>
> ret = overlay_notify(ovcs, OF_OVERLAY_PRE_APPLY);
> if (ret)
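Review bot: calling `free_overlay_changeset(ovcs)` here risks a double free or double `of_node_put()` if the caller of `of_overlay_apply()` already frees the changeset on a non-zero return, which this hunk cannot show; please check the caller's error path and either free in exactly one place or document why both are safe. Also confirm that `free_overlay_changeset()` tolerates a changeset that `init_overlay_changeset()` left only partially initialised (for example `fragments == NULL` with `count == 0` when the allocation failed), since this new call can now reach it in that state; a sentence in the commit message covering these two points would make the fix reviewable on its own.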
> --
> 2.39.5 (Apple Git-154)

Please ignore this patch. I will resend a proper version after
learning the kernel submission process.

Apologies for the noise.

Best regards,
WenTao Liang