of: unittest: fix use-after-free in of_unittest_changeset()

The variable 'parent' is assigned the value of 'nchangeset' earlier in the
function, meaning both point to the same struct device_node. The call to
of_node_put(nchangeset) can decrement the reference count to zero and
free the node if there are no other holders. After that, the code still
uses 'parent' to check for the presence of a property and to read a
string property, leading to a use-after-free.

Fix this by moving the of_node_put() call after the last access to
'parent', avoiding the UAF.

Fixes: 1c668ea65506 ("of: unittest: Use of_property_present()")
Cc: stable@vger.kernel.org
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
Link: https://patch.msgid.link/20260409022233.418103-1-vulab@iscas.ac.cn
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>

diff --git a/drivers/of/unittest.c b/drivers/of/unittest.c
index 2940295843e6fcfc42b5b42aa366e124c92efb0b..eae7ebdf5130d96bd8bdf22bfb93cbce85f4115c 100644 (file)
--- a/drivers/of/unittest.c
+++ b/drivers/of/unittest.c
@@ -896,8 +896,6 @@ static void __init of_unittest_changeset(void)
 
        unittest(!of_changeset_apply(&chgset), "apply failed\n");
 
-       of_node_put(nchangeset);
-
        /* Make sure node names are constructed correctly */
        unittest((np = of_find_node_by_path("/testcase-data/changeset/n2/n21")),
                 "'%pOF' not added\n", n21);
@@ -919,6 +917,7 @@ static void __init of_unittest_changeset(void)
        if (!ret)
                unittest(strcmp(propstr, "hello") == 0, "original value not in updated property after revert");
 
+       of_node_put(nchangeset);
        of_changeset_destroy(&chgset);
 
        of_node_put(n1);