git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Wentao Liang <vulab@iscas.ac.cn>
	Thu, 9 Apr 2026 02:22:33 +0000 (02:22 +0000)
committer	Rob Herring (Arm) <robh@kernel.org>
	Thu, 16 Apr 2026 12:27:17 +0000 (07:27 -0500)
commit	faecdd423c27f0d6090156a435ba9dbbac0eaddb
tree	28132594c9d97f8416b257bdfd068f177c657f0e	tree \| snapshot
parent	e9cd85a42638090181a2af38684656d1cbc574e5	commit \| diff

of: unittest: fix use-after-free in of_unittest_changeset()

The variable 'parent' is assigned the value of 'nchangeset' earlier in the
function, meaning both point to the same struct device_node. The call to
of_node_put(nchangeset) can decrement the reference count to zero and
free the node if there are no other holders. After that, the code still
uses 'parent' to check for the presence of a property and to read a
string property, leading to a use-after-free.

Fix this by moving the of_node_put() call after the last access to
'parent', avoiding the UAF.

Fixes: 1c668ea65506 ("of: unittest: Use of_property_present()")
Cc: stable@vger.kernel.org
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
Link: https://patch.msgid.link/20260409022233.418103-1-vulab@iscas.ac.cn
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>