git.ipfire.org Git - thirdparty/kernel/linux.git/commitdiff
of: unittest: fix use-after-free in testdrv_probe()
author Wentao Liang <vulab@iscas.ac.cn>
Thu, 9 Apr 2026 03:48:59 +0000 (03:48 +0000)
committer Rob Herring (Arm) <robh@kernel.org>
Thu, 16 Apr 2026 12:27:17 +0000 (07:27 -0500)
The function testdrv_probe() retrieves the device_node from the PCI
device, applies an overlay, and then immediately calls of_node_put(dn).
This releases the reference held by the PCI core, potentially freeing
the node if the reference count drops to zero. Later, the same freed
pointer 'dn' is passed to of_platform_default_populate(), leading to a
use-after-free.

The reference to pdev->dev.of_node is owned by the device model and
should not be released by the driver. Remove the erroneous of_node_put()
to prevent premature freeing.

Fixes: 26409dd04589 ("of: unittest: Add pci_dt_testdrv pci driver")
Cc: stable@vger.kernel.org
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
Link: https://patch.msgid.link/20260409034859.429071-1-vulab@iscas.ac.cn
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
drivers/of/unittest.c

index eae7ebdf5130d96bd8bdf22bfb93cbce85f4115c..4078569a0f9674fdad920fa555d14d502043d7b2 100644 (file)
@@ -4317,7 +4317,6 @@ static int testdrv_probe(struct pci_dev *pdev, const struct pci_device_id *id)
 
        size = info->dtbo_end - info->dtbo_begin;
        ret = of_overlay_fdt_apply(info->dtbo_begin, size, &ovcs_id, dn);
-       of_node_put(dn);
        if (ret)
                return ret;
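
Review bot: the assignment of dn sits outside this hunk, so the refcount balance at the removed of_node_put(dn) after of_overlay_fdt_apply() cannot be checked from the visible lines alone. The removal is correct only if dn is a plain read of pdev->dev.of_node, as the commit message states, with no of_node_get() or other reference-taking lookup earlier in testdrv_probe(); if a reference is taken there, this change turns the use-after-free into a leak on both the "if (ret) return ret;" path and the success path. Please confirm that in the full function, and consider a one-line comment above the of_overlay_fdt_apply() call saying that dn is borrowed from the device and must not be put here, so the call is not reintroduced later.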