From: Wentao Liang Date: Thu, 9 Apr 2026 03:48:59 +0000 (+0000) Subject: of: unittest: fix use-after-free in testdrv_probe() X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=07fd339b2c253205794bea5d9b4b7548a4546c56;p=thirdparty%2Fkernel%2Flinux.git of: unittest: fix use-after-free in testdrv_probe() The function testdrv_probe() retrieves the device_node from the PCI device, applies an overlay, and then immediately calls of_node_put(dn). This releases the reference held by the PCI core, potentially freeing the node if the reference count drops to zero. Later, the same freed pointer 'dn' is passed to of_platform_default_populate(), leading to a use-after-free. The reference to pdev->dev.of_node is owned by the device model and should not be released by the driver. Remove the erroneous of_node_put() to prevent premature freeing. Fixes: 26409dd04589 ("of: unittest: Add pci_dt_testdrv pci driver") Cc: stable@vger.kernel.org Signed-off-by: Wentao Liang Link: https://patch.msgid.link/20260409034859.429071-1-vulab@iscas.ac.cn Signed-off-by: Rob Herring (Arm) --- diff --git a/drivers/of/unittest.c b/drivers/of/unittest.c index eae7ebdf5130d..4078569a0f967 100644 --- a/drivers/of/unittest.c +++ b/drivers/of/unittest.c @@ -4317,7 +4317,6 @@ static int testdrv_probe(struct pci_dev *pdev, const struct pci_device_id *id) size = info->dtbo_end - info->dtbo_begin; ret = of_overlay_fdt_apply(info->dtbo_begin, size, &ovcs_id, dn); - of_node_put(dn); if (ret) return ret;