[PATCH] of: unittest: fix use-after-free in of_unittest_changeset()

Wentao Liang posted 1 patch 2 months, 1 week ago
Posted by Wentao Liang 2 months, 1 week ago
The variable 'parent' is assigned the value of 'nchangeset' earlier in the
function, meaning both point to the same struct device_node. The call to
of_node_put(nchangeset) can decrement the reference count to zero and
free the node if there are no other holders. After that, the code still
uses 'parent' to check for the presence of a property and to read a
string property, leading to a use-after-free.

Fix this by moving the of_node_put() call after the last access to
'parent', avoiding the UAF.

Fixes: 1c668ea65506 ("of: unittest: Use of_property_present()")
Cc: stable@vger.kernel.org
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
---
 drivers/of/unittest.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/of/unittest.c b/drivers/of/unittest.c
index 2940295843e6..eae7ebdf5130 100644
--- a/drivers/of/unittest.c
+++ b/drivers/of/unittest.c
@@ -896,8 +896,6 @@ static void __init of_unittest_changeset(void)
 
 	unittest(!of_changeset_apply(&chgset), "apply failed\n");
 
-	of_node_put(nchangeset);
-
 	/* Make sure node names are constructed correctly */
 	unittest((np = of_find_node_by_path("/testcase-data/changeset/n2/n21")),
 		 "'%pOF' not added\n", n21);
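Review bot: the removal here is only safe if every access through `parent` (which the description says aliases `nchangeset`) lies between this point and the new put; none of those accesses, nor the `parent = nchangeset` assignment, appear in the hunk context, so it would help a reviewer to quote them in the commit message or name the lines involved, since the path lookup for `/testcase-data/changeset/n2/n21` shown directly below is not one of them.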
@@ -919,6 +917,7 @@ static void __init of_unittest_changeset(void)
 	if (!ret)
 		unittest(strcmp(propstr, "hello") == 0, "original value not in updated property after revert");
 
+	of_node_put(nchangeset);
 	of_changeset_destroy(&chgset);
 
 	of_node_put(n1);
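Review bot: the new `of_node_put(nchangeset);` is placed directly against `of_changeset_destroy(&chgset);` with no separating blank line, while the rest of the releases (`of_node_put(n1);` onward) form their own block after the destroy; unless the node reference has to be dropped before the changeset is destroyed, consider moving the put down into that block so all of the test-node releases stay together, or add a short comment stating why it must precede the destroy.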
-- 
2.34.1
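The ordering bug described in the commit message above, modelled outside the kernel as an added example (not code from the patch or from drivers/of/unittest.c): a hypothetical refcounted `struct node` stands in for `struct device_node`, `node_put()` marks the node released instead of freeing it so the misuse can be detected, and `read_prop()` stands in for the property checks done through the aliasing `parent` pointer; `changeset_test_buggy()` mirrors the pre-fix order and `changeset_test_fixed()` the post-fix order.

```c
#include <stdbool.h>
#include <string.h>

/* Hypothetical stand-in for struct device_node: a refcount plus a "freed"
 * marker, so a use-after-free is reported instead of crashing. */
struct node {
	int refcount;
	bool freed;
	const char *prop;   /* stands in for the string property read later */
};

static void node_put(struct node *n)
{
	if (--n->refcount == 0)
		n->freed = true;    /* real code would free here; we only mark it */
}

/* Models of_property_present()/of_property_read_string(): -1 if the node
 * was already released (the UAF), 0 if the property read is valid. */
static int read_prop(struct node *n, const char **out)
{
	if (n->freed)
		return -1;
	*out = n->prop;
	return 0;
}

/* Ordering from before the fix: put first, then use the aliasing pointer. */
static int changeset_test_buggy(void)
{
	struct node nchangeset = { .refcount = 1, .prop = "hello" };
	struct node *parent = &nchangeset;   /* alias, as in the unit test */
	const char *s;

	node_put(&nchangeset);               /* drops the last reference */
	return read_prop(parent, &s);        /* -1: touched a released node */
}

/* Ordering after the fix: use the alias first, put last. */
static int changeset_test_fixed(void)
{
	struct node nchangeset = { .refcount = 1, .prop = "hello" };
	struct node *parent = &nchangeset;
	const char *s;
	int ret = read_prop(parent, &s);     /* 0, and s == "hello" */

	node_put(&nchangeset);
	return (ret == 0 && strcmp(s, "hello") == 0) ? 0 : -1;
}
```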
Re: [PATCH] of: unittest: fix use-after-free in of_unittest_changeset()
Posted by Rob Herring (Arm) 1 month, 4 weeks ago
On Thu, 09 Apr 2026 02:22:33 +0000, Wentao Liang wrote:
> The variable 'parent' is assigned the value of 'nchangeset' earlier in the
> function, meaning both point to the same struct device_node. The call to
> of_node_put(nchangeset) can decrement the reference count to zero and
> free the node if there are no other holders. After that, the code still
> uses 'parent' to check for the presence of a property and to read a
> string property, leading to a use-after-free.
> 
> Fix this by moving the of_node_put() call after the last access to
> 'parent', avoiding the UAF.
> 
> Fixes: 1c668ea65506 ("of: unittest: Use of_property_present()")
> Cc: stable@vger.kernel.org
> Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
> ---
>  drivers/of/unittest.c | 3 +--
>  1 file changed, 1 insertion(+), 2 deletions(-)
> 

Applied, thanks!