of: dynamic: Fix use after free in of_changeset_add_prop_helper()

[PATCH next] of: dynamic: Fix use after free in of_changeset_add_prop_helper()

Posted by Dan Carpenter 1 month, 1 week ago

If the of_changeset_add_property() function call fails, then this code
frees "new_pp" and then dereference it on the next line.  Return the
error code directly instead.

Fixes: c81f6ce16785 ("of: dynamic: Fix memleak when of_pci_add_properties() failed")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
---
 drivers/of/dynamic.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/of/dynamic.c b/drivers/of/dynamic.c
index dd30b7d8b5e4..2eaaddcb0ec4 100644
--- a/drivers/of/dynamic.c
+++ b/drivers/of/dynamic.c
@@ -935,13 +935,15 @@ static int of_changeset_add_prop_helper(struct of_changeset *ocs,
 		return -ENOMEM;
 
 	ret = of_changeset_add_property(ocs, np, new_pp);
-	if (ret)
+	if (ret) {
 		__of_prop_free(new_pp);
+		return ret;
+	}
 
 	new_pp->next = np->deadprops;
 	np->deadprops = new_pp;
 
-	return ret;
+	return 0;
 }
 
 /**
-- 
2.47.2

Re: [PATCH next] of: dynamic: Fix use after free in of_changeset_add_prop_helper()

Posted by Rob Herring (Arm) 1 month, 1 week ago

On Fri, 22 Aug 2025 11:08:46 +0300, Dan Carpenter wrote:
> If the of_changeset_add_property() function call fails, then this code
> frees "new_pp" and then dereference it on the next line.  Return the
> error code directly instead.
> 
> Fixes: c81f6ce16785 ("of: dynamic: Fix memleak when of_pci_add_properties() failed")
> Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
> ---
>  drivers/of/dynamic.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 

Applied, thanks!