Hi!

> From: Liang He <windhl@xxxxxxx>
>
> [ Upstream commit eb9e9bc4fa5fb489c92ec588b3fb35f042ba6d86 ]
>
> of_find_matching_node(), of_find_compatible_node() and
> of_find_node_by_path() will return node pointers with refcount
> incremented. We should call of_node_put() when they are not
> used anymore.

It looks like this may introduce a use-after-free bug:

> +++ b/arch/mips/pic32/pic32mzda/init.c
> @@ -131,13 +131,18 @@ static int __init pic32_of_prepare_platform_data(struct of_dev_auxdata *lookup)
> np = of_find_compatible_node(NULL, NULL, lookup->compatible);
> if (np) {
> lookup->name = (char *)np->name;
> - if (lookup->phys_addr)
> + if (lookup->phys_addr) {
> + of_node_put(np);
> continue;
> + }
> if (!of_address_to_resource(np, 0, &res))
> lookup->phys_addr = res.start;
> + of_node_put(np);
> }
> }

lookup->name now contains a pointer taken from np->name, but we did put() on the np. What guarantees np->name is not freed?

Best regards,
							Pavel

--
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
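Review bot: the hunk drops the node reference on both exit paths of the `if (np)` block after `lookup->name = (char *)np->name;` has already stored a pointer into that node, so once `of_node_put(np)` runs, `lookup->name` refers to memory this function no longer holds a reference to; if the node can be released, that pointer dangles, which is the use-after-free concern raised in the reply. Either keep the reference for as long as the `of_dev_auxdata` entry is live (and put it where the entry is torn down), or take a copy of the name before the put, e.g. `lookup->name = kstrdup(np->name, GFP_KERNEL);`. If nodes in this platform code can never be freed, the commit message should say so explicitly, so that the "put right after copying a pointer out of the node" pattern is not applied elsewhere where the node is dynamic.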