At 2022-06-29 21:06:17, "Pavel Machek" <pavel@xxxxxxx> wrote:
>Hi!
>
>> From: Liang He <windhl@xxxxxxx>
>>
>> [ Upstream commit eb9e9bc4fa5fb489c92ec588b3fb35f042ba6d86 ]
>>
>> of_find_matching_node(), of_find_compatible_node() and
>> of_find_node_by_path() will return node pointers with refcount
>> incremented. We should call of_node_put() when they are not
>> used anymore.
>
>It looks like this may introduce a use-after-free bug:
>
>> +++ b/arch/mips/pic32/pic32mzda/init.c
>> @@ -131,13 +131,18 @@ static int __init pic32_of_prepare_platform_data(struct of_dev_auxdata *lookup)
>>  		np = of_find_compatible_node(NULL, NULL, lookup->compatible);
>>  		if (np) {
>>  			lookup->name = (char *)np->name;
>> -			if (lookup->phys_addr)
>> +			if (lookup->phys_addr) {
>> +				of_node_put(np);
>>  				continue;
>> +			}
>>  			if (!of_address_to_resource(np, 0, &res))
>>  				lookup->phys_addr = res.start;
>> +			of_node_put(np);
>>  		}
>>  	}
>
>lookup->name now contains a pointer taken from np->name, but we did
>put() on the np. What guarantees np->name is not freed?
>
>Best regards,
>								Pavel

Hi, Pavel.

Thanks for reviewing this patched code.

In fact, the |PUT| on 'np' will not lead to the |FREE|.

First, before calling of_find_compatible_node(), the target object's refcount must be >= 1, as the object is alive.
Then, after calling of_find_compatible_node(), its refcount must be >= 2.
So, after calling of_node_put(np), its refcount must still be >= 1.

In fact, these |PUT|s are just used to keep the refcount balanced for the |GET| in of_find_compatible_node().

If there is anything wrong, please correct me.

Thanks very much for reviewing my patch code.

Liang

>--
>DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
>HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
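Review bot: the hunk drops the reference on np on both exit paths, but `lookup->name = (char *)np->name;` is assigned before either of_node_put(np) and keeps pointing into the node, so the stored name is only valid for as long as some other holder keeps the node alive, and nothing in the hunk or the commit message says what that holder is. Either keep the reference for as long as lookup->name is in use, duplicate the string (kstrdup) before the put, or add a comment at the assignment stating why the node is guaranteed to outlive it. The two of_node_put() calls themselves are balanced against the get in of_find_compatible_node() on both the `continue` path and the fall-through path, and the `if (np)` guard keeps the NULL case away from them.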
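The two positions in the thread, "the put only balances the get, the tree still holds a reference" and "lookup->name borrows np->name across that put", can be checked against each other in a small model. The following is an added example, not kernel code and not part of the patch or the thread: `struct node`, `node_get()`, `node_put()` and `find_compatible()` stand in for `struct device_node`, `of_node_get()`, `of_node_put()` and `of_find_compatible_node()`; the compatible string `example,demo-uart`, the node name `uart1`, the fake resource address and the "tree release" step are all constructed. Release is modelled by overwriting the name instead of freeing memory so that a read through a stale pointer stays well-defined and observable.

```c
/* Userland model of the refcount exchange above (not kernel code).
 * node/node_get/node_put/find_compatible stand in for struct device_node,
 * of_node_get(), of_node_put() and of_find_compatible_node(); the compatible
 * string, node name and resource address are constructed for the demo. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct node {
	int refcount;            /* the tree itself holds one reference */
	char name[16];
	const char *compatible;
};

struct lookup {              /* stand-in for struct of_dev_auxdata */
	const char *compatible;
	const char *name;
	unsigned long phys_addr;
};

static struct node *node_get(struct node *np)
{
	if (np)
		np->refcount++;
	return np;
}

/* Drop one reference; on the last one "release" the node by scribbling over
 * the name (instead of free()) so a stale read is defined and observable. */
static void node_put(struct node *np)
{
	if (np && --np->refcount == 0)
		memset(np->name, '?', sizeof(np->name) - 1);
}

/* Returns the matching node with its refcount incremented, or NULL. */
static struct node *find_compatible(struct node *tree, size_t n, const char *compat)
{
	for (size_t i = 0; i < n; i++)
		if (!strcmp(tree[i].compatible, compat))
			return node_get(&tree[i]);
	return NULL;
}

static char *copy_name(const char *s)       /* what kstrdup() would do */
{
	size_t len = strlen(s) + 1;
	char *p = malloc(len);
	if (p)
		memcpy(p, s, len);
	return p;
}

/* Mirrors the patched loop body. copy == 0 borrows np->name like the hunk;
 * copy == 1 duplicates it before the put so it no longer depends on the node. */
static void prepare_platform_data(struct node *tree, size_t n, struct lookup *lk, int copy)
{
	struct node *np = find_compatible(tree, n, lk->compatible);
	if (!np)
		return;
	lk->name = copy ? copy_name(np->name) : np->name;
	if (lk->phys_addr) {
		node_put(np);
		return;
	}
	lk->phys_addr = 0x1f822000;  /* constructed; stands in for of_address_to_resource() */
	node_put(np);
}

/* Drop the tree's own reference to every node (the "other holder" goes away). */
static void tree_release(struct node *tree, size_t n)
{
	for (size_t i = 0; i < n; i++)
		node_put(&tree[i]);
}

static struct node sample[1];

static void reset_sample(void)
{
	memset(sample, 0, sizeof(sample));
	sample[0].refcount = 1;                   /* held by the tree */
	strcpy(sample[0].name, "uart1");          /* constructed */
	sample[0].compatible = "example,demo-uart";
}

/* Liang's point: after get + put the count is back to the tree's one reference. */
static int refcount_after_patched_path(void)
{
	struct lookup lk = { .compatible = "example,demo-uart" };
	reset_sample();
	prepare_platform_data(sample, 1, &lk, 0);
	return sample[0].refcount;
}

/* Pavel's point: once the tree's reference goes too, does lookup->name still
 * read "uart1"? Returns 1 if the name survived, 0 if it now reads as poisoned. */
static int name_survives_tree_release(int copy)
{
	struct lookup lk = { .compatible = "example,demo-uart" };
	reset_sample();
	prepare_platform_data(sample, 1, &lk, copy);
	tree_release(sample, 1);
	int ok = strcmp(lk.name, "uart1") == 0;
	if (copy)
		free((char *)lk.name);
	return ok;
}

int main(void)
{
	printf("refcount after patched path: %d\n", refcount_after_patched_path());
	printf("borrowed name survives tree release: %d\n", name_survives_tree_release(0));
	printf("copied name survives tree release:   %d\n", name_survives_tree_release(1));
	return 0;
}
```

Both statements in the thread hold in the model: the patched path leaves the refcount at the tree's own 1, so the put frees nothing at that moment, while the borrowed `lookup->name` becomes garbage the instant that last reference is dropped; the copied variant does not care who holds the node.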