Re: [PATCH AUTOSEL 4.9 11/13] mips/pic32/pic32mzda: Fix refcount leak bugs


 



Hi!

> From: Liang He <windhl@xxxxxxx>
> 
> [ Upstream commit eb9e9bc4fa5fb489c92ec588b3fb35f042ba6d86 ]
> 
> of_find_matching_node(), of_find_compatible_node() and
> of_find_node_by_path() will return node pointers with refcount
> incremented. We should call of_node_put() when they are not
> used anymore.

It looks like this may introduce a use-after-free bug:

> +++ b/arch/mips/pic32/pic32mzda/init.c
> @@ -131,13 +131,18 @@ static int __init pic32_of_prepare_platform_data(struct of_dev_auxdata *lookup)
>  		np = of_find_compatible_node(NULL, NULL, lookup->compatible);
>  		if (np) {
>  			lookup->name = (char *)np->name;
> -			if (lookup->phys_addr)
> +			if (lookup->phys_addr) {
> +				of_node_put(np);
>  				continue;
> +			}
>  			if (!of_address_to_resource(np, 0, &res))
>  				lookup->phys_addr = res.start;
> +			of_node_put(np);
>  		}
>  	}
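Review bot: `lookup->name = (char *)np->name;` keeps a pointer into the node after both added `of_node_put(np)` calls (the one before `continue` and the one at the end of the block) drop the reference that `of_find_compatible_node()` returned, so if that was the last reference the node, and the string `np->name` points at, can be released while `lookup->name` still refers to it. If `lookup` needs the name after this loop, either hold the reference for the lifetime of `lookup` (and put it when `lookup` is torn down) or copy the name into memory `lookup` owns before calling `of_node_put()`; as written, the refcount leak is traded for a dangling pointer unless something not stated in the patch guarantees the node is never freed.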

lookup->name now contains a pointer taken from np->name, but we did
put() on the np. What guarantees np->name is not freed?

Best regards,
								Pavel
-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
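The lifetime problem raised in this reply, as an added user-space model that is not from the thread or from the kernel tree: a refcounted node owns its name string, a lookup record borrows a pointer to that string, and the three variants show the patched pattern (borrow, then put) beside the two ways to keep the pointer valid (copy the string, or hold a reference). The struct and function names (`node_get`, `node_put`, `find_node`, `name_after_put`, `name_copied`, `name_with_ref`) and the sample name "pic32-uart" are assumptions for illustration, not the kernel's API.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for struct device_node: the node owns its name string. */
struct node {
    int refcount;
    char *name;
    int released;               /* set once the last reference is dropped */
};

/* Stand-in for struct of_dev_auxdata: it only borrows a name pointer. */
struct lookup {
    const char *name;
};

static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p)
        memcpy(p, s, n);
    return p;
}

/* Models of_node_get(). */
static struct node *node_get(struct node *np)
{
    if (np)
        np->refcount++;
    return np;
}

/* Models of_node_put(). On the last reference the node's memory would be
 * freed; to keep the later read well defined, this model poisons the name
 * buffer in place instead, as slab debugging does with freed memory. */
static void node_put(struct node *np)
{
    if (!np || --np->refcount > 0)
        return;
    np->released = 1;
    memset(np->name, 'X', strlen(np->name));
}

/* Models of_find_compatible_node(): returns a node carrying one reference
 * that the caller must put. The name is constructed sample data. */
static struct node *find_node(const char *compatible)
{
    struct node *np = calloc(1, sizeof *np);
    if (!np)
        return NULL;
    np->name = dup_string(compatible);
    np->refcount = 1;
    return np;
}

/* The patched code path: borrow np->name, then put the node. If that was
 * the last reference, lookup->name now points into released memory. */
static const char *name_after_put(struct node *np, struct lookup *lk)
{
    lk->name = np->name;
    node_put(np);
    return lk->name;
}

/* Fix A: copy the string before dropping the reference; lookup owns it. */
static const char *name_copied(struct node *np, struct lookup *lk)
{
    lk->name = dup_string(np->name);
    node_put(np);
    return lk->name;
}

/* Fix B: keep the node alive as long as lookup uses the name. Whoever tears
 * down lookup must node_put() this reference later, or the leak returns. */
static const char *name_with_ref(struct node *np, struct lookup *lk)
{
    lk->name = node_get(np)->name;  /* lookup takes its own reference */
    node_put(np);                   /* drop only the find_node() reference */
    return lk->name;
}

typedef const char *(*variant_fn)(struct node *, struct lookup *);

/* Runs one variant on a fresh node: 1 if lookup->name still reads back as
 * the original name, 0 if it now reads poisoned (released) memory. */
static int name_still_valid(variant_fn variant)
{
    struct lookup lk = { 0 };
    return strcmp(variant(find_node("pic32-uart"), &lk), "pic32-uart") == 0;
}

/* Runs one variant and reports how many references the node has left. */
static int refs_after(variant_fn variant)
{
    struct lookup lk = { 0 };
    struct node *np = find_node("pic32-uart");
    variant(np, &lk);
    return np->refcount;
}

int main(void)
{
    printf("put then use  : %s\n", name_still_valid(name_after_put) ? "intact" : "dangling");
    printf("copied        : %s\n", name_still_valid(name_copied) ? "intact" : "dangling");
    printf("reference held: %s, refs left %d\n",
           name_still_valid(name_with_ref) ? "intact" : "dangling",
           refs_after(name_with_ref));
    return 0;
}
```

With a single reference on the node, the borrow-then-put variant reads back poisoned bytes, the copy variant reads the name with zero references left (the leak fixed, the pointer safe), and the hold-a-reference variant reads the name with one reference still outstanding, which is exactly the reference the owner of `lookup` has to put later.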
