Hi!
From: Liang He windhl@126.com
[ Upstream commit eb9e9bc4fa5fb489c92ec588b3fb35f042ba6d86 ]
of_find_matching_node(), of_find_compatible_node() and of_find_node_by_path() will return node pointers with refcount incremented. We should call of_node_put() when they are not used anymore.
It looks like this may introduce a use-after-free bug:
+++ b/arch/mips/pic32/pic32mzda/init.c @@ -131,13 +131,18 @@ static int __init pic32_of_prepare_platform_data(struct of_dev_auxdata *lookup) np = of_find_compatible_node(NULL, NULL, lookup->compatible); if (np) { lookup->name = (char *)np->name;
if (lookup->phys_addr)
if (lookup->phys_addr) {
of_node_put(np); continue;
} if (!of_address_to_resource(np, 0, &res)) lookup->phys_addr = res.start;
} }of_node_put(np);
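Review bot: the new of_node_put(np) calls in this hunk, both in the `if (lookup->phys_addr) {` branch and after the of_address_to_resource() call, drop the reference while `lookup->name = (char *)np->name;` keeps a raw pointer into the node that is still stored in the lookup table afterwards, so the name string can outlive the reference that kept the node alive. Either keep the reference for as long as the lookup entry is in use, copy the name (for example with kstrdup) before the put, or state in the commit message why the nodes this code walks can never be released so that the pointer is safe.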
lookup->name now contains a pointer taken from np->name, but we did put() on the np. What guarantees np->name is not freed?
Best regards, Pavel