Commit 3cd582e7 authored Jul 15, 2025 by Alok Tiwari Committed by Jakub Kicinski Jul 16, 2025

net: airoha: fix potential use-after-free in airoha_npu_get()



np->name was being used after calling of_node_put(np), which
releases the node and can lead to a use-after-free bug.
Previously, of_node_put(np) was called unconditionally after
of_find_device_by_node(np), which could result in a use-after-free if
pdev is NULL.

This patch moves of_node_put(np) after the error check to ensure
the node is only released after both the error and success cases
are handled appropriately, preventing potential resource issues.

Fixes: 23290c7b ("net: airoha: Introduce Airoha NPU support")
Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Link: https://patch.msgid.link/20250715143102.3458286-1-alok.a.tiwari@oracle.com


Signed-off-by: Jakub Kicinski <kuba@kernel.org>

parent 531d0d32

drivers/net/ethernet/airoha/airoha_npu.c

+2 −1

Original line number	Diff line number	Diff line
		@@ -401,12 +401,13 @@ struct airoha_npu airoha_npu_get(struct device dev, dma_addr_t *stats_addr)
		return ERR_PTR(-ENODEV);

		pdev = of_find_device_by_node(np);
		of_node_put(np);

		if (!pdev) {
		dev_err(dev, "cannot find device node %s\n", np->name);
		of_node_put(np);
		return ERR_PTR(-ENODEV);
		}
		of_node_put(np);

		if (!try_module_get(THIS_MODULE)) {
		dev_err(dev, "failed to get the device driver module\n");