[xen master] xen/dt-overlay: fix double-free of rangesets on attach failure

[patchbot@xxxxxxx]

commit 8783601593fb4a9b7fb0c84c73da26087be48902
Author:     Michal Orzel <michal.orzel@xxxxxxx>
AuthorDate: Wed Apr 15 13:36:55 2026 +0200
Commit:     Michal Orzel <michal.orzel@xxxxxxx>
CommitDate: Wed Apr 29 07:37:58 2026 +0200

    xen/dt-overlay: fix double-free of rangesets on attach failure
    
    handle_attach_overlay_nodes() destroys the IRQ and IOMEM rangesets on
    failure but leaves the pointers dangling in the tracker entry. A
    subsequent handle_remove_overlay_nodes() for the same overlay will call
    rangeset_consume_ranges() on freed memory followed by a second
    rangeset_destroy(), resulting in use-after-free and double-free.
    
    NULL the pointers after rangeset_destroy() so that remove_nodes() and
    handle_remove_overlay_nodes() skip the stale entries.
    
    Fixes: 4c733873b5c2 ("xen/arm: Add XEN_DOMCTL_dt_overlay and device 
attachment to domains")
    Reported-by: Gyujeong Jin <wlsrbwjd7232@xxxxxxxxx>
    Signed-off-by: Michal Orzel <michal.orzel@xxxxxxx>
    Reviewed-by: Luca Fancellu <luca.fancellu@xxxxxxx>
    Acked-by: Stefano Stabellini <sstabellini@xxxxxxxxxx>
---
 xen/common/device-tree/dt-overlay.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/xen/common/device-tree/dt-overlay.c 
b/xen/common/device-tree/dt-overlay.c
index d184186c01..6fa07dbf42 100644
--- a/xen/common/device-tree/dt-overlay.c
+++ b/xen/common/device-tree/dt-overlay.c
@@ -910,7 +910,9 @@ static long handle_attach_overlay_nodes(struct domain *d,
     if ( entry )
     {
         rangeset_destroy(entry->irq_ranges);
+        entry->irq_ranges = NULL;
         rangeset_destroy(entry->iomem_ranges);
+        entry->iomem_ranges = NULL;
     }
 
     return rc;
--
generated by git-patchbot for /home/xen/git/xen.git#master