[PATCH] cpufreq: scmi: Fix of_node use-after-free in scmi_dev_used_by_cpus()

From: Hans Zhang

Date: Mon Mar 02 2026 - 11:02:56 EST


In scmi_dev_used_by_cpus(), the code previously released the of_node
reference via of_node_put(np) before checking whether np equals scmi_np.
This could lead to a use-after-free if the node pointer was accessed
after being freed. Reorder the logic to perform the comparison first
and only put the node after the check, or immediately return if they
match. This ensures safe reference counting and avoids potential kernel
crashes.

Fixes: 6c9bb8692272 ("cpufreq: scmi: Skip SCMI devices that aren't used by the CPUs")
Signed-off-by: Hans Zhang <18255117159@xxxxxxx>
---
drivers/cpufreq/scmi-cpufreq.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/drivers/cpufreq/scmi-cpufreq.c b/drivers/cpufreq/scmi-cpufreq.c
index 4edb4f7a8aa9..187aeb65e221 100644
--- a/drivers/cpufreq/scmi-cpufreq.c
+++ b/drivers/cpufreq/scmi-cpufreq.c
@@ -413,17 +413,19 @@ static bool scmi_dev_used_by_cpus(struct device *scmi_dev)
cpu_np = dev_of_node(cpu_dev);

np = of_parse_phandle(cpu_np, "clocks", 0);
- of_node_put(np);
-
- if (np == scmi_np)
+ if (np == scmi_np) {
+ of_node_put(np);
return true;
+ }
+ of_node_put(np);

idx = of_property_match_string(cpu_np, "power-domain-names", "perf");
np = of_parse_phandle(cpu_np, "power-domains", idx);
- of_node_put(np);
-
- if (np == scmi_np)
+ if (np == scmi_np) {
+ of_node_put(np);
return true;
+ }
+ of_node_put(np);
}

/*
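Review bot: In both the "clocks" and the "power-domains" blocks, the removed lines only compare the pointer value (`if (np == scmi_np)`) after of_node_put(np); nothing visible in this hunk dereferences np after the put. The changelog should therefore name the access that actually touches freed memory, or drop the use-after-free wording and reconsider the Fixes: tag. If the reordering is kept for clarity, each block now carries two of_node_put(np) calls, one inside the branch and one after it. Storing the comparison result in a local bool, calling of_node_put(np) once, and then testing the bool would give the same ordering without the duplicated put. A short comment noting that np is only used for identity comparison would also help future readers.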
--
2.34.1