[PATCH] mux: core: fix use-after-free in mux_get()
From: Wentao Liang
Date: Thu Apr 09 2026 - 03:59:11 EST
In mux_get(), of_node_put(args.np) is called prematurely, before the
error paths make their last access to args.np, leading to a
use-after-free if the node is freed. Move the of_node_put() calls after
the last use of args.np to prevent this.
Fixes: 84564481bc45 ("mux: Add support for reading mux state from consumer DT node")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Wentao Liang <vulab@xxxxxxxxxxx>
---
drivers/mux/core.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/drivers/mux/core.c b/drivers/mux/core.c
index f09ee8782e3d..113af77c3ee2 100644
--- a/drivers/mux/core.c
+++ b/drivers/mux/core.c
@@ -564,9 +564,10 @@ static struct mux_control *mux_get(struct device *dev, const char *mux_name,
}
mux_chip = of_find_mux_chip_by_node(args.np);
- of_node_put(args.np);
- if (!mux_chip)
+ if (!mux_chip) {
+ of_node_put(args.np);
return ERR_PTR(-EPROBE_DEFER);
+ }
controller = 0;
if (state) {
@@ -575,8 +576,10 @@ static struct mux_control *mux_get(struct device *dev, const char *mux_name,
dev_err(dev, "%pOF: wrong #mux-state-cells for %pOF\n",
np, args.np);
put_device(&mux_chip->dev);
+ of_node_put(args.np);
return ERR_PTR(-EINVAL);
}
+ of_node_put(args.np);
if (args.args_count == 2) {
controller = args.args[0];
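Review bot: The success-path `of_node_put(args.np);` added after this validation block, and again after the `#mux-control-cells` block in the next hunk, drops the reference while mux_get() is still running, so any later statement that formats `args.np` would still touch the node after the put. The rest of the function lies outside these hunks; if a later check (for example a range check on `controller`) logs `args.np` with `%pOF`, this patch leaves that path unfixed. Holding the reference until the function exits would cover every diagnostic: remove the two mid-function puts and release once through a shared label, e.g. `out_put_np: of_node_put(args.np); return ret_mux;`, where `ret_mux` is a placeholder for whatever the function returns. That also collapses five scattered put sites into one, which is easier to keep correct when new error paths are added.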
@@ -591,9 +594,11 @@ static struct mux_control *mux_get(struct device *dev, const char *mux_name,
dev_err(dev, "%pOF: wrong #mux-control-cells for %pOF\n",
np, args.np);
put_device(&mux_chip->dev);
+ of_node_put(args.np);
return ERR_PTR(-EINVAL);
}
+ of_node_put(args.np);
if (args.args_count)
controller = args.args[0];
}
--
2.34.1