[PATCH] cpufreq: scmi: Fix of_node use-after-free in scmi_dev_used_by_cpus()

Hans Zhang posted 1 patch 1 month, 1 week ago
Posted by Hans Zhang 1 month, 1 week ago
In scmi_dev_used_by_cpus(), the code previously released the of_node
reference via of_node_put(np) before checking whether np equals scmi_np.
This could lead to a use-after-free if the node pointer was accessed
after being freed. Reorder the logic to perform the comparison first
and only put the node after the check, or immediately return if they
match. This ensures safe reference counting and avoids potential kernel
crashes.

Fixes: 6c9bb8692272 ("cpufreq: scmi: Skip SCMI devices that aren't used by the CPUs")
Signed-off-by: Hans Zhang <18255117159@163.com>
---
 drivers/cpufreq/scmi-cpufreq.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/drivers/cpufreq/scmi-cpufreq.c b/drivers/cpufreq/scmi-cpufreq.c
index 4edb4f7a8aa9..187aeb65e221 100644
--- a/drivers/cpufreq/scmi-cpufreq.c
+++ b/drivers/cpufreq/scmi-cpufreq.c
@@ -413,17 +413,19 @@ static bool scmi_dev_used_by_cpus(struct device *scmi_dev)
 		cpu_np = dev_of_node(cpu_dev);
 
 		np = of_parse_phandle(cpu_np, "clocks", 0);
-		of_node_put(np);
-
-		if (np == scmi_np)
+		if (np == scmi_np) {
+			of_node_put(np);
 			return true;
+		}
+		of_node_put(np);
 
 		idx = of_property_match_string(cpu_np, "power-domain-names", "perf");
 		np = of_parse_phandle(cpu_np, "power-domains", idx);
-		of_node_put(np);
-
-		if (np == scmi_np)
+		if (np == scmi_np) {
+			of_node_put(np);
 			return true;
+		}
+		of_node_put(np);
 	}
 
 	/*
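Review bot: The use-after-free this hunk is meant to close is not present in the removed lines: after `of_node_put(np)` the old code only evaluates `np == scmi_np`, a comparison of pointer values, and never dereferences `np`, so moving the put below the compare changes no observable behaviour. If the reorder is kept as a readability tidy-up, drop the `Fixes:` tag (nothing is being fixed, and the tag would queue the patch for stable) and reword the commit message to match; the duplicated `of_node_put(np); return true;` blocks can also be avoided with one put per phandle, e.g. `match = (np == scmi_np); of_node_put(np); if (match) return true;`. Note that `of_node_put(NULL)` is a no-op, so the NULL return from `of_parse_phandle()` is handled the same way in both orderings.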
-- 
2.34.1
Re: [PATCH] cpufreq: scmi: Fix of_node use-after-free in scmi_dev_used_by_cpus()
Posted by Viresh Kumar 1 month, 1 week ago
On 02-03-26, 23:53, Hans Zhang wrote:
> In scmi_dev_used_by_cpus(), the code previously released the of_node
> reference via of_node_put(np) before checking whether np equals scmi_np.
> This could lead to a use-after-free if the node pointer was accessed
> after being freed. Reorder the logic to perform the comparison first
> and only put the node after the check, or immediately return if they
> match. This ensures safe reference counting and avoids potential kernel
> crashes.

It shouldn't lead to a use-after-free problem as we aren't using the `np` for
anything apart from simple comparison of value.

-- 
viresh
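Viresh's point, worked through in a small user-space model. This is an added example, not kernel code and not part of the patch: mock_of_parse_phandle(), mock_of_node_put(), run_ordering() and deref_after_put_is_valid() are my names, not kernel APIs, and the two-CPU device tree is constructed inline. It assumes the SCMI node is held by its device while the scan runs, and shows that the old put-then-compare order and the patched compare-then-put order return the same verdict with refcounts balanced, whereas reading through the pointer after the last put is what would actually be a use-after-free.

```c
/*
 * Added example, not kernel code: a user-space model of the of_node
 * reference counting behind scmi_dev_used_by_cpus(), comparing the two
 * orderings discussed in the thread. Assumptions (mine): the phandle
 * lookup returns a node with its refcount raised, the put marks the node
 * freed when the count hits zero, and the SCMI node stays held by its device.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct mock_node {
	const char *name;
	int refcount;	/* stands in for the kobject refcount behind of_node_get/put */
	bool freed;	/* set once the last reference is dropped */
};

struct mock_cpu {
	struct mock_node *clock;	/* target of "clocks" phandle, NULL if absent */
	struct mock_node *perf_domain;	/* "power-domains" entry named "perf" */
};

/* Like of_parse_phandle(): hand back a node with a reference, or NULL. */
static struct mock_node *mock_of_parse_phandle(struct mock_node *target)
{
	if (target)
		target->refcount++;
	return target;
}

/* Like of_node_put(): NULL is accepted; the last reference releases the node. */
static void mock_of_node_put(struct mock_node *np)
{
	if (np && --np->refcount == 0)
		np->freed = true;
}

/* Old ordering: drop the reference, then compare pointer values only. */
static bool used_by_cpus_put_then_compare(struct mock_cpu *cpus, size_t n,
					  struct mock_node *scmi_np)
{
	for (size_t i = 0; i < n; i++) {
		struct mock_node *np;

		np = mock_of_parse_phandle(cpus[i].clock);
		mock_of_node_put(np);
		if (np == scmi_np)	/* np is compared, never dereferenced */
			return true;

		np = mock_of_parse_phandle(cpus[i].perf_domain);
		mock_of_node_put(np);
		if (np == scmi_np)
			return true;
	}
	return false;
}

/* Patch ordering: compare while the reference is held, then drop it. */
static bool used_by_cpus_compare_then_put(struct mock_cpu *cpus, size_t n,
					  struct mock_node *scmi_np)
{
	for (size_t i = 0; i < n; i++) {
		struct mock_node *np;

		np = mock_of_parse_phandle(cpus[i].clock);
		if (np == scmi_np) {
			mock_of_node_put(np);
			return true;
		}
		mock_of_node_put(np);

		np = mock_of_parse_phandle(cpus[i].perf_domain);
		if (np == scmi_np) {
			mock_of_node_put(np);
			return true;
		}
		mock_of_node_put(np);
	}
	return false;
}

/*
 * Build a two-CPU tree (constructed sample data), run one ordering and
 * return 1/0 for its verdict, or -1 if a refcount ended up unbalanced.
 */
static int run_ordering(bool patched, bool cpu0_uses_scmi)
{
	struct mock_node scmi = { "scmi", 1, false };	/* held by the SCMI device */
	struct mock_node other = { "other", 1, false };
	struct mock_cpu cpus[2] = {
		{ cpu0_uses_scmi ? &scmi : &other, &other },
		{ NULL, &other },	/* cpu1 has no "clocks" property */
	};
	bool hit = patched ? used_by_cpus_compare_then_put(cpus, 2, &scmi)
			   : used_by_cpus_put_then_compare(cpus, 2, &scmi);

	if (scmi.refcount != 1 || scmi.freed || other.refcount != 1 || other.freed)
		return -1;
	return hit ? 1 : 0;
}

/*
 * What a real use-after-free looks like in this model: the phandle lookup
 * holds the only reference, it is dropped, and the node is then read
 * through the pointer. Returns false because the node is already released.
 */
static bool deref_after_put_is_valid(void)
{
	struct mock_node dyn = { "dynamic", 0, false };	/* no other holder */
	struct mock_node *np = mock_of_parse_phandle(&dyn);

	mock_of_node_put(np);
	return !np->freed;	/* this read is the dereference the kernel must not do */
}

int main(void)
{
	printf("old ordering:     match=%d nomatch=%d\n",
	       run_ordering(false, true), run_ordering(false, false));
	printf("patched ordering: match=%d nomatch=%d\n",
	       run_ordering(true, true), run_ordering(true, false));
	printf("deref after last put valid: %d\n", deref_after_put_is_valid());
	return 0;
}
```

Both orderings give the same verdict and leave every refcount where it started; only the last function, which reads the node after its final put, models the hazard the commit message describes.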
Re: [PATCH] cpufreq: scmi: Fix of_node use-after-free in scmi_dev_used_by_cpus()
Posted by Hans Zhang 1 month ago

On 3/3/26 12:20, Viresh Kumar wrote:
> On 02-03-26, 23:53, Hans Zhang wrote:
>> In scmi_dev_used_by_cpus(), the code previously released the of_node
>> reference via of_node_put(np) before checking whether np equals scmi_np.
>> This could lead to a use-after-free if the node pointer was accessed
>> after being freed. Reorder the logic to perform the comparison first
>> and only put the node after the check, or immediately return if they
>> match. This ensures safe reference counting and avoids potential kernel
>> crashes.
> 
> It shouldn't lead to a use-after-free problem as we aren't using the `np` for
> anything apart from simple comparison of value.
> 

Hi Viresh,

Thank you very much for your reply. Then, do you think this patch is 
necessary? Or should I revise the commit message?

Best regards,
Hans
Re: [PATCH] cpufreq: scmi: Fix of_node use-after-free in scmi_dev_used_by_cpus()
Posted by Viresh Kumar 1 month ago
On 09-03-26, 10:20, Hans Zhang wrote:
> Thank you very much for your reply. Then, do you think this patch is
> necessary?

No, this patch isn't required I think.

-- 
viresh