CVE-2026-46308
Description
Linux kernel use-after-free in mediatek pmdomain driver due to improper node handling, potentially leading to system instability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A use-after-free vulnerability exists in the scpsys_get_bus_protection_legacy() function within the Linux kernel's mediatek pmdomain driver. The issue arises because of_node_put(node) is called before the return value of syscon_regmap_lookup_by_phandle() is checked. If the lookup returns an error, dev_err_probe() is passed node as the argument for its %pOF format specifier and dereferences it; by then the reference has been dropped and the node may already have been freed, which is the use-after-free.
Exploitation
An attacker would need to drive scpsys_get_bus_protection_legacy() down a specific error path. This typically requires kernel-level access or a specific configuration in which syscon_regmap_lookup_by_phandle() fails after of_find_node_with_property() has successfully incremented the node's reference count and of_node_put() has been called prematurely.
Impact
Successful exploitation of this use-after-free vulnerability can lead to kernel memory corruption, potentially resulting in system instability, crashes, or denial-of-service. In some scenarios, it might be possible to leverage this for privilege escalation, although this is not explicitly detailed in the available references.
Mitigation
The vulnerability has been resolved by moving the of_node_put() call to occur after the error check in scpsys_get_bus_protection_legacy(). The fix is available in the Linux kernel version referenced by commit 38d8410021b55d226847b2ac8d189d89fe5a8866 [1]. Users should update to a patched kernel version. No workarounds are specified.
AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (6)
ec1fcddb3117 pmdomain: mediatek: fix use-after-free in scpsys_get_bus_protection_legacy()
1 file changed · +7 −4
drivers/pmdomain/mediatek/mtk-pm-domains.c+7 −4 modifieddiff --git a/drivers/pmdomain/mediatek/mtk-pm-domains.c b/drivers/pmdomain/mediatek/mtk-pm-domains.c index d2b8d03329515..e1cfd42234734 100644 --- a/drivers/pmdomain/mediatek/mtk-pm-domains.c +++ b/drivers/pmdomain/mediatek/mtk-pm-domains.c @@ -1015,6 +1015,7 @@ static int scpsys_get_bus_protection_legacy(struct device *dev, struct scpsys *s struct device_node *node, *smi_np; int num_regmaps = 0, i, j; struct regmap *regmap[3]; + int ret = 0; /* * Legacy code retrieves a maximum of three bus protection handles: @@ -1065,11 +1066,14 @@ static int scpsys_get_bus_protection_legacy(struct device *dev, struct scpsys *s if (node) { regmap[2] = syscon_regmap_lookup_by_phandle(node, "mediatek,infracfg-nao"); num_regmaps++; - of_node_put(node); - if (IS_ERR(regmap[2])) - return dev_err_probe(dev, PTR_ERR(regmap[2]), + if (IS_ERR(regmap[2])) { + ret = dev_err_probe(dev, PTR_ERR(regmap[2]), "%pOF: failed to get infracfg regmap\n", node); + of_node_put(node); + return ret; + } + of_node_put(node); } else { regmap[2] = NULL; } -- cgit 1.3-korg
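Review bot: the second hunk leaves the ordering constraint undocumented: of_node_put(node) must stay below dev_err_probe() because node is the argument for "%pOF" in the error message. A one-line comment above the put inside the IS_ERR(regmap[2]) branch, saying that node is still read by the error print, would keep a later cleanup from moving the put back above the check.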
cb27e43c0511 pmdomain: mediatek: fix use-after-free in scpsys_get_bus_protection_legacy()
1 file changed · +7 −4
drivers/pmdomain/mediatek/mtk-pm-domains.c+7 −4 modifieddiff --git a/drivers/pmdomain/mediatek/mtk-pm-domains.c b/drivers/pmdomain/mediatek/mtk-pm-domains.c index 269634bcd9a40..1716d726b8cca 100644 --- a/drivers/pmdomain/mediatek/mtk-pm-domains.c +++ b/drivers/pmdomain/mediatek/mtk-pm-domains.c @@ -757,6 +757,7 @@ static int scpsys_get_bus_protection_legacy(struct device *dev, struct scpsys *s struct device_node *node, *smi_np; int num_regmaps = 0, i, j; struct regmap *regmap[3]; + int ret = 0; /* * Legacy code retrieves a maximum of three bus protection handles: @@ -807,11 +808,14 @@ static int scpsys_get_bus_protection_legacy(struct device *dev, struct scpsys *s if (node) { regmap[2] = syscon_regmap_lookup_by_phandle(node, "mediatek,infracfg-nao"); num_regmaps++; - of_node_put(node); - if (IS_ERR(regmap[2])) - return dev_err_probe(dev, PTR_ERR(regmap[2]), + if (IS_ERR(regmap[2])) { + ret = dev_err_probe(dev, PTR_ERR(regmap[2]), "%pOF: failed to get infracfg regmap\n", node); + of_node_put(node); + return ret; + } + of_node_put(node); } else { regmap[2] = NULL; } -- cgit 1.3-korg
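Review bot: in the second hunk, num_regmaps++ still runs before IS_ERR(regmap[2]) is tested, so the counter briefly covers a slot holding an error pointer. The error branch returns immediately, so nothing in the visible lines reads the count in that state, but moving the increment below the check would keep num_regmaps equal to the number of valid entries in regmap[].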
38d8410021b5 pmdomain: mediatek: fix use-after-free in scpsys_get_bus_protection_legacy()
1 file changed · +7 −4
drivers/pmdomain/mediatek/mtk-pm-domains.c+7 −4 modifieddiff --git a/drivers/pmdomain/mediatek/mtk-pm-domains.c b/drivers/pmdomain/mediatek/mtk-pm-domains.c index e2800aa1bc597..d3b36f32417c7 100644 --- a/drivers/pmdomain/mediatek/mtk-pm-domains.c +++ b/drivers/pmdomain/mediatek/mtk-pm-domains.c @@ -993,6 +993,7 @@ static int scpsys_get_bus_protection_legacy(struct device *dev, struct scpsys *s struct device_node *node, *smi_np; int num_regmaps = 0, i, j; struct regmap *regmap[3]; + int ret = 0; /* * Legacy code retrieves a maximum of three bus protection handles: @@ -1043,11 +1044,14 @@ static int scpsys_get_bus_protection_legacy(struct device *dev, struct scpsys *s if (node) { regmap[2] = syscon_regmap_lookup_by_phandle(node, "mediatek,infracfg-nao"); num_regmaps++; - of_node_put(node); - if (IS_ERR(regmap[2])) - return dev_err_probe(dev, PTR_ERR(regmap[2]), + if (IS_ERR(regmap[2])) { + ret = dev_err_probe(dev, PTR_ERR(regmap[2]), "%pOF: failed to get infracfg regmap\n", node); + of_node_put(node); + return ret; + } + of_node_put(node); } else { regmap[2] = NULL; } -- cgit 1.3-korg
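Review bot: the first hunk adds `int ret = 0;` at function scope, but in the visible lines ret is only written and read inside the IS_ERR(regmap[2]) branch of the second hunk, so the initializer is never observed. Declaring `int ret;` inside that branch would keep the variable next to its only use and avoid suggesting that the function's other exits return it.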
Vulnerability mechanics
Root cause
"The function `scpsys_get_bus_protection_legacy` calls `of_node_put` before checking for errors from `syscon_regmap_lookup_by_phandle`, leading to a use-after-free."
Attack vector
An attacker can trigger this vulnerability by providing a malformed device tree that causes `syscon_regmap_lookup_by_phandle` to return an error. This error path is taken after `of_node_put` has already been called, leading to a use-after-free when `dev_err_probe` attempts to access the freed node.
Affected code
The vulnerability exists in the `scpsys_get_bus_protection_legacy` function within the file `drivers/pmdomain/mediatek/mtk-pm-domains.c`. Specifically, the issue lies in the handling of the device node obtained via `of_find_node_with_property` and its subsequent use with `syscon_regmap_lookup_by_phandle`.
What the fix does
The patch moves the call to `of_node_put(node)` to occur after the error check for `syscon_regmap_lookup_by_phandle`. This ensures that the device node is only released after it is no longer needed, preventing `dev_err_probe` from dereferencing a freed pointer in the error handling path.
Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
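A user-space model of the reference ordering described above, added here as an illustration and not taken from the kernel or the patch: struct node, node_put(), report_error() and probe() are constructed stand-ins for struct device_node, of_node_put(), dev_err_probe() and the affected code path, and the path string is sample data. Release is modelled by a flag plus a poison fill, so a read after the last put can be counted without touching freed memory.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for struct device_node: a refcounted object. */
struct node {
	int refcount;
	int released;		/* set when the last reference is dropped */
	char path[32];
};

static int stale_reads;		/* reads seen after the last reference was dropped */

/* Model of of_node_put(): at zero the object is "freed" and poisoned. */
static void node_put(struct node *n)
{
	if (--n->refcount == 0) {
		n->released = 1;
		memset(n->path, 0x6b, sizeof(n->path) - 1);
	}
}

/* Model of dev_err_probe(dev, err, "%pOF: ...", node): it reads the node. */
static int report_error(const struct node *n, int err)
{
	if (n->released)
		stale_reads++;
	fprintf(stderr, "%s: failed to get infracfg regmap\n", n->path);
	return err;
}

/* Runs the lookup/put/report sequence; returns the number of stale reads. */
static int probe(int fixed, int lookup_fails)
{
	struct node n = { .refcount = 1, .path = "/soc/infracfg" };
	int err = lookup_fails ? -ENODEV : 0;	/* modelled syscon lookup result */
	stale_reads = 0;
	if (!fixed)
		node_put(&n);		/* pre-fix: reference dropped before the check */
	if (err)
		report_error(&n, err);
	if (fixed)
		node_put(&n);		/* post-fix: dropped after the last use */
	return stale_reads;
}

int main(void)
{
	printf("pre-fix stale reads: %d, post-fix: %d\n", probe(0, 1), probe(1, 1));
}
```

With the pre-fix ordering the error message prints the poison fill instead of the node path; on a real kernel the equivalent read is what KASAN reports as a use-after-free.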
References (3)
News mentions (1)
- Linux Kernel: 25 Vulnerabilities Disclosed in Single Batch on June 8, 2026 (Vypr Intelligence · Jun 8, 2026)