[PATCH 2/3] soc: samsung: exynos-pmu: fix use-after-free of interrupt generator node
From: Alexey Klimov
Date: Fri Jun 05 2026 - 16:20:09 EST
setup_cpuhp_and_cpuidle() parses the device tree node for the
interrupt generation block via of_parse_phandle() and decrements its
reference count using of_node_put() immediately after fetching the resource
address. However, later the intr_gen_node pointer is passed into
of_syscon_register_regmap().
Fix this by moving the of_node_put() invocation to after the
of_syscon_register_regmap() call, and adding it to correct error paths.
Reported-by: Sashiko <sashiko-bot@xxxxxxxxxx>
Closes: https://sashiko.dev/#/patchset/20260513-exynos850-cpuhotplug-v4-0-54fec5f65362@xxxxxxxxxx?part=3
Fixes: 78b72897a5c8 ("soc: samsung: exynos-pmu: Enable CPU Idle for gs101")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Alexey Klimov <alexey.klimov@xxxxxxxxxx>
---
drivers/soc/samsung/exynos-pmu.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/drivers/soc/samsung/exynos-pmu.c b/drivers/soc/samsung/exynos-pmu.c
index 6e635872247a..9636287f6794 100644
--- a/drivers/soc/samsung/exynos-pmu.c
+++ b/drivers/soc/samsung/exynos-pmu.c
@@ -428,23 +428,30 @@ static int setup_cpuhp_and_cpuidle(struct device *dev)
* syscon provided regmap.
*/
ret = of_address_to_resource(intr_gen_node, 0, &intrgen_res);
- of_node_put(intr_gen_node);
+ if (ret) {
+ of_node_put(intr_gen_node);
+ return ret;
+ }
virt_addr = devm_ioremap(dev, intrgen_res.start,
resource_size(&intrgen_res));
- if (!virt_addr)
+ if (!virt_addr) {
+ of_node_put(intr_gen_node);
return -ENOMEM;
+ }
pmu_context->pmuintrgen = devm_regmap_init_mmio(dev, virt_addr,
®map_pmu_intr);
if (IS_ERR(pmu_context->pmuintrgen)) {
dev_err(dev, "failed to initialize pmu-intr-gen regmap\n");
+ of_node_put(intr_gen_node);
return PTR_ERR(pmu_context->pmuintrgen);
}
/* register custom mmio regmap with syscon */
ret = of_syscon_register_regmap(intr_gen_node,
pmu_context->pmuintrgen);
+ of_node_put(intr_gen_node);
if (ret)
return ret;
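Review bot: The of_node_put(intr_gen_node) placed directly after of_syscon_register_regmap() is only safe if that function does not keep the node pointer beyond the call without taking its own reference, and neither the hunk nor the commit message says which is the case. Please state in the commit message who owns the reference once registration succeeds; if syscon stores the bare pointer, the put on the success path just moves the stale-pointer window later, and the reference should be dropped only when ret is non-zero. As a smaller point, the three identical "of_node_put(intr_gen_node); return ...;" pairs added on the error paths above could be folded into a single exit label, or a scoped __free(device_node) declaration where the stable targets support it, so that a future early return cannot skip the put.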
--
2.51.0