CVE-2022-50283 in Linux
Summary
by MITRE • 09/15/2025
In the Linux kernel, the following vulnerability has been resolved:
mtd: core: add missing of_node_get() in dynamic partitions code
This fixes unbalanced of_node_put():
[ 1.078910] 6 cmdlinepart partitions found on MTD device gpmi-nand
[ 1.085116] Creating 6 MTD partitions on "gpmi-nand":
[ 1.090181] 0x000000000000-0x000008000000 : "nandboot"
[ 1.096952] 0x000008000000-0x000009000000 : "nandfit"
[ 1.103547] 0x000009000000-0x00000b000000 : "nandkernel"
[ 1.110317] 0x00000b000000-0x00000c000000 : "nanddtb"
[ 1.115525] ------------[ cut here ]------------
[ 1.120141] refcount_t: addition on 0; use-after-free.
[ 1.125328] WARNING: CPU: 0 PID: 1 at lib/refcount.c:25 refcount_warn_saturate+0xdc/0x148
[ 1.133528] Modules linked in:
[ 1.136589] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.0.0-rc7-next-20220930-04543-g8cf3f7
[ 1.146342] Hardware name: Freescale i.MX8DXL DDR3L EVK (DT)
[ 1.151999] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 1.158965] pc : refcount_warn_saturate+0xdc/0x148
[ 1.163760] lr : refcount_warn_saturate+0xdc/0x148
[ 1.243365] Call trace:
[ 1.245806] refcount_warn_saturate+0xdc/0x148
[ 1.250253] kobject_get+0x98/0x9c
[ 1.253658] of_node_get+0x20/0x34
[ 1.257072] of_fwnode_get+0x3c/0x54
[ 1.260652] fwnode_get_nth_parent+0xd8/0xf4
[ 1.264926] fwnode_full_name_string+0x3c/0xb4
[ 1.269373] device_node_string+0x498/0x5b4
[ 1.273561] pointer+0x41c/0x5d0
[ 1.276793] vsnprintf+0x4d8/0x694
[ 1.280198] vprintk_store+0x164/0x528
[ 1.283951] vprintk_emit+0x98/0x164
[ 1.287530] vprintk_default+0x44/0x6c
[ 1.291284] vprintk+0xf0/0x134
[ 1.294428] _printk+0x54/0x7c
[ 1.297486] of_node_release+0xe8/0x128
[ 1.301326] kobject_put+0x98/0xfc
[ 1.304732] of_node_put+0x1c/0x28
[ 1.308137] add_mtd_device+0x484/0x6d4
[ 1.311977] add_mtd_partitions+0xf0/0x1d0
[ 1.316078] parse_mtd_partitions+0x45c/0x518
[ 1.320439] mtd_device_parse_register+0xb0/0x274
[ 1.325147] gpmi_nand_probe+0x51c/0x650
[ 1.329074] platform_probe+0xa8/0xd0
[ 1.332740] really_probe+0x130/0x334
[ 1.336406] __driver_probe_device+0xb4/0xe0
[ 1.340681] driver_probe_device+0x3c/0x1f8
[ 1.344869] __driver_attach+0xdc/0x1a4
[ 1.348708] bus_for_each_dev+0x80/0xcc
[ 1.352548] driver_attach+0x24/0x30
[ 1.356127] bus_add_driver+0x108/0x1f4
[ 1.359967] driver_register+0x78/0x114
[ 1.363807] __platform_driver_register+0x24/0x30
[ 1.368515] gpmi_nand_driver_init+0x1c/0x28
[ 1.372798] do_one_initcall+0xbc/0x238
[ 1.376638] do_initcall_level+0x94/0xb4
[ 1.380565] do_initcalls+0x54/0x94
[ 1.384058] do_basic_setup+0x1c/0x28
[ 1.387724] kernel_init_freeable+0x110/0x188
[ 1.392084] kernel_init+0x20/0x1a0
[ 1.395578] ret_from_fork+0x10/0x20
[ 1.399157] ---[ end trace 0000000000000000 ]---
[ 1.403782] ------------[ cut here ]------------
Analysis
by VulDB Data Team • 01/10/2026
The vulnerability described in CVE-2022-50283 resides within the Linux kernel's MTD (Memory Technology Device) subsystem, specifically within the dynamic partitions code. This issue manifests as an unbalanced of_node_put() call, which leads to a use-after-free condition that can result in system instability or potential exploitation. The MTD subsystem is responsible for managing flash memory devices, and the dynamic partitions functionality allows for the creation of multiple logical partitions on a single physical MTD device. The problem occurs during the initialization of MTD devices, particularly when processing partition information from device trees, which is a common pattern in embedded systems using platforms like the Freescale i.MX8DXL.
The technical flaw stems from a missing of_node_get() call in the dynamic partitions code path, creating an imbalance in reference counting for device tree nodes. When the kernel attempts to parse MTD partitions and subsequently releases the device tree node references, it encounters a refcount_t addition on zero, indicating that a reference is being taken on a node whose count has already dropped to zero. This condition triggers a kernel warning and ultimately results in a kernel oops, as demonstrated in the provided stack trace. The call trace shows the sequence leading to the issue, beginning with the device tree parsing and partition creation, ultimately reaching the of_node_release function where the unbalanced reference count causes the system to panic. This vulnerability directly aligns with CWE-476, which describes a NULL pointer dereference, and more specifically with CWE-128, which deals with wrap or overflow of integer values, though the primary impact is in reference counting rather than arithmetic overflow.
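The imbalance described above, modelled in user space as an added example (it is not kernel code and not the upstream patch). The struct, the function names and the starting count of four references are assumptions; the release step taking a reference mirrors the of_node_release to of_node_get frames in the trace.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space stand-in for a refcounted device tree node (hypothetical type). */
struct node {
    int  refcount;  /* references currently held */
    bool released;  /* release handler ran: the memory would be freed here */
    bool warned;    /* a reference was taken while the count was 0 */
};

/* Models of_node_get(): incrementing from 0 is the "addition on 0" case. */
static struct node *node_get(struct node *n)
{
    if (n->refcount == 0)
        n->warned = true;   /* the real refcount_t saturates instead of counting */
    else
        n->refcount++;
    return n;
}

/* Models of_node_put(). The put that reaches 0 runs the release handler, which
 * in the page's trace prints the node name and so takes a reference at 0. */
static void node_put(struct node *n)
{
    if (n->refcount == 0 || --n->refcount > 0)
        return;
    node_get(n);
    n->released = true;
}

/* Add nparts partitions under a parent node whose owners hold owner_refs
 * references. With take_ref false, each pass puts a reference it never took. */
static struct node add_partitions(int nparts, int owner_refs, bool take_ref)
{
    struct node parent = { .refcount = owner_refs };
    for (int i = 0; i < nparts && !parent.released; i++) {
        struct node *dn = take_ref ? node_get(&parent) : &parent;
        node_put(dn);
    }
    return parent;
}

int main(void)
{
    struct node bad = add_partitions(6, 4, false), good = add_partitions(6, 4, true);
    printf("unbalanced: refs=%d released=%d warned=%d\n", bad.refcount, bad.released, bad.warned);
    printf("balanced:   refs=%d released=%d warned=%d\n", good.refcount, good.released, good.warned);
    return 0;
}
```

In the unbalanced run the owners' four references are consumed by the fourth pass, so the node is released while its owners still point at it; the balanced run ends with the count unchanged.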
The operational impact of this vulnerability extends beyond simple system instability, as it can compromise the integrity of embedded systems that rely on MTD for critical storage operations. In the context of the ATT&CK framework, this vulnerability could be leveraged as part of a broader attack chain, potentially enabling privilege escalation or system compromise through kernel exploitation. The issue is particularly concerning in embedded environments where MTD devices are commonly used for bootloaders, firmware storage, and configuration data. Systems using the gpmi-nand MTD driver, as indicated in the stack trace, are vulnerable to this condition, which can occur during early boot stages when the kernel initializes MTD partitions and device tree nodes. The vulnerability essentially creates a race condition or memory management inconsistency that can be exploited to cause system crashes or potentially enable more sophisticated attacks.
Mitigation strategies for this vulnerability include applying the kernel patch that adds the missing of_node_get() call to balance the reference counting in the dynamic partitions code. This patch ensures that every of_node_put() call has a corresponding of_node_get() call, maintaining proper reference counting and preventing the use-after-free condition. System administrators should prioritize updating to a kernel version that includes this fix, particularly in production environments where embedded systems are deployed. Additionally, monitoring for kernel oops messages related to refcount_t and device tree node management can help detect exploitation attempts. Organizations should also consider implementing proper kernel hardening measures and maintaining up-to-date security patches for all embedded systems. The fix aligns with best practices for device tree node management and reference counting in kernel space, ensuring that all device tree references are properly managed throughout the device initialization lifecycle.
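One way to triage kernel logs for this specific signature, as an added example that is not part of the original advisory: it counts refcount_t warning blocks whose call trace contains both an of_node_put frame and an MTD registration frame. The sample log is constructed (the first block abbreviates the trace in the Summary, the second is invented and cut off), and the function names are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: block 1 abbreviates the trace in the Summary; block 2 is
 * an invented, unrelated refcount warning with no "end trace" (log cut off). */
static const char *const sample_log[] = {
    "[ 1.115525] ------------[ cut here ]------------",
    "[ 1.120141] refcount_t: addition on 0; use-after-free.",
    "[ 1.243365] Call trace:",
    "[ 1.297486] of_node_release+0xe8/0x128",
    "[ 1.304732] of_node_put+0x1c/0x28",
    "[ 1.308137] add_mtd_device+0x484/0x6d4",
    "[ 1.399157] ---[ end trace 0000000000000000 ]---",
    "[ 9.000000] ------------[ cut here ]------------",
    "[ 9.000001] refcount_t: addition on 0; use-after-free.",
    "[ 9.000002] example_driver_probe+0x10/0x20",
};

static bool has(const char *line, const char *needle) { return strstr(line, needle) != NULL; }

/* Count refcount_t "addition on 0" warning blocks whose call trace holds both
 * an of_node_put frame and an MTD registration frame. */
static int count_mtd_of_node_warnings(const char *const *lines, size_t n)
{
    bool in_block = false, put = false, mtd = false;
    int hits = 0;
    for (size_t i = 0; i <= n; i++) {
        /* End of input closes an open block, so a truncated trace still counts. */
        const char *l = (i < n) ? lines[i] : "end trace";
        if (has(l, "end trace") || has(l, "[ cut here ]")) {
            hits += in_block && put && mtd;
            in_block = false;
        } else if (has(l, "refcount_t: addition on 0")) {
            in_block = true;
            put = mtd = false;
        } else if (in_block) {
            put |= has(l, "of_node_put+");
            mtd |= has(l, "add_mtd_") || has(l, "parse_mtd_partitions+");
        }
    }
    return hits;
}

int main(void)
{
    size_t n = sizeof(sample_log) / sizeof(sample_log[0]);
    printf("matching warnings: %d\n", count_mtd_of_node_warnings(sample_log, n));
    return 0;
}
```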