CVE-2022-50632
Description
In the Linux kernel, the following vulnerability has been resolved:
drivers: perf: marvell_cn10k: Fix hotplug callback leak in tad_pmu_init()
tad_pmu_init() won't remove the callback added by cpuhp_setup_state_multi() when platform_driver_register() failed. Remove the callback by cpuhp_remove_multi_state() in fail path.
Similar to the handling of arm_ccn_init() in commit 26242b330093 ("bus: arm-ccn: Prevent hotplug callback leak").
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A hotplug callback leak in the Marvell CN10K performance monitor unit driver can lead to resource exhaustion or instability when platform driver registration fails.
Root Cause
The Marvell CN10K performance monitor unit (PMU) driver in the Linux kernel contains a resource management flaw in the tad_pmu_init() function [1]. When the kernel is configured with hotplug support, tad_pmu_init() registers a hotplug callback via cpuhp_setup_state_multi(). If the subsequent call to platform_driver_register() fails, the driver does not clean up the previously registered hotplug callback [1].
Attack Vector
This vulnerability is not directly exploitable by unprivileged users; it occurs during driver initialization at boot time or module load. An attacker with sufficient control over the system (e.g., ability to trigger a kernel module load failure) could potentially leverage this to cause a resource leak. However, typical exploitation would require local access or a scenario where the driver probe is deliberately made to fail (e.g., through controlled manipulation of device-tree or hardware configuration).
Impact
The missing cleanup results in a hotplug callback leak, meaning the callback remains registered in the kernel's hotplug state machine even after the driver fails to initialize [1]. This can lead to use-after-free or other memory corruption when the callback is later invoked (e.g., during CPU hotplug events), potentially causing kernel crashes or enabling local privilege escalation. The issue is analogous to a previously fixed bug in the ARM CCN driver (commit 26242b330093) [1].
Mitigation
A patch has been accepted into the stable Linux kernel tree, which adds a call to cpuhp_remove_multi_state() in the error path of tad_pmu_init() when platform_driver_register() fails [1]. Users should apply the corresponding stable kernel update to remediate this vulnerability.
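The error path described above, as a userspace C model added here (not the driver's or the kernel's code). The mock_* functions, the 8-slot table, the state name and the errno constants are assumptions standing in for cpuhp_setup_state_multi(), cpuhp_remove_multi_state() and platform_driver_register().

```c
#include <stdio.h>
#include <string.h>
/* Userspace model: mock_* functions stand in for the kernel APIs. */
#define NSLOTS 8                    /* constructed size of the dynamic-state table */
#define MOCK_ENOSPC 28
static const char *slots[NSLOTS];   /* non-NULL = hotplug callback still registered */
static int register_result;         /* value the mock driver registration returns */

/* Models cpuhp_setup_state_multi(): claims a free state, returns its index. */
static int mock_cpuhp_setup_state_multi(const char *name)
{
    for (int i = 0; i < NSLOTS; i++)
        if (!slots[i]) { slots[i] = name; return i; }
    return -MOCK_ENOSPC;
}

/* Model cpuhp_remove_multi_state() and platform_driver_register(). */
static void mock_cpuhp_remove_multi_state(int state) { slots[state] = NULL; }
static int mock_platform_driver_register(void) { return register_result; }

/* Init path of the model; cleanup=0 is the leaky form, cleanup=1 the fixed one. */
static int model_init(int cleanup)
{
    int state = mock_cpuhp_setup_state_multi("model/pmu:online");
    if (state < 0)
        return state;
    int ret = mock_platform_driver_register();
    if (ret && cleanup)
        mock_cpuhp_remove_multi_state(state);  /* the fix: undo setup on failure */
    return ret;
}

/* Run `attempts` failing inits from a clean table; return states left behind. */
static int leaked_after(int attempts, int cleanup)
{
    int used = 0;
    memset(slots, 0, sizeof(slots));
    register_result = -19;                     /* constructed failure (-ENODEV) */
    for (int i = 0; i < attempts; i++)
        model_init(cleanup);
    for (int i = 0; i < NSLOTS; i++)
        used += slots[i] != NULL;
    return used;
}

int main(void)
{
    printf("leaky: %d, fixed: %d\n", leaked_after(3, 0), leaked_after(3, 1));
    return 0;
}
```

In the model, every failed init of the leaky form leaves one state occupied, so repeated failures fill the table and later setup calls return an error.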
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 3
367404bfd1aa
7772f4de9341
973ae93d80d9
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 3