Unrated severity · NVD Advisory · Published Dec 9, 2025 · Updated Apr 15, 2026

CVE-2022-50633

Description

In the Linux kernel, the following vulnerability has been resolved:

usb: dwc3: qcom: Fix memory leak in dwc3_qcom_interconnect_init

of_icc_get() allocates resources for the path handle; we should release it when it is no longer needed, like the release in the dwc3_qcom_interconnect_exit() function. Add icc_put() in error handling to fix this.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A memory leak in the Linux kernel's USB DWC3 Qualcomm driver occurs when interconnect initialization fails because acquired path handles are not released.

In the Linux kernel, a memory leak vulnerability exists in the DWC3 USB controller driver for Qualcomm platforms (drivers/usb/dwc3/dwc3-qcom.c). The function dwc3_qcom_interconnect_init() calls of_icc_get() to acquire interconnect path handles, but in error paths, those handles are not released. This oversight leads to a memory leak because the allocated handle resources are never freed when the initialization fails.

An attacker with local access to the system—such as root or a user capable of triggering USB subsystem resets or device probe failures—could exploit this flaw. The leak accumulates over repeated failed init attempts, depleting kernel memory. No special hardware access is needed beyond standard local user privileges [1][2].

The impact is primarily a denial-of-service scenario, where the persistent memory leak exhausts available memory, potentially causing system instability or crashes. The vulnerability does not directly allow privilege escalation or code execution, but it can degrade system reliability and availability.

The fix, committed to the Linux kernel stable tree, adds icc_put() calls in the error paths of dwc3_qcom_interconnect_init() to mirror the cleanup already performed in dwc3_qcom_interconnect_exit(). All supported stable kernel branches should backport this patch. Administrators are advised to update to the latest patched kernel version to prevent memory exhaustion [1][2].
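The leak pattern and the shape of the fix, as an added example: this is a userspace C model, not the kernel's dwc3-qcom.c source and not code from the fix commit. The `model_*` stubs, `struct model_dev`, the three-step init sequence and the `fail_at` fault injection are assumptions made for illustration, and failure is reported as NULL for simplicity.

```c
#include <errno.h>
#include <stddef.h>

/* Userspace model: the stubs below stand in for of_icc_get(), icc_put(), icc_set_bw(). */
static struct icc_path { int unused; } pool[2];
struct model_dev { struct icc_path *ddr, *apps; };  /* hypothetical driver state */
static int live_paths, step, fail_at;  /* fail_at: constructed fault-injection step */

static struct icc_path *model_icc_get(void)
{
    return ++step == fail_at ? NULL : &pool[live_paths++ % 2];
}
static void model_icc_put(struct icc_path *p) { if (p) live_paths--; }
static int model_icc_set_bw(struct icc_path *p) { (void)p; return ++step == fail_at ? -EINVAL : 0; }

/* Before: error paths return without releasing handles already acquired. */
static int init_leaky(struct model_dev *d)
{
    if (!(d->ddr = model_icc_get()))
        return -ENODEV;
    if (!(d->apps = model_icc_get()))
        return -ENODEV;          /* d->ddr is never released */
    if (model_icc_set_bw(d->ddr))
        return -EINVAL;          /* neither handle is released */
    return 0;
}

/* After: each error path releases what was acquired, in reverse order. */
static int init_fixed(struct model_dev *d)
{
    int ret = -ENODEV;
    if (!(d->ddr = model_icc_get()))
        return ret;
    if (!(d->apps = model_icc_get()))
        goto put_ddr;
    if ((ret = model_icc_set_bw(d->ddr)) == 0)
        return 0;
    model_icc_put(d->apps);
put_ddr:
    model_icc_put(d->ddr);
    return ret;
}

/* Fail init at step `fail` (1-3); return how many handles stay allocated. */
static int leaked_after(int (*init)(struct model_dev *), int fail)
{
    struct model_dev d = { NULL, NULL };
    live_paths = step = 0; fail_at = fail;
    return init(&d) ? live_paths : 0;
}
```

Each failed call to the leaky variant strands one or two handles, which is why repeated probe failures accumulate; the fixed variant returns the same error codes with nothing left allocated.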

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Linux/Kernel (inferred), 2 versions
    • (no CPE)
    • (no CPE)

Patches

5

References

5
