CVE-2022-50857

Vulnerability

In the Linux kernel's RapidIO subsystem, the function rio_register_mport() allocates a name for the device using dev_set_name(). If device_register() subsequently fails, the allocated name is not freed, leading to a memory leak. The kernel's error handling path does not call put_device() to release the reference and allow kobject_cleanup() to free the name, nor does it remove the port from the rio_mports list [1][2][3].

Exploitation

This vulnerability is triggered during the registration of a new mport device when device_register() returns an error. An attacker with the ability to cause such a registration failure (e.g., by exhausting memory or providing invalid parameters) could repeatedly trigger this leak. No special privileges are required beyond the ability to trigger RapidIO device registration are required, but the attack surface is limited to systems using the RapidIO subsystem.

Impact

An attacker exploiting this vulnerability can cause a memory leak, gradually depleting system memory and potentially leading to a denial-of-service (DoS) condition. The leak is small per occurrence but can be repeated to exhaust memory resources.

Mitigation

The fix has been applied to the Linux kernel stable branches as commits [1], [2], and [3]. Users should update to a kernel version containing these patches. No workaround is available other than applying the patch.