CVE-2022-50887

Vulnerability

In the Linux kernel's regulator subsystem, the function regulator_dev_lookup() fails to decrement the reference count of a device tree node after using it. The node is obtained via of_parse_phandle(), which increments the reference count, but the corresponding of_node_put() is missing, leading to an unbalanced refcount [1].

Exploitation

This bug is triggered during regulator lookup when the kernel parses device tree overlays that define regulator nodes. No special privileges are required; it can be triggered by loading a device tree overlay that references a regulator, which is a common operation in embedded systems and during hotplug events.

Impact

The refcount leak causes a memory leak of the device node structure. Over time, repeated overlay loading or regulator lookups can exhaust kernel memory, leading to system instability or denial of service. The kernel error message "OF: ERROR: memory leak, expected refcount 1 instead of 2" is reported when the leak is detected.

Mitigation

The fix has been applied to the Linux kernel stable branches. Patches are available in commits such as f2b41b748c19962b82709d9f23c6b2b0ce9d2f91 and others [1][2][3][4]. Users should update their kernel to a version containing the fix.