Linux Kernel Refcount Leak Vulnerability in USB Type-C TCPCI Port Management

Vulnerability

A node reference count leak vulnerability has been identified in the USB Type-C TCPCI port management of the Linux kernel. This issue occurs in the 'tcpci_register_port()' function, where the reference count of a node is improperly managed, leading to a memory leak. The vulnerability was discovered during a load test of the 'mt6370-tcpc' device, with specific configuration options enabled. The problem arises because the 'fwnode' reference, which is increased when a child node is accessed, is not properly released before the function exits. As a result, the reference count becomes unbalanced, causing a memory leak.

Impact

Exploitation of this vulnerability leads to a memory leak, where reference counts are not properly balanced, potentially causing increased memory usage and degradation of system performance over time.

Reproduction

The vulnerability can be reproduced by loading the 'mt6370-tcpc' device with the 'CONFIG_OF_UNITTEST' and 'CONFIG_OF_DYNAMIC' options enabled. During this process, the improper management of the node reference count will result in a memory leak, as indicated by an error message reporting an unbalanced reference count.

Remediation

The vulnerability has been addressed in the Linux kernel by modifying the 'tcpci_register_port()' and 'tcpci_unregister_port()' functions to ensure that the 'fwnode' reference is properly released, preventing the memory leak.
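The get/put imbalance described above, as a simplified user-space model added here for illustration; it is not the kernel's code or the actual patch. The names 'struct node', 'node_get_child()', 'node_put()' and the 'register_port_*' / 'unregister_port_*' functions are hypothetical stand-ins, and the sketch assumes the reference must be dropped both on a failed registration and at unregistration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-ins: a counted firmware node and a port holding one. */
struct node { int refcount; };
struct port { struct node *fwnode; };

/* Accessing the child node takes a reference the caller must drop. */
static struct node *node_get_child(struct node *child)
{
    child->refcount++;
    return child;
}

static void node_put(struct node *n) { if (n) n->refcount--; }

/* Leaky pattern: the reference is dropped neither on failure nor at teardown. */
static int register_port_leaky(struct port *p, struct node *child, bool fail)
{
    p->fwnode = node_get_child(child);
    return fail ? -1 : 0;
}
static void unregister_port_leaky(struct port *p) { p->fwnode = NULL; }

/* Balanced pattern: every exit after the get has a matching put. */
static int register_port_fixed(struct port *p, struct node *child, bool fail)
{
    p->fwnode = node_get_child(child);
    if (fail) {
        node_put(p->fwnode);
        p->fwnode = NULL;
        return -1;
    }
    return 0;
}
static void unregister_port_fixed(struct port *p) { node_put(p->fwnode); p->fwnode = NULL; }

/* Run load/unload cycles (every second registration fails); return leaked refs. */
static int leaked_refs(bool fixed, int cycles)
{
    struct node child = { .refcount = 1 };   /* baseline reference held by the tree */
    for (int i = 0; i < cycles; i++) {
        struct port p = { NULL };
        bool fail = (i % 2 == 1);
        if (fixed) { if (register_port_fixed(&p, &child, fail) == 0) unregister_port_fixed(&p); }
        else       { if (register_port_leaky(&p, &child, fail) == 0) unregister_port_leaky(&p); }
    }
    return child.refcount - 1;
}

int main(void) { printf("leaky=%d fixed=%d\n", leaked_refs(false, 10), leaked_refs(true, 10)); return 0; }
```

In the leaky variant the count grows by one per load attempt, which is the kind of imbalance the unbalanced-reference-count error message reports.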

Added: Sep 15, 2025, 9:39 PM
Updated: Sep 15, 2025, 9:39 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.6
exploitability: 4.3
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.