Linux Kernel CXL Refcount Leak Vulnerability in CAP Routing Calculation

Vulnerability

A refcount leak vulnerability has been identified in the Linux kernel's CXL (Cache Express Link) driver, specifically within the function responsible for calculating capability routing. The function 'cxl_calc_capp_routing' returns a node pointer with an incremented reference count but fails to decrement it in the error handling path. The reference is therefore never released on that path, leading to a memory leak. The vulnerability affects several versions of the Linux kernel.

Impact

Exploitation of this vulnerability leads to a memory leak: references that are never released keep memory allocated, potentially causing increased memory usage and degraded system performance over time.

Reproduction

The vulnerability can be reproduced by invoking the 'cxl_calc_capp_routing' function with a scenario that triggers the error path, such as passing an invalid PCI device or chip ID. This will cause the function to return an error while leaving the reference count of the node pointer incremented, thus creating a refcount leak.

Remediation

The vulnerability has been addressed in the Linux kernel by adding the missing 'of_node_put()' calls in the error path of the 'cxl_calc_capp_routing' function. Users should upgrade to the latest version of the Linux kernel where this fix has been applied.
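
The leak and its fix can be seen in a small userspace model. This is an added example, not the kernel's code: `struct node`, `node_get`, `node_put`, `lookup_port`, `routing_leaky`, `routing_fixed` and `leaked_refs` are hypothetical names, with `node_put` standing in for 'of_node_put()' and a negative chip ID modelling the invalid input that triggers the error path.

```c
/* Userspace model of a refcounted device-tree node (constructed for illustration). */
struct node { int refcount; int chip_id; };

/* Stand-ins for the kernel's get/put helpers: every get needs a matching put. */
static struct node *node_get(struct node *n) { n->refcount++; return n; }
static void node_put(struct node *n) { n->refcount--; }

/* Hypothetical lookup: a negative chip_id models an invalid chip ID. */
static int lookup_port(const struct node *n, int *port)
{
    if (n->chip_id < 0)
        return -1;
    *port = n->chip_id * 2;
    return 0;
}

/* Leaky shape: the reference is dropped on the success path only. */
int routing_leaky(struct node *dev, int *port)
{
    struct node *np = node_get(dev);

    if (lookup_port(np, port))
        return -1;          /* returns while still holding np */
    node_put(np);
    return 0;
}

/* Fixed shape: the error path releases the reference before returning. */
int routing_fixed(struct node *dev, int *port)
{
    struct node *np = node_get(dev);

    if (lookup_port(np, port)) {
        node_put(np);       /* the put that was missing */
        return -1;
    }
    node_put(np);
    return 0;
}

/* Returns how many references remain held after `calls` failing invocations. */
int leaked_refs(int (*fn)(struct node *, int *), int calls)
{
    struct node bad = { .refcount = 1, .chip_id = -1 };
    int port = 0;
    for (int i = 0; i < calls; i++)
        fn(&bad, &port);
    return bad.refcount - 1;
}
```

Each failing call to the leaky version leaves one more reference outstanding, so the node can never be freed; the fixed version returns the count to its starting value on every path.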

Added: Sep 15, 2025, 6:49 PM
Updated: Sep 15, 2025, 6:49 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.