CVE-2021-47151 in Linuxinfo

Summary

by MITRE • 03/25/2024

In the Linux kernel, the following vulnerability has been resolved:

interconnect: qcom: bcm-voter: add a missing of_node_put()

Add a missing of_node_put() in of_bcm_voter_get() to avoid the reference leak.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 08/04/2025

The vulnerability identified as CVE-2021-47151 represents a memory management issue within the Linux kernel's interconnect subsystem, specifically affecting Qualcomm's bcm-voter driver implementation. This flaw resides in the device tree node handling mechanism where the kernel fails to properly release references to device tree nodes, creating a potential resource leak that could accumulate over time and impact system stability. The vulnerability affects systems utilizing Qualcomm SoCs with interconnect infrastructure and demonstrates a fundamental failure in proper reference counting within the device tree subsystem.

The technical flaw manifests in the of_bcm_voter_get() function where the kernel obtains a reference to a device tree node using of_get_child_by_name() or similar functions but fails to call of_node_put() to release that reference. This pattern creates a reference leak where device tree node references remain active even after the node is no longer needed, causing the kernel's device tree subsystem to maintain unnecessary references to memory structures. The issue stems from improper resource management in the device tree traversal code path, where the kernel allocates and processes device tree node references but neglects to properly clean up these references.

From an operational perspective, this vulnerability can lead to progressive memory consumption within the kernel's device tree subsystem, potentially causing system performance degradation or even system instability over extended periods of operation. The reference leak may become particularly problematic in systems with frequent device tree traversals or in embedded environments with limited memory resources. While the immediate impact might appear minimal, the cumulative effect of multiple reference leaks can contribute to memory pressure and system resource exhaustion, especially in long-running systems or those with dynamic device tree modifications.

The vulnerability aligns with CWE-404, which specifically addresses improper resource management or resource leaks in software systems, and represents a classic example of insufficient reference counting in kernel space. This flaw can be categorized under the ATT&CK technique T1059.007 for kernel-level code execution or manipulation, though the direct attack vector is more subtle and related to resource exhaustion rather than direct exploitation. The fix implemented addresses this by ensuring proper reference management through the addition of the missing of_node_put() call, which aligns with kernel development best practices for device tree node handling.

Mitigation strategies for this vulnerability focus primarily on applying the kernel patch that introduces the missing of_node_put() call in the affected function. System administrators should prioritize updating their Linux kernel versions to include this fix, particularly in production environments where long-term stability and resource management are critical. The patch demonstrates proper kernel development practices and adherence to device tree subsystem guidelines, ensuring that all acquired device tree node references are properly released. Organizations should also monitor for similar patterns in other device tree subsystem implementations and conduct regular kernel security audits to identify potential reference leak vulnerabilities. This fix exemplifies the importance of proper resource management in kernel space and reinforces the need for comprehensive testing of device tree traversal code paths to prevent subtle but impactful resource leaks that can compromise system reliability over time.

Reservation

03/04/2024

Disclosure

03/25/2024

Moderation

accepted

CPE

ready

EPSS

0.00222

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!