CVE-2022-50545 in Linux
Summary
by MITRE • 10/07/2025
In the Linux kernel, the following vulnerability has been resolved:
r6040: Fix kmemleak in probe and remove
There is a memory leaks reported by kmemleak:
unreferenced object 0xffff888116111000 (size 2048): comm "modprobe", pid 817, jiffies 4294759745 (age 76.502s) hex dump (first 32 bytes): 00 c4 0a 04 81 88 ff ff 08 10 11 16 81 88 ff ff ................ 08 10 11 16 81 88 ff ff 00 00 00 00 00 00 00 00 ................ backtrace: [<ffffffff815bcd82>] kmalloc_trace+0x22/0x60
[<ffffffff827e20ee>] phy_device_create+0x4e/0x90
[<ffffffff827e6072>] get_phy_device+0xd2/0x220
[<ffffffff827e7844>] mdiobus_scan+0xa4/0x2e0
[<ffffffff827e8be2>] __mdiobus_register+0x482/0x8b0
[<ffffffffa01f5d24>] r6040_init_one+0x714/0xd2c [r6040]
...
The problem occurs in probe process as follows: r6040_init_one: mdiobus_register mdiobus_scan <- alloc and register phy_device, the reference count of phy_device is 3 r6040_mii_probe phy_connect <- connect to the first phy_device, so the reference count of the first phy_device is 4, others are 3 register_netdev <- fault inject succeeded, goto error handling path
// error handling path err_out_mdio_unregister: mdiobus_unregister(lp->mii_bus); err_out_mdio: mdiobus_free(lp->mii_bus); <- the reference count of the first phy_device is 1, it is not released and other phy_devices are released // similarly, the remove process also has the same problem
The root cause is traced to the phy_device is not disconnected when removes one r6040 device in r6040_remove_one() or on error handling path after r6040_mii probed successfully. In r6040_mii_probe(), a net ethernet device is connected to the first PHY device of mii_bus, in order to notify the connected driver when the link status changes, which is the default behavior of the PHY infrastructure to handle everything. Therefore the phy_device should be disconnected when removes one r6040 device or on error handling path.
Fix it by adding phy_disconnect() when removes one r6040 device or on error handling path after r6040_mii probed successfully.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 04/20/2026
The vulnerability identified as CVE-2022-50545 represents a memory leak in the Linux kernel's r6040 network driver implementation that manifests through the kmemleak subsystem. This issue occurs during the device probe and removal processes, specifically affecting the management of phy_device structures within the MDIO bus framework. The memory leak arises from improper reference counting and resource cleanup operations when the r6040 driver handles network interface initialization and error recovery scenarios. The problem is particularly significant as it involves kernel memory management where unreferenced objects persist in memory, potentially leading to resource exhaustion over time. The vulnerability demonstrates a classic case of improper resource management in kernel space, where allocated structures are not properly released due to missing cleanup operations during error handling paths.
The technical flaw stems from the driver's failure to properly disconnect PHY devices during device removal or error handling scenarios. During normal operation, the r6040_init_one function initializes the MDIO bus and scans for PHY devices, creating multiple references to these structures. When r6040_mii_probe executes successfully, it connects the network device to the first PHY device, increasing its reference count from 3 to 4. However, when errors occur during register_netdev execution or during device removal, the driver fails to call phy_disconnect() on the connected PHY device. This omission leaves the first PHY device with a reference count of 1, preventing its proper deallocation while other PHY devices in the same bus are correctly freed. The backtrace clearly shows the memory allocation path through kmalloc_trace, phy_device_create, and the MDIO bus registration chain, ultimately pointing to the r6040 driver's probe function as the source of the issue.
The operational impact of this vulnerability extends beyond simple memory consumption, as it represents a potential vector for denial of service conditions in kernel space. When multiple r6040 devices are probed or when the driver experiences repeated error conditions, the accumulation of unreferenced PHY device structures can lead to progressive memory exhaustion. This type of memory leak is particularly concerning in embedded systems or environments where kernel memory is constrained, as it can gradually degrade system performance or cause system instability. The vulnerability affects the kernel's memory management subsystem and can be exploited through repeated device probe operations or through device removal sequences that trigger the error handling paths. The issue is classified under CWE-401 as a failure to release memory, specifically manifesting as a memory leak in kernel memory allocation contexts.
The mitigation strategy for this vulnerability involves implementing proper PHY device disconnection in both normal removal paths and error handling scenarios. The fix requires adding phy_disconnect() calls in the r6040_remove_one function and in the error handling paths of r6040_init_one after successful r6040_mii_probe execution. This approach ensures that all references to PHY devices are properly released, allowing the kernel's memory management subsystem to reclaim the allocated resources. The solution aligns with ATT&CK framework techniques related to privilege escalation and system resource exhaustion, as it addresses a kernel-level memory management flaw that could be exploited to consume system resources. The fix must be applied consistently across all code paths where PHY devices are connected but not properly disconnected, ensuring complete reference count management throughout the driver's lifecycle. This vulnerability demonstrates the critical importance of proper resource cleanup in kernel drivers, particularly when dealing with complex subsystem interactions such as the MDIO bus and PHY device management infrastructure.