The vulnerability, identified as CVE-2021-47467, is a reference count leak in the `kfree_at_end()` function of the Linux kernel's KUnit testing framework. `kfree_at_end()` calls `kunit_alloc_and_get_resource()` but does not handle the resource object it returns, so the reference count raised on that object is never dropped, which leaks the reference.
To fix this issue, the `kunit_alloc_resource()` function should be used instead of `kunit_alloc_and_get_resource()`. This change ensures that the reference count of the resource object is properly handled. The fix was implemented in commits bbdd158b40b6 (for kernel version 5.14.15) and f62314b1ced2 (for kernel version 5.15).
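A simplified user-space model of the leak and the fix described above, added here as an illustration; it is not the kernel's KUnit code. The names `res`, `model_alloc`, `model_alloc_and_get` and `freed_at_teardown` are hypothetical, and the model assumes the `_and_get` variant hands the caller one extra reference that test teardown does not drop.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified user-space model; every name here is hypothetical, not kernel API. */
/* refcount: references currently held; freed: set to 1 on final put. */
struct res { int refcount; int *freed; };

static void res_put(struct res *r)
{
    if (--r->refcount == 0) {
        *r->freed = 1;
        free(r);
    }
}

/* Registers the resource with the test; the test's list owns the only reference. */
static struct res *model_alloc(int *freed)
{
    struct res *r = malloc(sizeof(*r));
    if (!r) return NULL;
    r->refcount = 1;
    r->freed = freed;
    return r;
}

/* Same, plus an extra reference for the caller, who is expected to put it. */
static struct res *model_alloc_and_get(int *freed)
{
    struct res *r = model_alloc(freed);
    if (r) r->refcount++;
    return r;
}

/* Returns 1 if test teardown released the object, 0 if it leaked, -1 on OOM. */
static int freed_at_teardown(int use_and_get)
{
    int freed = 0;
    struct res *r = use_and_get ? model_alloc_and_get(&freed) : model_alloc(&freed);
    if (!r) return -1;
    res_put(r);            /* teardown drops only the list's reference */
    if (!freed) free(r);   /* model only: reclaim so the demo itself does not leak */
    return freed;
}

int main(void)
{
    printf("and_get variant freed at teardown: %d\n", freed_at_teardown(1));
    printf("plain alloc freed at teardown:     %d\n", freed_at_teardown(0));
}
```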
The affected file is `lib/kunit/executor_test.c`. To mitigate this issue, the Linux kernel CVE team recommends updating to the latest stable kernel version, which includes this fix along with other bugfixes. Cherry-picking individual commits is not recommended or supported by the Linux kernel community. If updating to the latest release is impossible, the individual changes can be found in the specified commits.