CVE-2022-49354: 
Linux Kernel vulnerability analysis and mitigation

CVE-2022-49354 is a vulnerability discovered in the Linux kernel's PATA Octeon CF driver. The issue involves a reference count leak in the octeoncfprobe function where offinddevicebynode() takes a reference but fails to properly release it using put_device() when no longer needed (NVD). The vulnerability was publicly disclosed on February 26, 2025.

The vulnerability stems from a missing putdevice() call in the pataocteoncf driver's probe function. When offinddevicebynode() is called, it takes a reference count that should be released using putdevice() when no longer needed. The fix involves adding the missing putdevice() calls at appropriate error handling paths and cleanup sections to prevent the reference count leak (Kernel Commit). The issue was introduced in commit 43f01da0f279 which converted pataocteon_cf.c to use device tree.

The vulnerability results in a reference count leak in the Linux kernel's PATA Octeon CF driver. While the immediate impact is a resource leak, this could potentially lead to resource exhaustion over time if the affected code path is repeatedly triggered (Red Hat).

The vulnerability has been fixed by adding the missing put_device() calls in the affected code paths. The fix has been backported to various stable kernel versions. Users should update their Linux kernel to a patched version that includes the fix (Ubuntu).