CVE-2021-47058 - How a Tiny Detail in Linux Kernel Memory Handling Could Cause a Memory Leak (And How It Was Fixed)

In March 2021, security researchers and Linux kernel developers found and fixed an interesting vulnerability in the Linux kernel’s _regmap_ subsystem. The bug (CVE-2021-47058) could lead to a memory leak when specific kernel code related to debug file systems was triggered. While this sounds very technical, a misunderstanding around one small variable — debugfs_name — was all it took for memory to be wasted and potentially open the door to greater problems over time.

This post will break down what happened, look at the vulnerable code, how the exploit works, and how it was finally solved. We’ll also give you links and references if you want to dig deeper into the original discussions.

What Part of Linux Was Vulnerable?

The problem was in the regmap core, which provides an abstraction layer for register maps (data structures used to talk to hardware registers in drivers). Drivers often create a debugfs entry to help with debugging, and every entry gets a name (the debugfs_name).

File exit: When cleaning up, the code was supposed to free the debugfs_name memory.

3. Re-create or re-initialize: Sometimes, regmap wants to re-init its debugfs entries—but a logic bug (introduced in a prior patch) made it so the name might not be set again, causing a problem when re-entering the init sequence.

What Was the Bug?

The issue starts with this commit:
https://github.com/torvalds/linux/commit/cffa4b2122f56af30db4cee1c256224739eef6d1

This commit added a new _if condition_ to avoid creating a new debugfs_name string if it already existed. On paper, that’s a memory optimization. But the cleanup code (regmap_debugfs_exit()) freed the debugfs_name — without setting the pointer to NULL.

This means that code thinking there’s a valid string there (because the pointer wasn’t NULL) would skip creating a new name. In reality, it became a _dangling pointer_ — a classic C mistake.

After that, a function call sequence like this

regmap_reinit_cache()
    regmap_debugfs_exit()
    ...
    regmap_debugfs_init()

would end up with no allocated debugfs_name, but the pointer would still not be NULL. That meant new memory wasn’t allocated — and the kernel might idle with a pointer to freed memory, causing leaks, or, in weird situations, undefined behavior.

Here’s a mock-up of what the code looked like before the patch, focusing on how the bug happens

// regmap_debugfs_init
if (!map->debugfs_name) {
    map->debugfs_name = kstrdup(dev_name(dev), GFP_KERNEL);
    // ... create debugfs entries ...
}

// regmap_debugfs_exit
kfree(map->debugfs_name);
// Oops! Did not set map->debugfs_name = NULL;

If you called init–exit–init multiple times, the first kstrdup() would be skipped after the pointer is freed but not set to NULL.

The Fix: Nullify the Pointer After Free

The upstream commit that fixed the bug is here:
https://github.com/torvalds/linux/commit/6785a5c436636496ed5a8c5bd87c9c18fb299b37

Here’s the essential change

// regmap_debugfs_exit
kfree(map->debugfs_name);
map->debugfs_name = NULL; // This line is key!

After freeing the memory, the pointer is reset, so the next initialization will detect it needs to allocate a new string.

This tiny line prevents the code from holding onto a pointer that doesn’t point to anything valid.

How Could Someone Exploit This?

While CVE-2021-47058 falls into a weird “might cause a memory leak or use-after-free” class, it’s not the sort of bug that allows instant remote code execution or local privilege escalation. But it can:

- Cause a memory leak if drivers are loaded/unloaded many times, potentially destabilizing the system after a long uptime.

Lead to undefined behavior or random crashes if some code path attempts to use the freed pointer.

*In rare cases,* if an attacker had local access and could predict the pointer reuse, this could develop into more severe problems — but, in practice, it’s mostly a stability/security-hardening issue.

Step-by-Step: Reproducing the Leak

While this isn’t a remote hack kind of bug, here’s how someone might see the memory leak (by doing what Linux driver authors do):

Unload the driver (triggers regmap_debugfs_exit()).

3. Reload the driver, which calls regmap_debugfs_init() — but now with a stale pointer, so it doesn’t create a new name.

`

cat /proc/meminfo

References & Original Reports

- CVE database entry (NVD)
- Mainline Patch Commit Adding the If Condition
- The Fix Commit (NULL after free)
- Linux mailing list discussion

Conclusion

Sometimes, the tiniest detail — like missing a line to set a pointer to NULL — can have major impacts on a huge project like the Linux kernel.
CVE-2021-47058 is a text-book example of why memory management in C is so error prone, and why careful code review and testing matter.

If you’re maintaining kernels, make sure you have this fix! And if you’re a systems or driver developer, let this serve as a gentle reminder:
> After freeing a pointer, *always* set it to NULL.

Even a small oversight can build up to headaches over time.


*Written by an exclusive AI—content created just for your question, with plain-language explanations.*

Timeline

Published on: 02/29/2024 23:15:07 UTC
Last modified on: 12/10/2024 17:54:27 UTC