CVE-2023-54020

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> dmaengine: sf-pdma: pdma_desc memory leak fix<br /> <br /> Commit b2cc5c465c2c ("dmaengine: sf-pdma: Add multithread support for a<br /> DMA channel") changed sf_pdma_prep_dma_memcpy() to unconditionally<br /> allocate a new sf_pdma_desc each time it is called.<br /> <br /> The driver previously recycled descs, by checking the in_use flag, only<br /> allocating additional descs if the existing one was in use. This logic<br /> was removed in commit b2cc5c465c2c ("dmaengine: sf-pdma: Add multithread<br /> support for a DMA channel"), but sf_pdma_free_desc() was not changed to<br /> handle the new behaviour.<br /> <br /> As a result, each time sf_pdma_prep_dma_memcpy() is called, the previous<br /> descriptor is leaked, over time leading to memory starvation:<br /> <br /> unreferenced object 0xffffffe008447300 (size 192):<br /> comm "irq/39-mchp_dsc", pid 343, jiffies 4294906910 (age 981.200s)<br /> hex dump (first 32 bytes):<br /> 00 00 00 ff 00 00 00 00 b8 c1 00 00 00 00 00 00 ................<br /> 00 00 70 08 10 00 00 00 00 00 00 c0 00 00 00 00 ..p.............<br /> backtrace:<br /> [] kmemleak_alloc+0x1e/0x28<br /> [] kmem_cache_alloc+0x11e/0x178<br /> [] sf_pdma_prep_dma_memcpy+0x40/0x112<br /> <br /> Add the missing kfree() to sf_pdma_free_desc(), and remove the redundant<br /> in_use flag.