CVE-2024-40970

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Avoid hw_desc array overrun in dw-axi-dmac<br /> <br /> I have a use case where nr_buffers = 3 and in which each descriptor is composed by 3<br /> segments, resulting in the DMA channel descs_allocated to be 9. Since axi_desc_put()<br /> handles the hw_desc considering the descs_allocated, this scenario would result in a<br /> kernel panic (hw_desc array will be overrun).<br /> <br /> To fix this, the proposal is to add a new member to the axi_dma_desc structure,<br /> where we keep the number of allocated hw_descs (axi_desc_alloc()) and use it in<br /> axi_desc_put() to handle the hw_desc array correctly.<br /> <br /> Additionally I propose to remove the axi_chan_start_first_queued() call after completing<br /> the transfer, since it was identified that unbalance can occur (started descriptors can<br /> be interrupted and transfer ignored due to DMA channel not being enabled).