| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025122433-CVE-2023-54020-3f2f@gregkh>
Date: Wed, 24 Dec 2025 11:57:04 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2023-54020: dmaengine: sf-pdma: pdma_desc memory leak fix
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: sf-pdma: pdma_desc memory leak fix
Commit b2cc5c465c2c ("dmaengine: sf-pdma: Add multithread support for a
DMA channel") changed sf_pdma_prep_dma_memcpy() to unconditionally
allocate a new sf_pdma_desc each time it is called.
The driver previously recycled descs, by checking the in_use flag, only
allocating additional descs if the existing one was in use. This logic
was removed in commit b2cc5c465c2c ("dmaengine: sf-pdma: Add multithread
support for a DMA channel"), but sf_pdma_free_desc() was not changed to
handle the new behaviour.
As a result, each time sf_pdma_prep_dma_memcpy() is called, the previous
descriptor is leaked, over time leading to memory starvation:
unreferenced object 0xffffffe008447300 (size 192):
comm "irq/39-mchp_dsc", pid 343, jiffies 4294906910 (age 981.200s)
hex dump (first 32 bytes):
00 00 00 ff 00 00 00 00 b8 c1 00 00 00 00 00 00 ................
00 00 70 08 10 00 00 00 00 00 00 c0 00 00 00 00 ..p.............
backtrace:
[<00000000064a04f4>] kmemleak_alloc+0x1e/0x28
[<00000000018927a7>] kmem_cache_alloc+0x11e/0x178
[<000000002aea8d16>] sf_pdma_prep_dma_memcpy+0x40/0x112
Add the missing kfree() to sf_pdma_free_desc(), and remove the redundant
in_use flag.
The Linux kernel CVE team has assigned CVE-2023-54020 to this issue.
Affected and fixed versions
===========================
Issue introduced in 5.15.61 with commit 5ab2782c944e324008ef5d658f2494a9f0e3c5ac and fixed in 5.15.99 with commit ad222c9af25e3f074c180e389b3477dce42afc4f
Issue introduced in 6.0 with commit b2cc5c465c2cb8ab697c3fd6583c614e3f6cfbcc and fixed in 6.1.16 with commit 03fece43fa109beba7cc9948c02f5e2d1205d607
Issue introduced in 6.0 with commit b2cc5c465c2cb8ab697c3fd6583c614e3f6cfbcc and fixed in 6.2.3 with commit 8bd5040bd43f2b5ba3c898b09a3197a0c7ace126
Issue introduced in 6.0 with commit b2cc5c465c2cb8ab697c3fd6583c614e3f6cfbcc and fixed in 6.3 with commit b02e07015a5ac7bbc029da931ae17914b8ae0339
Issue introduced in 5.10.137 with commit b9b4992f897be9b0b9e3a3b956cab6b75ccc3f11
Issue introduced in 5.18.18 with commit 4c7350b1dd8a192af844de32fc99b9e34c876fda
Issue introduced in 5.19.2 with commit a93b3f1e11971a91b6441b6d47488f4492cc113f
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2023-54020
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
drivers/dma/sf-pdma/sf-pdma.c
drivers/dma/sf-pdma/sf-pdma.h
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/ad222c9af25e3f074c180e389b3477dce42afc4f
https://git.kernel.org/stable/c/03fece43fa109beba7cc9948c02f5e2d1205d607
https://git.kernel.org/stable/c/8bd5040bd43f2b5ba3c898b09a3197a0c7ace126
https://git.kernel.org/stable/c/b02e07015a5ac7bbc029da931ae17914b8ae0339
Powered by blists - more mailing lists