{"id":"CVE-2024-40970","summary":"Avoid hw_desc array overrun in dw-axi-dmac","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nAvoid hw_desc array overrun in dw-axi-dmac\n\nI have a use case where nr_buffers = 3 and in which each descriptor is composed by 3\nsegments, resulting in the DMA channel descs_allocated to be 9. Since axi_desc_put()\nhandles the hw_desc considering the descs_allocated, this scenario would result in a\nkernel panic (hw_desc array will be overrun).\n\nTo fix this, the proposal is to add a new member to the axi_dma_desc structure,\nwhere we keep the number of allocated hw_descs (axi_desc_alloc()) and use it in\naxi_desc_put() to handle the hw_desc array correctly.\n\nAdditionally I propose to remove the axi_chan_start_first_queued() call after completing\nthe transfer, since it was identified that unbalance can occur (started descriptors can\nbe interrupted and transfer ignored due to DMA channel not being enabled).","modified":"2026-04-02T12:17:23.068800Z","published":"2024-07-12T12:32:08.788Z","related":["SUSE-SU-2024:2802-1","SUSE-SU-2024:2894-1","SUSE-SU-2024:2896-1","SUSE-SU-2024:2939-1","SUSE-SU-2024:2947-1","SUSE-SU-2024:2973-1","SUSE-SU-2025:20008-1","SUSE-SU-2025:20028-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/40xxx/CVE-2024-40970.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/333e11bf47fa8d477db90e2900b1ed3c9ae9b697"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7c3bb96a20cd8db3b8824b2ff08b6cde4505c7e5"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9004784e8d68bcd1ac1376407ba296fa28f04dbe"},{"type":"WEB","url":"https://git.kernel.org/stable/c/dd42570018f5962c10f215ad9c21274ed5d3541e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e151ae1ee065cf4b8ce4394ddb9d9c8df6370c66"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/40xxx/CVE-2024-40970.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-40970"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"ef6fb2d6f1abd56cc067c694253ea362159b5ac3"},{"fixed":"7c3bb96a20cd8db3b8824b2ff08b6cde4505c7e5"},{"fixed":"dd42570018f5962c10f215ad9c21274ed5d3541e"},{"fixed":"e151ae1ee065cf4b8ce4394ddb9d9c8df6370c66"},{"fixed":"9004784e8d68bcd1ac1376407ba296fa28f04dbe"},{"fixed":"333e11bf47fa8d477db90e2900b1ed3c9ae9b697"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-40970.json"}}],"schema_version":"1.7.5"}