Unrated severity · NVD Advisory · Published Jun 18, 2025 · Updated Sep 3, 2025

cxl: Fix a memory leak in an error handling path

CVE-2022-50025

Description

A memory leak in the Linux kernel CXL driver's afu_allocate_irqs() error path can cause kernel memory exhaustion.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A memory leak exists in the Linux kernel's CXL (Coherent Accelerator Interface) driver, specifically in the afu_allocate_irqs() function. The function uses bitmap_zalloc() to allocate a bitmap, but the error handling path does not free this allocation when a subsequent operation fails. According to the fix commit [1], a matching bitmap_free() call is required. The issue affects Linux kernel versions prior to the inclusion of commit c2c7a29f99788e9e5dfe41d16868ea33da7cc235. The exact version range is not specified in the available references, but the vulnerability is present in any kernel containing the flawed error path.

Exploitation

An attacker would need to trigger a failure in the afu_allocate_irqs() function after the bitmap_zalloc() call has succeeded. This could conceivably be achieved by inducing an error in a subsequent allocation (e.g., kzalloc for an array of IRQ contexts) or by providing invalid parameters that cause an early return. The exploit likely requires local access to the system and the ability to interact with a CXL accelerator device, as the function is part of the CXL driver's initialization path. The precise prerequisites are not fully detailed in the available references.

Impact

Successful exploitation results in a kernel memory leak: each invocation of the error path that fails to free the bitmap permanently wastes a small amount of kernel memory. Repeated exploitation can exhaust system memory, leading to resource exhaustion and denial of service. The vulnerability does not directly allow privilege escalation or arbitrary code execution.

Mitigation

The fix is provided by Linux kernel commit c2c7a29f99788e9e5dfe41d16868ea33da7cc235, which adds the missing bitmap_free() in the error path. Users should update to a kernel version that includes this commit. As of the publication date (2025-06-18), the fix is present in stable kernel releases. No workaround is available; the only mitigation is to apply the patch or upgrade to a fixed kernel version.
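
The unbalanced-allocation pattern described above, and the balanced form, shown as a user-space model added here for illustration. It is not the kernel's afu_allocate_irqs() and not code from the fix commit; model_bitmap_zalloc(), model_bitmap_free(), alloc_irqs_leaky(), alloc_irqs_fixed(), probe() and the 8-slot pool are hypothetical stand-ins.

```c
#include <errno.h>
#include <stdio.h>

#define SLOTS 8                      /* tiny stand-in for kernel memory */
static unsigned long pool[SLOTS];    /* one word per modelled bitmap */
static int in_use[SLOTS];
/* Stand-ins for bitmap_zalloc()/bitmap_free(), backed by the fixed pool. */
static unsigned long *model_bitmap_zalloc(void)
{
    for (int i = 0; i < SLOTS; i++)
        if (!in_use[i]) { in_use[i] = 1; pool[i] = 0; return &pool[i]; }
    return NULL;                     /* pool exhausted */
}
static void model_bitmap_free(unsigned long *p) { in_use[p - pool] = 0; }

/* Before: a failure after the allocation returns without freeing it. */
static int alloc_irqs_leaky(int later_step_fails)
{
    unsigned long *bitmap = model_bitmap_zalloc();
    if (!bitmap) return -ENOMEM;
    if (later_step_fails) return -EINVAL;    /* bitmap is leaked here */
    return 0;                        /* success: the context keeps the bitmap */
}

/* After: the error path balances the allocation with a free. */
static int alloc_irqs_fixed(int later_step_fails)
{
    unsigned long *bitmap = model_bitmap_zalloc();
    if (!bitmap) return -ENOMEM;
    if (later_step_fails) goto err_free;
    return 0;                        /* success: the context keeps the bitmap */
err_free:
    model_bitmap_free(bitmap);
    return -EINVAL;
}

/* Reset the pool, fail n times, then return the result of one good call. */
static int probe(int (*fn)(int), int n)
{
    for (int i = 0; i < SLOTS; i++) in_use[i] = 0;
    for (int i = 0; i < n; i++) fn(1);
    return fn(0);
}

int main(void)
{
    printf("leaky: %d\n", probe(alloc_irqs_leaky, SLOTS));  /* -ENOMEM */
    printf("fixed: %d\n", probe(alloc_irqs_fixed, SLOTS));  /* 0 */
    return 0;
}
```

In the model, every failed call to the leaky variant pins one slot, so once the pool is full even a call that would otherwise succeed returns -ENOMEM; the fixed variant keeps working after any number of failures.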

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

10

References

8
