CVE-2023-53849
Description
In the Linux kernel, the following vulnerability has been resolved:
drm/msm: fix workqueue leak on bind errors
Make sure to destroy the workqueue also in case of early errors during bind (e.g. a subcomponent failing to bind).
Since commit c3b790ea07a1 ("drm: Manage drm_mode_config_init with drmm_") the mode config will be freed when the drm device is released also when using the legacy interface, but add an explicit cleanup for consistency and to facilitate backporting.
Patchwork: https://patchwork.freedesktop.org/patch/525093/
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A workqueue leak in the MSM DRM driver can occur on early bind errors, potentially leading to resource exhaustion.
Vulnerability Overview
The vulnerability is a workqueue leak in the MSM DRM (Direct Rendering Manager) driver for Qualcomm Adreno GPUs in the Linux kernel. When the driver's bind function encounters early errors—such as a subcomponent failing to bind—the allocated workqueue is not properly destroyed. This occurs because the error path does not include a call to destroy the workqueue, leading to a resource leak.
Root Cause and Exploitation
The root cause is the missing workqueue cleanup in error paths of the bind function. The commit that introduced drm_mode_config_init with drmm_ (managed device resource) ensures the mode config is freed when the DRM device is released, but the workqueue itself is not tied to that mechanism. The patch adds explicit cleanup for consistency and to facilitate backporting [1]. An attacker would need to trigger a bind failure, which could be achieved through a malicious or malformed device tree or a faulty display subcomponent. No special privileges are required if the attacker can control the device configuration.
Potential Impact
If the workqueue leak is repeated (e.g., by repeatedly binding and failing to bind the driver), the system could exhaust kernel memory or reach a limit on workqueue allocations, potentially causing a denial of service (DoS). However, the leak is limited to the workqueue structure and does not provide code execution or privilege escalation.
Mitigation
The patch [1] fixes the issue by adding an explicit destroy_workqueue() call in the bind error path. The fix has been applied to the Linux kernel stable branches. Users should update their kernel to include this patch or a later version that contains it. There is no known workaround other than avoiding triggering the error condition.
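The error-path pattern described above, as an added user-space model (not the msm driver's code or the upstream patch). Every `model_*` name and both `bind_*` functions are hypothetical stand-ins, and the workqueue is only counted, not actually created.

```c
/* Added illustration: user-space model of a bind error path, not kernel code. */
#include <stdio.h>

struct wq { int in_use; };            /* stand-in for a kernel workqueue */
static struct wq the_wq;              /* single dummy object; we only count */
static int live_wqs;                  /* allocated and not yet destroyed */

static struct wq *model_alloc_wq(void) { live_wqs++; return &the_wq; }
static void model_destroy_wq(struct wq *w) { (void)w; live_wqs--; }

/* Hypothetical subcomponent bind that fails on request. */
static int model_component_bind(int fail) { return fail ? -1 : 0; }

/* Before: the early error return skips workqueue teardown. */
static int bind_leaky(int fail, struct wq **out) {
    struct wq *w = model_alloc_wq();
    if (model_component_bind(fail))
        return -1;                    /* workqueue is never destroyed */
    *out = w;
    return 0;
}

/* After: errors past the allocation unwind through a cleanup label. */
static int bind_fixed(int fail, struct wq **out) {
    struct wq *w = model_alloc_wq();
    int ret = model_component_bind(fail);
    if (ret)
        goto err_destroy_wq;
    *out = w;                         /* success: caller owns the workqueue */
    return 0;
err_destroy_wq:
    model_destroy_wq(w);
    return ret;
}

/* Run n failing binds and return how many workqueues remain allocated. */
static int leaked_after(int (*bind)(int, struct wq **), int n) {
    struct wq *w = NULL;
    live_wqs = 0;
    for (int i = 0; i < n; i++)
        bind(1, &w);
    return live_wqs;
}

int main(void) {
    printf("leaky=%d fixed=%d\n",
           leaked_after(bind_leaky, 100), leaked_after(bind_fixed, 100));
    return 0;
}
```

Each failed bind in the leaky variant leaves one more workqueue allocated, which is the accumulation the impact section refers to; the fixed variant returns to zero after every failure.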
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (4)
- 6e1476225ec0
- 28e34db2f3e0
- 8551c4b7c8ff
- a75b49db6529
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (4)
News mentions (0)
No linked articles in our index yet.