VYPR
Unrated severity · NVD Advisory · Published Dec 24, 2025 · Updated Apr 15, 2026

CVE-2023-54109


Description

In the Linux kernel, the following vulnerability has been resolved:

media: rcar_fdp1: Fix refcount leak in probe and remove function

rcar_fcp_get() takes a reference, which should be balanced with rcar_fcp_put(). Add missing rcar_fcp_put() in fdp1_remove and the error paths of fdp1_probe() to fix this.

[hverkuil: resolve merge conflict, remove() is now void]

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A refcount leak in the Renesas rcar_fdp1 driver fails to release FCP references on probe failures and removal, risking memory exhaustion.

Overview

In the Linux kernel's Renesas rcar_fdp1 media driver, fdp1_probe() calls rcar_fcp_get() to take a reference to the FCP device. The matching rcar_fcp_put() call was missing on the error paths of fdp1_probe() and in fdp1_remove(), so the reference was never dropped on those paths, causing a refcount leak.

Exploitation

This vulnerability is triggered when probing the rcar_fdp1 driver fails or when the driver is removed. An attacker with the ability to repeatedly cause the driver to load or unload—or to trigger probe failures—could cause the kernel to leak references. The leak does not require any special permissions beyond the ability to interact with the driver's device lifecycle (e.g., hotplugging, module load/unload).

Impact

Over time, repeated exploitation of this refcount leak can lead to memory exhaustion or resource starvation, because the underlying FCP hardware block is not properly released. This could lead to denial-of-service conditions on systems using the Renesas R-Car Gen3 display pipeline.

Mitigation

The fix adds the missing rcar_fcp_put() calls in both the error paths of fdp1_probe() and in fdp1_remove(). The patch has been applied to the stable kernel trees as indicated by the referenced commits [1], [2], and [3]. Users should update their kernels to include this fix.
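
The imbalance and its fix, modeled in user-space C as an added example (not code from the kernel driver or from this advisory). The names model_fcp, model_probe_leaky, model_probe_fixed and leaked_after_cycles are hypothetical, and a plain counter stands in for the FCP reference.

```c
/* User-space model of the get/put imbalance; not the rcar_fdp1 driver source.
 * Every name here (model_fcp, model_probe_*, ...) is hypothetical. */
#include <stdio.h>
struct model_fcp { int refs; };               /* stands in for the FCP device */
struct model_dev { struct model_fcp *fcp; };  /* stands in for driver state */
static struct model_fcp *model_fcp_get(struct model_fcp *f) { f->refs++; return f; }
static void model_fcp_put(struct model_fcp *f) { if (f) f->refs--; }

/* Before: an early return after the get leaves the reference held. */
static int model_probe_leaky(struct model_dev *d, struct model_fcp *f, int fail)
{
    d->fcp = model_fcp_get(f);
    if (fail)                      /* any later probe step failing */
        return -1;                 /* leak: no put on this path */
    return 0;
}
static void model_remove_leaky(struct model_dev *d) { (void)d; /* put missing */ }

/* After: every exit that follows the get drops the reference it took. */
static int model_probe_fixed(struct model_dev *d, struct model_fcp *f, int fail)
{
    d->fcp = model_fcp_get(f);
    if (fail)
        goto put_fcp;
    return 0;
put_fcp:
    model_fcp_put(d->fcp);
    d->fcp = NULL;
    return -1;
}
static void model_remove_fixed(struct model_dev *d) { model_fcp_put(d->fcp); d->fcp = NULL; }

/* Run n bind/unbind cycles with every other probe failing; return refs still held. */
int leaked_after_cycles(int n, int fixed)
{
    struct model_fcp fcp = { 0 };
    for (int i = 0; i < n; i++) {
        struct model_dev dev = { NULL };
        int ret = (fixed ? model_probe_fixed : model_probe_leaky)(&dev, &fcp, i & 1);
        if (ret == 0)              /* remove only runs after a successful probe */
            (fixed ? model_remove_fixed : model_remove_leaky)(&dev);
    }
    return fcp.refs;
}

int main(void)
{
    printf("leaky: %d held, fixed: %d held\n", leaked_after_cycles(10, 0), leaked_after_cycles(10, 1));
    return 0;
}
```

In the leaky variant each cycle leaves one reference behind whether the probe fails or succeeds, which is why both the probe error paths and the remove function needed the put.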

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
