CVE-2023-54221
Description
In the Linux kernel, the following vulnerability has been resolved:
clk: imx93: fix memory leak and missing unwind goto in imx93_clocks_probe
In function probe(), it returns directly without unregistering hws when an error occurs.
Fix this by adding 'goto unregister_hws;' on line 295 and line 310.
Use devm_kzalloc() instead of kzalloc() to automatically free the memory using devm_kfree() when an error occurs.
Replace of_iomap() with devm_of_iomap() to automatically handle the unused ioremap region and delete 'iounmap(anatop_base);' in unregister_hws.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A memory leak and a missing unwind on the error paths of the Linux kernel's i.MX93 clock driver probe function leave allocated memory, an I/O mapping and registered clock hardware behind whenever the driver fails to probe, which can waste kernel resources and, in the worst case, degrade system stability.
Vulnerability
Analysis
In the Linux kernel, the imx93_clocks_probe function in the clock driver for i.MX93 platforms contains two related defects: a memory leak and a missing error-handling goto that prevents proper cleanup. At the two early-return sites the description refers to as lines 295 and 310, the function returns immediately without unregistering the hardware clock instances (hws) it has already registered. In addition, the buffer holding the clock data is allocated with kzalloc() and is never freed on any error path, and the anatop register window is mapped with of_iomap(), so it stays mapped after the two early returns.[1]
The patch fixes these by: (1) adding a goto unregister_hws; on the error paths at lines 295 and 310 so that all registered clocks are properly unregistered before returning; (2) replacing kzalloc() with devm_kzalloc(), which uses the device-managed allocation API so that the driver core frees the memory when probe fails or the device is unbound; (3) replacing of_iomap() with devm_of_iomap() so that the I/O mapping is released the same way, and removing the now-unnecessary iounmap(anatop_base) call from the unregister_hws label.[1]
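A userspace model of the two probe() control flows, added here as an illustration; it is not code from the kernel or from the i.MX93 driver. It stands in for kzalloc(), of_iomap(), the devm_* helpers and clock registration with live-resource counters, injects a failure at each acquisition step in turn, and plays the driver core's part of releasing device-managed resources after a failed probe. The step order, the mock names, the number of clocks registered per phase and the error codes are assumptions chosen to mirror the description above, not the driver's actual values.

```c
#include <stdio.h>
#include <errno.h>

#define MAX_DEVRES 4

/* Live-resource counters standing in for the kernel's own bookkeeping (constructed). */
struct stats { int hws; int kmem; int iomaps; };

/* Minimal model of devres: anything registered through a devm_* helper is
 * released by the driver core after probe() returns an error, in reverse order. */
struct device {
    struct stats *st;
    void (*release[MAX_DEVRES])(struct stats *);
    int ndevres;
};

/* Fault injection: the fail_at-th resource acquisition fails (0 = none fail). */
static int fail_at, op_count;
static int inject(void) { return ++op_count == fail_at; }

/* Mocked kernel primitives; each acquisition is one fault-injection point. */
static int  kzalloc_m(struct stats *st)      { if (inject()) return 0; st->kmem++;   return 1; }
static void kfree_m(struct stats *st)        { st->kmem--; }
static int  iomap_m(struct stats *st)        { if (inject()) return 0; st->iomaps++; return 1; }
static void iounmap_m(struct stats *st)      { st->iomaps--; }
static int  add_provider_m(struct stats *st) { (void)st; return !inject(); }
/* Clock registration helpers in imx store an error pointer instead of failing
 * probe, so registration is modelled as always succeeding (assumption). */
static void register_hws(struct stats *st, int n) { st->hws += n; }
static void unregister_hws_all(struct stats *st)  { st->hws = 0; }

static void devres_add(struct device *dev, void (*rel)(struct stats *))
{ dev->release[dev->ndevres++] = rel; }
static void devres_release_all(struct device *dev)
{ while (dev->ndevres) dev->release[--dev->ndevres](dev->st); }
static int devm_kzalloc_m(struct device *dev)
{ if (!kzalloc_m(dev->st)) return 0; devres_add(dev, kfree_m); return 1; }
static int devm_iomap_m(struct device *dev)
{ if (!iomap_m(dev->st)) return 0; devres_add(dev, iounmap_m); return 1; }

/* Pre-fix control flow: plain kzalloc(), plain of_iomap(), two bare returns. */
static int probe_before(struct device *dev)
{
    struct stats *st = dev->st;
    if (!kzalloc_m(st)) return -ENOMEM;            /* clk_hw_data = kzalloc(...) */
    register_hws(st, 4);                           /* fixed and oscillator clocks */
    if (!iomap_m(st)) return -ENOMEM;              /* anatop_base = of_iomap(): no unwind */
    register_hws(st, 3);                           /* PLLs in the anatop window */
    if (!devm_iomap_m(dev)) return -ENOMEM;        /* base = devm_platform_ioremap_resource(): no unwind */
    register_hws(st, 5);                           /* root and gate clocks */
    if (!add_provider_m(st)) goto unregister_hws;  /* of_clk_add_hw_provider() */
    return 0;
unregister_hws:
    unregister_hws_all(st);
    iounmap_m(st);                                 /* iounmap(anatop_base); clk_hw_data is never freed */
    return -EINVAL;
}

/* Post-fix control flow: devm_kzalloc(), devm_of_iomap(), goto on every error. */
static int probe_after(struct device *dev)
{
    struct stats *st = dev->st;
    int ret;
    if (!devm_kzalloc_m(dev)) return -ENOMEM;      /* nothing registered yet, plain return is fine */
    register_hws(st, 4);
    if (!devm_iomap_m(dev)) { ret = -ENOMEM; goto unregister_hws; }
    register_hws(st, 3);
    if (!devm_iomap_m(dev)) { ret = -ENOMEM; goto unregister_hws; }
    register_hws(st, 5);
    if (!add_provider_m(st)) { ret = -EINVAL; goto unregister_hws; }
    return 0;
unregister_hws:
    unregister_hws_all(st);                        /* no iounmap here: devres handles both mappings */
    return ret;
}

/* What the driver core does around probe(): run it, and on failure drop devres. */
static int bind_and_probe(int (*probe)(struct device *), int fail_step, struct stats *out)
{
    struct stats st = {0, 0, 0};
    struct device dev = { &st, {0}, 0 };
    int ret;
    fail_at = fail_step; op_count = 0;
    ret = probe(&dev);
    if (ret) devres_release_all(&dev);
    *out = st;
    return ret;
}

/* Resources still held after bind_and_probe(); after a failed probe these are leaks. */
static int live_resources(const struct stats *st) { return st->hws + st->kmem + st->iomaps; }

int main(void)
{
    int step;
    for (step = 1; step <= 4; step++) {
        struct stats b, a;
        bind_and_probe(probe_before, step, &b);
        bind_and_probe(probe_after, step, &a);
        printf("fail at op %d: before leaks %d (hws=%d kmem=%d iomaps=%d), after leaks %d\n",
               step, live_resources(&b), b.hws, b.kmem, b.iomaps, live_resources(&a));
    }
    return 0;
}
```

Running it shows the pre-fix flow leaking on three of the four failure steps (the registered clocks and the buffer at the anatop map, those plus the anatop mapping at the second map, and the buffer alone on the existing goto path), while the post-fix flow leaves nothing behind because every error reaches unregister_hws and the driver core releases the devm resources afterwards.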
Impact
The leak is reachable only when imx93_clocks_probe fails, for example because a memory allocation or an I/O mapping fails during probe. Each failed probe leaves the clock-data buffer, the anatop mapping and the registered clock hardware behind, so repeated failures would consume kernel memory and could end in a denial-of-service condition on the affected system. Probe runs when the driver binds to the clock controller, which for a SoC clock driver normally happens once at boot; repeating it requires a privileged local user who can unbind and rebind the device, and there is no remote attack vector without existing access.[1]
Mitigation
The fix has been applied in the Linux kernel stable commit d17c16a2b2a6. Users should update to a kernel version that includes this commit or a later stable release. No workarounds are publicly documented; the best mitigation is to apply the kernel update. This CVE does not appear on the CISA Known Exploited Vulnerabilities (KEV) list at publication time.[1]
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (4)
280a5ff665e1
fac9c624138c
d17c16a2b2a6
e02ba11b4576
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (4)
News mentions (0)
No linked articles in our index yet.