Bug 2419839 (CVE-2023-53746)

Summary: CVE-2023-53746 kernel: s390/vfio-ap: fix memory leak in vfio_ap device driver
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
In the s390 VFIO-AP driver, memory allocated for the vfio_matrix_dev structure is never released during device cleanup. The release callback incorrectly uses dev_get_drvdata() to locate the object, but since it was never stored there, the function returns NULL and kfree() silently accepts it. The correct approach requires container_of() to retrieve the enclosing structure.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-12-08 07:02:28 UTC 
In the Linux kernel, the following vulnerability has been resolved:

s390/vfio-ap: fix memory leak in vfio_ap device driver

The device release callback function invoked to release the matrix device
uses the dev_get_drvdata(device *dev) function to retrieve the
pointer to the vfio_matrix_dev object in order to free its storage. The
problem is, this object is not stored as drvdata with the device; since the
kfree function will accept a NULL pointer, the memory for the
vfio_matrix_dev object is never freed.

Since the device being released is contained within the vfio_matrix_dev
object, the container_of macro will be used to retrieve its pointer.
Comment 1 Alexander B 2025-12-10 11:04:37 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025120841-CVE-2023-53746-cbfd@gregkh/T