In the Linux kernel, the following vulnerability has been resolved:
Avoid hw_desc array overrun in dw-axi-dmac
I have a use case where nrbuffers = 3 and in which each descriptor is composed by 3 segments, resulting in the DMA channel descsallocated to be 9. Since axidescput() handles the hwdesc considering the descsallocated, this scenario would result in a kernel panic (hw_desc array will be overrun).
To fix this, the proposal is to add a new member to the axidmadesc structure, where we keep the number of allocated hwdescs (axidescalloc()) and use it in axidescput() to handle the hwdesc array correctly.
Additionally I propose to remove the axichanstartfirstqueued() call after completing the transfer, since it was identified that unbalance can occur (started descriptors can be interrupted and transfer ignored due to DMA channel not being enabled).