Description
In the Linux kernel, the following vulnerability has been resolved: dmaengine: mmp_pdma: Fix race condition in mmp_pdma_residue() Add proper locking in mmp_pdma_residue() to prevent use-after-free when accessing descriptor list and descriptor contents. The race occurs when multiple threads call tx_status() while the tasklet on another CPU is freeing completed descriptors: CPU 0 CPU 1 ----- ----- mmp_pdma_tx_status() mmp_pdma_residue() -> NO LOCK held list_for_each_entry(sw, ..) DMA interrupt dma_do_tasklet() -> spin_lock(&desc_lock) list_move(sw->node, ...) spin_unlock(&desc_lock) | dma_pool_free(sw) <- FREED! -> access sw->desc <- UAF! This issue can be reproduced when running dmatest on the same channel with multiple threads (threads_per_chan > 1). Fix by protecting the chain_running list iteration and descriptor access with the chan->desc_lock spinlock.
Product status
1b38da264674d6a0fe26a63996b8f88b88c3da48 (git) before 3f0e0e2d9e752570041e95fd04635e2580097819
1b38da264674d6a0fe26a63996b8f88b88c3da48 (git) before dfb5e05227745de43b7fd589721817a4337c970d
1b38da264674d6a0fe26a63996b8f88b88c3da48 (git) before eba0c75670c022cb1f948600db972524bcfe8166
1b38da264674d6a0fe26a63996b8f88b88c3da48 (git) before fc023b8fab057f0c910856ff36d3e12a30b7af4a
1b38da264674d6a0fe26a63996b8f88b88c3da48 (git) before 9f665b3c3d9a168410251f27a5d019b7bf93185c
1b38da264674d6a0fe26a63996b8f88b88c3da48 (git) before a143545855bc2c6e1330f6f57ae375ac44af00a7
3.16
Any version before 3.16
5.15.209 (semver)
6.1.167 (semver)
6.6.130 (semver)
6.12.78 (semver)
6.18.10 (semver)
6.19 (original_commit_for_fix)
References
git.kernel.org/...c/3f0e0e2d9e752570041e95fd04635e2580097819
git.kernel.org/...c/dfb5e05227745de43b7fd589721817a4337c970d
git.kernel.org/...c/eba0c75670c022cb1f948600db972524bcfe8166
git.kernel.org/...c/fc023b8fab057f0c910856ff36d3e12a30b7af4a
git.kernel.org/...c/9f665b3c3d9a168410251f27a5d019b7bf93185c
git.kernel.org/...c/a143545855bc2c6e1330f6f57ae375ac44af00a7