Description
In the Linux kernel, the following vulnerability has been resolved: accel/qaic: Handle DBC deactivation if the owner went away When a DBC is released, the device sends a QAIC_TRANS_DEACTIVATE_FROM_DEV transaction to the host over the QAIC_CONTROL MHI channel. QAIC handles this by calling decode_deactivate() to release the resources allocated for that DBC. Since that handling is done in the qaic_manage_ioctl() context, if the user goes away before receiving and handling the deactivation, the host will be out-of-sync with the DBCs available for use, and the DBC resources will not be freed unless the device is removed. If another user loads and requests to activate a network, then the device assigns the same DBC to that network, QAIC will "indefinitely" wait for dbc->in_use = false, leading the user process to hang. As a solution to this, handle QAIC_TRANS_DEACTIVATE_FROM_DEV transactions that are received after the user has gone away.
Product status
129776ac2e38231fa9c02ce20e116c99de291666 (git) before 2dd67966f39a2abf8ccb4865031c722e40e01b7f
129776ac2e38231fa9c02ce20e116c99de291666 (git) before 08021f2d4a557d6491e3bcc288e96425f50aa3cf
129776ac2e38231fa9c02ce20e116c99de291666 (git) before f403094d9075d7c565a3d81002b781c325cb3c07
129776ac2e38231fa9c02ce20e116c99de291666 (git) before ee0180e77e6c8482644569632065411de844c515
129776ac2e38231fa9c02ce20e116c99de291666 (git) before 2feec5ae5df785658924ab6bd91280dc3926507c
6.4
Any version before 6.4
6.6.134 (semver)
6.12.81 (semver)
6.18.22 (semver)
6.19.12 (semver)
7.0 (original_commit_for_fix)
References
git.kernel.org/...c/2dd67966f39a2abf8ccb4865031c722e40e01b7f
git.kernel.org/...c/08021f2d4a557d6491e3bcc288e96425f50aa3cf
git.kernel.org/...c/f403094d9075d7c565a3d81002b781c325cb3c07
git.kernel.org/...c/ee0180e77e6c8482644569632065411de844c515
git.kernel.org/...c/2feec5ae5df785658924ab6bd91280dc3926507c