2.1 KiB
CVE-2024-26623
Description
In the Linux kernel, the following vulnerability has been resolved:pds_core: Prevent race issues involving the adminqThere are multiple paths that can result in using the pdsc'sadminq.[1] pdsc_adminq_isr and the resulting work from queue_work(), i.e. pdsc_work_thread()->pdsc_process_adminq()[2] pdsc_adminq_post()When the device goes through reset via PCIe reset and/ora fw_down/fw_up cycle due to bad PCIe state or bad devicestate the adminq is destroyed and recreated.A NULL pointer dereference can happen if [1] or [2] happensafter the adminq is already destroyed.In order to fix this, add some further state checks andimplement reference counting for adminq uses. Referencecounting was used because multiple threads can attempt toaccess the adminq at the same time via [1] or [2]. Additionally,multiple clients (i.e. pds-vfio-pci) can be using [2]at the same time.The adminq_refcnt is initialized to 1 when the adminq has beenallocated and is ready to use. Users/clients of the adminq(i.e. [1] and [2]) will increment the refcnt when they are usingthe adminq. When the driver goes into a fw_down cycle it willset the PDSC_S_FW_DEAD bit and then wait for the adminq_refcntto hit 1. Setting the PDSC_S_FW_DEAD before waiting will preventany further adminq_refcnt increments. Waiting for theadminq_refcnt to hit 1 allows for any current users of the adminqto finish before the driver frees the adminq. Once theadminq_refcnt hits 1 the driver clears the refcnt to signify thatthe adminq is deleted and cannot be used. On the fw_up cycle thedriver will once again initialize the adminq_refcnt to 1 allowingthe adminq to be used again.
POC
Reference
No PoCs from references.