CVE-2022-48867

Source: https://nvd.nist.gov/vuln/detail/CVE-2022-48867
Import Source: https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-48867.json
JSON Data: https://api.test.osv.dev/v1/vulns/CVE-2022-48867
Published: 2024-08-21T06:09:57Z
Modified: 2025-10-15T15:06:03.456485Z
Summary
dmaengine: idxd: Prevent use after free on completion memory
Details

In the Linux kernel, the following vulnerability has been resolved:

dmaengine: idxd: Prevent use after free on completion memory

On driver unload any pending descriptors are flushed at the time the interrupt is freed: idxd_dmaengine_drv_remove() -> drv_disable_wq() -> idxd_wq_free_irq() -> idxd_flush_pending_descs().

If there are any descriptors present that need to be flushed this flow triggers a "not present" page fault as below:

BUG: unable to handle page fault for address: ff391c97c70c9040
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page

The address that triggers the fault is the address of the descriptor that was freed moments earlier via: drv_disable_wq() -> idxd_wq_free_resources()

Fix the use after free by freeing the descriptors after any possible usage. This is done after idxd_wq_reset() to ensure that the memory remains accessible during possible completion writes by the device.

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events:
  Introduced: 63c14ae6c161dec8ff3be49277edc75a769e054a
  Fixed: b9e8e3fcfec625fc1c2f68f684448aeeb882625b

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events:
  Introduced: 63c14ae6c161dec8ff3be49277edc75a769e054a
  Fixed: 1beeec45f9ac31eba52478379f70a5fa9c2ad005

Affected versions

v5.*

v5.18
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8

v6.*

v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.1.1
v6.1.2
v6.1.3
v6.1.4
v6.1.5
v6.1.6
v6.1.7
v6.2-rc1

Database specific

vanir_signatures

[
    {
        "signature_type": "Line",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1beeec45f9ac31eba52478379f70a5fa9c2ad005",
        "signature_version": "v1",
        "target": {
            "file": "drivers/dma/idxd/device.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
            ]
        },
        "id": "CVE-2022-48867-86306fb5"
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b9e8e3fcfec625fc1c2f68f684448aeeb882625b",
        "signature_version": "v1",
        "target": {
            "file": "drivers/dma/idxd/device.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
            ]
        },
        "id": "CVE-2022-48867-bdff0ef6"
    }
]

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events:
  Introduced: 5.19.0
  Fixed: 6.1.8