CVE-2023-53094
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
02/05/2025
Last modified:
02/05/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
tty: serial: fsl_lpuart: fix race on RX DMA shutdown<br />
<br />
From time to time DMA completion can come in the middle of DMA shutdown:<br />
<br />
: :<br />
lpuart32_shutdown()<br />
lpuart_dma_shutdown()<br />
del_timer_sync()<br />
lpuart_dma_rx_complete()<br />
lpuart_copy_rx_to_tty()<br />
mod_timer()<br />
lpuart_dma_rx_free()<br />
<br />
When the timer fires a bit later, sport->dma_rx_desc is NULL:<br />
<br />
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000004<br />
pc : lpuart_copy_rx_to_tty+0xcc/0x5bc<br />
lr : lpuart_timer_func+0x1c/0x2c<br />
Call trace:<br />
lpuart_copy_rx_to_tty<br />
lpuart_timer_func<br />
call_timer_fn<br />
__run_timers.part.0<br />
run_timer_softirq<br />
__do_softirq<br />
__irq_exit_rcu<br />
irq_exit<br />
handle_domain_irq<br />
gic_handle_irq<br />
call_on_irq_stack<br />
do_interrupt_handler<br />
...<br />
<br />
To fix this fold del_timer_sync() into lpuart_dma_rx_free() after<br />
dmaengine_terminate_sync() to make sure timer will not be re-started in<br />
lpuart_copy_rx_to_tty()
Impact
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/19a98d56dfedafb25652bdb9cd48a4e73ceba702
- https://git.kernel.org/stable/c/1be6f2b15f902c02e055ae0b419ca789200473c9
- https://git.kernel.org/stable/c/2a36b444cace9580380467fd1183bb5e85bcc80a
- https://git.kernel.org/stable/c/90530e7214c8a04dcdde57502d93fa96af288c38
- https://git.kernel.org/stable/c/954fc9931f0aabf272b5674cf468affdd88d3a36