CVE-2023-54225

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
30/12/2025
Last modified:
30/12/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

net: ipa: only reset hashed tables when supported

Last year, the code that manages GSI channel transactions switched from using spinlock-protected linked lists to using indexes into the ring buffer used for a channel. Recently, Google reported seeing transaction reference count underflows occasionally during shutdown.

Doug Anderson found a way to reproduce the issue reliably, and bisected the issue to the commit that eliminated the linked lists and the lock. The root cause was ultimately determined to be related to unused transactions being committed as part of the modem shutdown cleanup activity. Unused transactions are not normally expected (except in error cases).

The modem uses some ranges of IPA-resident memory, and whenever it shuts down we zero those ranges. In ipa_filter_reset_table() a transaction is allocated to zero modem filter table entries. If hashing is not supported, hashed table memory should not be zeroed. But currently nothing prevents that, and the result is an unused transaction. Something similar occurs when we zero routing table entries for the modem.

By preventing any attempt to clear hashed tables when hashing is not supported, the reference count underflow is avoided in this case.

Note that there likely remains an issue with properly freeing unused transactions (if they occur due to errors). This patch addresses only the underflows that Google originally reported.

Impact