CVE-2024-26623

Severity CVSS v4.0:
Pending analysis
Type:
CWE-476 NULL Pointer Dereference
Publication date:
06/03/2024
Last modified:
14/02/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

pds_core: Prevent race issues involving the adminq

There are multiple paths that can result in using the pdsc's adminq.

[1] pdsc_adminq_isr and the resulting work from queue_work(), i.e. pdsc_work_thread()->pdsc_process_adminq()

[2] pdsc_adminq_post()

When the device goes through reset via PCIe reset and/or a fw_down/fw_up cycle due to bad PCIe state or bad device state the adminq is destroyed and recreated.

A NULL pointer dereference can happen if [1] or [2] happens after the adminq is already destroyed.

In order to fix this, add some further state checks and implement reference counting for adminq uses. Reference counting was used because multiple threads can attempt to access the adminq at the same time via [1] or [2]. Additionally, multiple clients (i.e. pds-vfio-pci) can be using [2] at the same time.

The adminq_refcnt is initialized to 1 when the adminq has been allocated and is ready to use. Users/clients of the adminq (i.e. [1] and [2]) will increment the refcnt when they are using the adminq. When the driver goes into a fw_down cycle it will set the PDSC_S_FW_DEAD bit and then wait for the adminq_refcnt to hit 1. Setting the PDSC_S_FW_DEAD before waiting will prevent any further adminq_refcnt increments. Waiting for the adminq_refcnt to hit 1 allows for any current users of the adminq to finish before the driver frees the adminq. Once the adminq_refcnt hits 1 the driver clears the refcnt to signify that the adminq is deleted and cannot be used. On the fw_up cycle the driver will once again initialize the adminq_refcnt to 1 allowing the adminq to be used again.
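The following is an added user-space C model of the refcount scheme the description lays out; it is not the pds_core driver's code. The struct and function names, the value of the PDSC_S_FW_DEAD bit and the malloc'd buffer standing in for the queue are assumptions made for the illustration.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>

/* Assumed stand-in for the driver's pdsc state. PDSC_S_FW_DEAD is the bit
 * the advisory names; its value here is an assumption. */
#define PDSC_S_FW_DEAD (1u << 0)
struct pdsc_adminq {
    unsigned int state;          /* PDSC_S_* bits */
    atomic_uint adminq_refcnt;   /* 0 = deleted, 1 = ready and idle, >1 = in use */
    void *queue;                 /* stands in for the real adminq memory */
};

/* fw_up path: allocate the queue and set adminq_refcnt to 1 (ready). */
int adminq_init(struct pdsc_adminq *q)
{
    if (!(q->queue = malloc(64)))
        return -1;
    q->state &= ~PDSC_S_FW_DEAD;
    atomic_store(&q->adminq_refcnt, 1);
    return 0;
}
/* Every user ([1] ISR/work path, [2] adminq_post) takes a reference first. Fails
 * once FW_DEAD is set or the refcnt was cleared to 0: the unpatched NULL-deref spot. */
bool adminq_get(struct pdsc_adminq *q)
{
    unsigned int old = atomic_load(&q->adminq_refcnt);
    if (q->state & PDSC_S_FW_DEAD)
        return false;
    do {
        if (old == 0)
            return false;        /* already deleted: never touch q->queue */
    } while (!atomic_compare_exchange_weak(&q->adminq_refcnt, &old, old + 1));
    return true;
}
void adminq_put(struct pdsc_adminq *q) { atomic_fetch_sub(&q->adminq_refcnt, 1); }
/* fw_down path, step 1: set FW_DEAD so no further reference can be taken. */
void adminq_stop(struct pdsc_adminq *q) { q->state |= PDSC_S_FW_DEAD; }
/* fw_down path, step 2: the driver polls this until the refcnt drains to 1,
 * then clears it to 0 and frees. Returns false while users are still inside. */
bool adminq_try_free(struct pdsc_adminq *q)
{
    if (atomic_load(&q->adminq_refcnt) > 1)
        return false;            /* still in use: sleep and retry */
    atomic_store(&q->adminq_refcnt, 0);  /* deleted: adminq_get() now fails */
    free(q->queue);              /* free(NULL) is a no-op on a repeat call */
    q->queue = NULL;
    return true;
}
```

Because FW_DEAD is set before the drain, the refcnt can only fall once teardown starts, so the load-then-store in adminq_try_free cannot race with a new increment.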

Vulnerable products and versions

CPE                                              From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     6.4 (including)    6.6.16 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     6.7 (including)    6.7.4 (excluding)
cpe:2.3:o:linux:linux_kernel:6.8:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.8:rc2:*:*:*:*:*:*