CVE-2022-48867

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
21/08/2024
Last modified:
06/09/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

dmaengine: idxd: Prevent use after free on completion memory

On driver unload any pending descriptors are flushed at the
time the interrupt is freed:
idxd_dmaengine_drv_remove() ->
drv_disable_wq() ->
idxd_wq_free_irq() ->
idxd_flush_pending_descs().

If there are any descriptors present that need to be flushed this
flow triggers a "not present" page fault as below:

BUG: unable to handle page fault for address: ff391c97c70c9040
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page

The address that triggers the fault is the address of the
descriptor that was freed moments earlier via:
drv_disable_wq()->idxd_wq_free_resources()

Fix the use after free by freeing the descriptors after any possible
usage. This is done after idxd_wq_reset() to ensure that the memory
remains accessible during possible completion writes by the device.
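The teardown ordering the commit message describes, as an added user-space model that is not idxd driver code and does not use the kernel's API: every identifier ending in _model is invented for the illustration. Accesses to the descriptor ("completion") memory are routed through one helper so that a touch after free is counted instead of faulting, which lets the vulnerable order (free resources first, then flush) be compared with the fixed order (flush, reset the device, then free) on the same workload.

```c
/* Added example, not idxd driver code: a model of the teardown ordering.
 * Names ending in _model are invented for this illustration. */
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

#define NDESC_MODEL 4

struct desc_model {
	unsigned int id;
	bool completed;     /* written by the simulated device on completion */
};

struct wq_model {
	struct desc_model *descs;  /* completion memory; dangles after free */
	bool descs_freed;          /* models the "not-present page" after free */
	bool pending[NDESC_MODEL]; /* submitted, not yet completed */
	bool device_reset;         /* device stopped; no more completion writes */
	unsigned int uaf_accesses; /* touches of completion memory after free */
};

/* Every access to completion memory goes through here so a use after
 * free is counted instead of faulting, as the real kernel did. */
static struct desc_model *desc_access_model(struct wq_model *wq, unsigned int i)
{
	if (wq->descs_freed) {
		wq->uaf_accesses++;
		return NULL;
	}
	return &wq->descs[i];
}

static void wq_alloc_resources_model(struct wq_model *wq)
{
	wq->descs = calloc(NDESC_MODEL, sizeof(*wq->descs));
	wq->descs_freed = false;
	for (unsigned int i = 0; i < NDESC_MODEL; i++)
		wq->descs[i].id = i;
}

static void wq_free_resources_model(struct wq_model *wq)
{
	free(wq->descs);
	wq->descs_freed = true; /* pointer stays dangling, as in the bug */
}

/* Simulated late device completion: while the device is live it writes
 * the completion record of a descriptor it still owns. */
static void device_complete_model(struct wq_model *wq, unsigned int i)
{
	struct desc_model *d;

	if (wq->device_reset || !wq->pending[i])
		return;
	d = desc_access_model(wq, i);
	if (d)
		d->completed = true;
	wq->pending[i] = false;
}

static void wq_reset_model(struct wq_model *wq)
{
	wq->device_reset = true; /* no completion writes after this point */
}

/* Flush what the device never completed: read each pending descriptor to
 * abort it. This is the read that faulted in the report above. */
static void flush_pending_descs_model(struct wq_model *wq)
{
	for (unsigned int i = 0; i < NDESC_MODEL; i++) {
		struct desc_model *d;

		if (!wq->pending[i])
			continue;
		d = desc_access_model(wq, i);
		if (d)
			d->completed = true; /* reported as aborted to the submitter */
		wq->pending[i] = false;
	}
}

static void wq_free_irq_model(struct wq_model *wq)
{
	flush_pending_descs_model(wq);
}

/* Tear down with `npending` descriptors outstanding and one late device
 * completion arriving mid-teardown. Returns the number of touches of
 * freed completion memory: 0 means no use after free. */
unsigned int teardown_model(bool fixed_order, unsigned int npending)
{
	struct wq_model wq;

	memset(&wq, 0, sizeof(wq));
	wq_alloc_resources_model(&wq);
	for (unsigned int i = 0; i < npending && i < NDESC_MODEL; i++)
		wq.pending[i] = true;

	if (!fixed_order) {
		/* Vulnerable order: completion memory is freed first, so the
		 * late completion write and the flush both touch freed memory. */
		wq_free_resources_model(&wq);
		device_complete_model(&wq, 0);
		wq_free_irq_model(&wq);
		wq_reset_model(&wq);
	} else {
		/* Fixed order: flush, reset the device, then free the memory
		 * only once nothing can write to it. */
		device_complete_model(&wq, 0);
		wq_free_irq_model(&wq);
		wq_reset_model(&wq);
		wq_free_resources_model(&wq);
	}
	return wq.uaf_accesses;
}
```

With three outstanding descriptors the vulnerable order records three touches of freed memory (one late completion write plus two flush reads), the fixed order records none, and with no pending descriptors even the vulnerable order is clean, matching the commit message's condition that descriptors must be present for the flush to fault.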

Vulnerable products and versions

CPE | From | Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.19 (including) | 6.1.8 (excluding)