Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's DMA engine, specifically within the sf-pdma component, allows for improper multithreaded use of DMA channels. This issue can lead to a system hang and a kernel NULL pointer dereference, causing a crash. The vulnerability arises from a data race where multiple threads overwrite a channel's descriptor, leading the driver to mistakenly believe it is using the correct descriptor when it has actually been freed or replaced. The problem can be reproduced by configuring the dmatest module to use multiple threads per channel and running a test that iterates through the DMA process, which triggers the race condition and subsequent system failure.
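The descriptor race described above, as an added userspace model in C that is not the sf-pdma driver's code or the upstream fix. Every name is hypothetical, the two-thread interleaving is replayed sequentially so the outcome is deterministic, and the queued variant is one assumed way to give each transfer its own descriptor.

```c
#include <stdlib.h>
/* Userspace model of the race; every name here is hypothetical, not sf-pdma code. */
struct desc { int id; struct desc *next; };
/* cur: the racy single slot; head/tail: FIFO of per-transfer descriptors. */
struct chan { struct desc *cur, *head, *tail; };

static int finish(struct desc *d) { /* report which id ran, release its descriptor */
    int id = d->id;
    free(d);
    return id;
}

/* Racy prep: frees and replaces the slot another thread still relies on. */
static void prep_shared(struct chan *c, int id) {
    free(c->cur);
    c->cur = calloc(1, sizeof(*c->cur));
    if (c->cur) c->cur->id = id;
}
/* Racy issue: runs whatever sits in the slot; -1 stands for the NULL dereference. */
static int issue_shared(struct chan *c) {
    struct desc *d = c->cur;
    c->cur = NULL;
    return d ? finish(d) : -1;
}

/* Queued prep: each transfer owns its descriptor (a driver would hold the channel lock). */
static void prep_queued(struct chan *c, int id) {
    struct desc *d = calloc(1, sizeof(*d));
    if (!d) return;
    d->id = id;
    if (c->tail) c->tail->next = d; else c->head = d;
    c->tail = d;
}
static int issue_queued(struct chan *c) {
    struct desc *d = c->head;
    if (!d) return -1;
    c->head = d->next;
    if (!c->head) c->tail = NULL;
    return finish(d);
}

/* Replay "A preps 1, B preps 2, A issues, B issues"; out[] gets the id each issue ran. */
void replay(int queued, int out[2]) {
    struct chan c = {0};
    for (int id = 1; id <= 2; id++)
        if (queued) prep_queued(&c, id); else prep_shared(&c, id);
    for (int i = 0; i < 2; i++)
        out[i] = queued ? issue_queued(&c) : issue_shared(&c);
}
```

With the shared slot, `replay(0, out)` yields {2, -1}: transfer 1 never runs (the hang) and the second issue finds an empty slot (the NULL dereference in the kernel). With per-transfer descriptors, `replay(1, out)` yields {1, 2}.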
Exploitation of this vulnerability causes a kernel crash due to a NULL pointer dereference, disrupting system operations and potentially leading to a denial of service.
The vulnerability can be reproduced by loading the dmatest module and setting the 'threads_per_chan' parameter to 64, the 'iterations' parameter to 10000, and then starting the test. This configuration causes multiple threads to simultaneously access and modify the DMA channel descriptors, leading to a crash.
Users should update to the latest version of the Linux kernel where this vulnerability has been addressed.