Linux Kernel Qcom ADM Driver Calling Convention Vulnerability Leading to Kernel Panic

Vulnerability

A vulnerability exists in the Linux kernel's Qcom ADM DMA engine driver, specifically in versions 5.11 and later. The driver does not follow the calling convention for the 'prep_slave_sg' function, which is to return NULL on error and log the error. Instead, it returns an error pointer. This mismatch can indirectly cause a kernel panic, particularly with the NAND controller driver, which only checks that the returned pointer is not NULL. The NAND driver therefore treats the error pointer as a successful result and crashes later in execution. Although the panic occurs in the NAND driver, the root cause is the Qcom ADM driver's failure to follow the established calling convention.
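The mismatch described above, as an added userspace model in C (not code from the kernel or from either driver). The ERR_PTR/IS_ERR helpers are re-created to mirror the kernel's include/linux/err.h, and every name other than prep_slave_sg is hypothetical.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace re-creation of the kernel's error-pointer helpers. */
#define MAX_ERRNO 4095
static inline void *ERR_PTR(long err) { return (void *)err; }
static inline int IS_ERR(const void *p) { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }

struct desc { int len; };              /* stand-in for a DMA descriptor */
static struct desc good = { 512 };     /* constructed sample descriptor */

/* Pre-fix behaviour: failure is encoded as an error pointer. */
static struct desc *prep_before_fix(int fail)
{
    return fail ? ERR_PTR(-ENOMEM) : &good;
}

/* Convention-following behaviour: log the error, then return NULL. */
static struct desc *prep_after_fix(int fail)
{
    if (fail) {
        fprintf(stderr, "prep_slave_sg: failed to prepare descriptor\n");
        return NULL;
    }
    return &good;
}

/* Caller modelled on the page's description: a NULL-only check.
 * Returns 0 if it would go on to use the descriptor, -EIO if it bails out. */
static int caller_accepts(const struct desc *d) { return d ? 0 : -EIO; }

/* 1 if a failed prep call gets past the NULL-only caller as an error pointer. */
static int failure_slips_through(struct desc *(*prep)(int))
{
    struct desc *d = prep(1);
    return caller_accepts(d) == 0 && IS_ERR(d);
}

int main(void)
{
    printf("before fix: %d\n", failure_slips_through(prep_before_fix));
    printf("after fix:  %d\n", failure_slips_through(prep_after_fix));
    return 0;
}
```

The model stops at the check itself: in the kernel, the later use of the accepted error pointer is where the panic occurs.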

Impact

The improper handling of error conditions in the Qcom ADM driver can lead to kernel panics when the NAND controller driver is used, causing system instability and crashes.

Reproduction

The vulnerability can be reproduced by using the Qcom ADM DMA engine driver in conjunction with the NAND controller driver. The NAND controller will check the return value of the 'prep_slave_sg' function. If an error occurs, the Qcom ADM driver will return an error pointer instead of NULL, causing the NAND controller to incorrectly assume the operation was successful. This discrepancy will lead to a kernel panic when the NAND controller attempts to proceed with the operation.

Remediation

The vulnerability has been addressed in the Linux kernel. Users should upgrade to the latest version where this issue has been fixed.

Added: Dec 24, 2025, 6:08 PM
Updated: Dec 24, 2025, 6:08 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 1.7
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.