Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability in the Linux kernel's handling of GSI channel transactions can cause transaction reference count underflows during modem shutdown, because unused transactions are incorrectly committed as part of the shutdown process. The problem is linked to a recent change that removed spinlock-protected linked lists in favor of using indexes in the ring buffer for channel management. The vulnerability specifically affects the IPA (Infrastructure Processing Architecture) component of the net subsystem.
The vulnerability can cause transaction reference count underflows, which may lead to memory management issues or other unintended behaviors in the system.
The vulnerability can be reproduced by managing GSI channel transactions in a way that triggers the modem shutdown process. During this process, the IPA-resident memory ranges are zeroed out, and a transaction is allocated to clear modem filter table entries. If hashing is not supported, this operation should not be performed, but the current implementation lacks the necessary checks, resulting in an unused transaction. Similar behavior occurs when routing table entries are cleared for the modem, creating another unused transaction.
The vulnerability has been addressed by modifying the IPA table reset functions to check for hashing support before attempting to clear hashed table entries. Users can apply the latest patches available in the Linux kernel stable tree to mitigate this issue.
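The following user-space model is an added example, not code from the kernel or from the patch; it shows how committing an unused transaction can drive a reference count below zero and how the hashing-support check described above avoids allocating that transaction. All names are hypothetical, and the double-release path in `trans_commit` is an assumption made for illustration, not the kernel's actual code path.

```c
#include <stdbool.h>
#include <stdio.h>
/* User-space model; every name here is hypothetical, not a kernel symbol. */
struct trans { int refcount; int used_count; };
struct ipa_model { bool hash_supported; int underflows; };

/* Drop one reference; record an underflow instead of going below zero. */
static void trans_put(struct ipa_model *ipa, struct trans *t)
{
    if (t->refcount == 0)
        ipa->underflows++;
    else
        t->refcount--;
}

/* ASSUMED path: unused transaction released at commit, then again on completion. */
static void trans_commit(struct ipa_model *ipa, struct trans *t)
{
    if (t->used_count == 0)
        trans_put(ipa, t);
    trans_put(ipa, t);
}

/* Zero one modem table region; guarded=true applies the described fix. */
static void table_reset(struct ipa_model *ipa, bool hashed, bool guarded)
{
    struct trans t = { .refcount = 1, .used_count = 0 };
    if (guarded && hashed && !ipa->hash_supported)
        return;                 /* fix: no transaction for unsupported hashed tables */
    if (!hashed || ipa->hash_supported)
        t.used_count++;         /* a "zero memory" command was added */
    trans_commit(ipa, &t);
}

/* Model modem shutdown: reset filter and routing tables, return underflows. */
int modem_shutdown_underflows(bool hash_supported, bool guarded)
{
    struct ipa_model ipa = { .hash_supported = hash_supported, .underflows = 0 };
    for (int table = 0; table < 2; table++) {   /* 0 = filter, 1 = routing */
        table_reset(&ipa, false, guarded);
        table_reset(&ipa, true, guarded);
    }
    return ipa.underflows;
}

int main(void)
{
    printf("no hashing: unguarded=%d guarded=%d\n",
           modem_shutdown_underflows(false, false), modem_shutdown_underflows(false, true));
}
```

In the model, underflows appear only when hashing is unsupported and the guard is absent, once for the filter table and once for the routing table.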