Linux Kernel DMA Engine IDXD Improper Memory Management Vulnerability

Vulnerability

A vulnerability in the Linux kernel's DMA engine IDXD driver has been addressed. The issue arose from an improper call to 'idxd_free()', which created a duplicate 'put_device()' operation. This led to a reference count underflow, causing a use-after-free condition. The problem was particularly pronounced when the 'CONFIG_DEBUG_KOBJECT_RELEASE' option was enabled, as it could trigger asynchronous device cleanup, potentially leading to memory corruption when the IDXD module was unloaded.

Impact

The vulnerability could cause a use-after-free condition, allowing for memory corruption during the IDXD module's removal process.

Reproduction

The vulnerability can be reproduced by unloading the IDXD module with 'CONFIG_DEBUG_KOBJECT_RELEASE' enabled. This will trigger the asynchronous cleanup of the device, and if 'idxd_free()' is called immediately afterward, it will result in a use-after-free condition.
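The ordering described above, shown as a simplified user-space model. This is an added example, not the kernel driver's code. The `model_*` names are hypothetical, and it assumes the remove path has already dropped the last reference by the time the free helper runs.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified user-space model. None of these names are kernel APIs. */
struct model_dev {
    int refs;        /* reference count, 1 after init */
    int releases;    /* how many times the release callback ran */
    bool underflow;  /* a put arrived after the count had reached 0 */
};

/* Stand-in for put_device(): the last put runs the release callback. */
static void model_put(struct model_dev *d)
{
    if (d->refs == 0) {
        /* In the kernel this put would touch an already released object. */
        d->underflow = true;
        return;
    }
    if (--d->refs == 0)
        d->releases++;   /* release callback: the object is freed here */
}

/* Stand-in for the idxd_free() behaviour described: it drops a reference. */
static void model_free_helper(struct model_dev *d) { model_put(d); }

/* Remove path with the improper call: one put, then the helper puts again. */
static struct model_dev remove_before_fix(void)
{
    struct model_dev d = { .refs = 1 };
    model_put(&d);          /* assumed: remove drops the last reference */
    model_free_helper(&d);  /* duplicate put on a released object */
    return d;
}

/* Remove path without the helper call: one put, one release. */
static struct model_dev remove_after_fix(void)
{
    struct model_dev d = { .refs = 1 };
    model_put(&d);
    return d;
}

int main(void)
{
    printf("before fix: underflow=%d\n", remove_before_fix().underflow);
    printf("after fix:  underflow=%d\n", remove_after_fix().underflow);
    return 0;
}
```

The model records the underflow in a flag instead of dereferencing freed memory, so it is safe to run and shows only the reference accounting.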

Remediation

Users can update to the latest version of the Linux kernel where this vulnerability has been fixed.

Added: Sep 23, 2025, 6:33 AM
Updated: Sep 23, 2025, 6:33 AM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.