Linux Kernel DMA Engine MMP PDMA Race Condition Vulnerability Leading to Use-After-Free

Vulnerability

A race condition vulnerability has been identified in the Linux kernel's DMA engine, specifically within the MMP PDMA (Parallel DMA) driver. This vulnerability allows for a use-after-free condition when accessing the descriptor list and its contents. The issue arises because multiple threads can call the 'tx_status()' function simultaneously, while a tasklet on another CPU is in the process of freeing completed descriptors. The lack of proper locking mechanisms enables one thread to access a descriptor that has already been freed, leading to potential memory corruption or exploitation.

Impact

Exploitation of this vulnerability causes a use-after-free condition, where a thread accesses memory that has already been freed, potentially leading to memory corruption or arbitrary code execution.

Reproduction

The vulnerability can be reproduced by running 'dmatest' on the same DMA channel with multiple threads (threads_per_chan greater than 1).

Remediation

The vulnerability has been addressed by adding proper locking in the 'mmp_pdma_residue()' function to synchronize access to the descriptor list and prevent the use-after-free condition. Users should upgrade to the latest version of the Linux kernel where this fix has been applied.
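The locking pattern described above, as an added userspace model (not the driver's code or the upstream patch): a pthread mutex stands in for the channel's descriptor-list lock, and all names (chan_residue, chan_complete_one, run_model) are hypothetical. Several pollers play the role of concurrent 'tx_status()' callers while a reaper thread plays the tasklet that frees completed descriptors.

```c
/* Userspace model, not driver code: a pthread mutex stands in for the
 * channel's descriptor-list lock. All names are hypothetical. */
#include <pthread.h>
#include <stdlib.h>
#define NDESC 2000
#define DESC_LEN 64u
struct desc { struct desc *next; unsigned len; };
struct chan { pthread_mutex_t lock; struct desc *running; };
/* Status path: lock held for the whole walk, so no node is freed mid-walk. */
static unsigned chan_residue(struct chan *c) {
    unsigned sum = 0;
    pthread_mutex_lock(&c->lock);
    for (struct desc *d = c->running; d; d = d->next) sum += d->len;
    pthread_mutex_unlock(&c->lock);
    return sum;
}
/* Completion path (the tasklet's role): unlink under the lock, then free. */
static int chan_complete_one(struct chan *c) {
    pthread_mutex_lock(&c->lock);
    struct desc *d = c->running;
    if (d) c->running = d->next;
    pthread_mutex_unlock(&c->lock);
    int done = (d != NULL);
    free(d);
    return done;
}
static void *reaper(void *arg) { while (chan_complete_one(arg)) {} return NULL; }
/* Poll until drained; count residues that grow or are not whole descriptors. */
static void *poller(void *arg) {
    unsigned r, prev = NDESC * DESC_LEN; long bad = 0;
    do { r = chan_residue(arg); bad += (r > prev) || (r % DESC_LEN); prev = r; } while (r);
    return (void *)bad;
}
/* Returns the number of inconsistent observations; 0 is expected. */
static long run_model(int pollers) {   /* pollers <= 8 */
    struct chan c = { .lock = PTHREAD_MUTEX_INITIALIZER, .running = NULL };
    for (int i = 0; i < NDESC; i++) {  /* constructed sample queue */
        struct desc *d = malloc(sizeof *d);
        if (!d) abort();
        d->len = DESC_LEN; d->next = c.running; c.running = d;
    }
    pthread_t t[8], r; long bad = 0; void *res;
    for (int i = 0; i < pollers; i++) pthread_create(&t[i], NULL, poller, &c);
    pthread_create(&r, NULL, reaper, &c);
    for (int i = 0; i < pollers; i++) { pthread_join(t[i], &res); bad += (long)res; }
    pthread_join(r, NULL);
    return bad + (c.running != NULL);
}
int main(void) { return run_model(4) != 0; }
```

Removing the lock calls from chan_residue() recreates the unsynchronized walk in this model; building with -fsanitize=address or -fsanitize=thread is a quick way to confirm that the locked version stays clean.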

Added: Feb 14, 2026, 5:48 PM
Updated: Feb 14, 2026, 5:48 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 7.5
exploitability: 3.9
remediation: 7.7
relevance: 2.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.