Linux Kernel NVMe PCI Driver DMA Unmapping Vulnerability

Vulnerability

A vulnerability in the Linux kernel's NVMe PCI driver stems from improper handling of a device's DMA unmapping requirements and can lead to a NULL dereference. The issue arises when the initial state of 'dma_needs_unmap' changes mid-iteration, particularly when SWIOTLB is enabled. The driver must allocate and save the mapped DMA vectors for later unmapping rather than assume they were pre-allocated. The vulnerability affects the Linux kernel stable tree.

Impact

Triggering this vulnerability causes a NULL dereference in the kernel, leading to a crash or system instability.

Reproduction

The vulnerability can be reproduced by using the NVMe PCI driver with a device whose DMA unmapping requirements change dynamically. This can be simulated by enabling SWIOTLB, which alters the DMA unmapping behavior. During iteration over the data, the driver encounters an uninitialized DMA vector and dereferences a NULL pointer.

Remediation

Users can upgrade to the latest version of the Linux kernel stable tree, where this vulnerability has been addressed.

Added: Feb 14, 2026, 5:39 PM
Updated: Feb 14, 2026, 5:39 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 7.7
relevance: 3.0
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.