Linux Kernel PCI Designware Endpoint MSI-X Write Flush Vulnerability

Vulnerability

A vulnerability exists in the Linux kernel's PCI Designware endpoint driver, specifically in how it handles MSI-X interrupts. The function dw_pcie_ep_raise_msix_irq() sends an MSI-X interrupt to the host using a posted write transaction. Posted writes have no completion acknowledgment, so the function cannot tell when the write has reached the host. This creates a race condition: the function unmaps the outbound Address Translation Unit (ATU) entry used for the write before the write has completed, potentially corrupting host memory or causing IOMMU errors. The issue has been observed when running the 'fio' tool with a large queue depth against 'nvmet-pci-epf', where IOMMU errors were reported.
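The ordering problem described above can be seen in a small user-space model. This is an added example, not kernel code and not the upstream fix: every name in it (ep_model, drain, raise_msix, the slot constants) is hypothetical, the message value 0x4d is constructed, and the read-back used as a flush is an assumption based on the PCIe rule that a read cannot pass earlier posted writes.

```c
/* Constructed toy model of the ordering problem; not kernel code. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
enum { MSIX_SLOT = 0, OTHER_SLOT = 1, UNMAPPED = -1 };
struct ep_model {
    int      window;       /* host slot the outbound ATU entry targets */
    bool     pending;      /* a posted write is still in flight */
    uint32_t data;         /* payload of that write */
    uint32_t host[2];      /* host memory: MSI-X target, unrelated buffer */
    int      faults;       /* writes that left with no translation */
};

/* In this model a write is translated when it leaves, not when issued. */
static void drain(struct ep_model *m)
{
    if (!m->pending)
        return;
    if (m->window == UNMAPPED)
        m->faults++;
    else
        m->host[m->window] = m->data;
    m->pending = false;
}

/* next: ATU entry state after the unmap (UNMAPPED, or reused for OTHER_SLOT).
 * Returns true if the message reached the MSI-X target. */
static bool raise_msix(struct ep_model *m, uint32_t msg, bool flush, int next)
{
    m->window = MSIX_SLOT;               /* map the outbound window */
    m->pending = true; m->data = msg;    /* posted write: no completion */
    if (flush)
        drain(m);  /* read-back: a read cannot pass earlier posted writes */
    m->window = next;                    /* unmap, possibly reuse */
    drain(m);                            /* late completion, if any */
    return m->host[MSIX_SLOT] == msg;
}

int main(void)
{
    struct ep_model racy = {0}, reused = {0}, fixed = {0};
    bool a = raise_msix(&racy, 0x4d, false, UNMAPPED);
    bool b = raise_msix(&reused, 0x4d, false, OTHER_SLOT);
    bool c = raise_msix(&fixed, 0x4d, true, UNMAPPED);
    printf("unmapped: ok=%d faults=%d\n", a, racy.faults);
    printf("reused:   ok=%d stray=0x%x\n", b, (unsigned)reused.host[OTHER_SLOT]);
    printf("flushed:  ok=%d faults=%d\n", c, fixed.faults);
    return 0;
}
```

The unflushed runs model the two outcomes the advisory names: a write with no translation (the IOMMU error case) and a write landing in an unrelated host buffer (the memory corruption case).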

Impact

Exploitation of this vulnerability can lead to corruption of host memory or IOMMU errors, such as unprivileged data write faults.

Reproduction

The vulnerability can be reproduced by using the 'fio' tool with a larger queue depth against 'nvmet-pci-epf'. This will trigger the IOMMU errors associated with the vulnerability.

Remediation

The vulnerability has been addressed in the Linux kernel. Users can upgrade to the latest version to apply the fix.

Added: Mar 25, 2026, 12:02 PM
Updated: Mar 25, 2026, 12:02 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 7.5
exploitability: 5.3
remediation: 7.7
relevance: 4.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.