Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's handling of NAND controller operations can lead to conflicts on controllers that implement a single operation as multiple low-level PIO commands. The issue arises because nand_lock() and nand_unlock() call into chip->ops.lock_area and chip->ops.unlock_area without holding the NAND device lock. This creates a race with concurrent UBI/UBIFS background erase/write operations, which do hold the device lock, resulting in cmd_pending conflicts on the NAND controller.
The vulnerability can cause command pending conflicts on the affected NAND controller, disrupting normal operations and potentially leading to data corruption or loss.
The vulnerability can be reproduced on a NAND controller that implements the SET_FEATURES command as multiple low-level PIO operations. While nand_lock() or nand_unlock() is driving such a sequence without the device lock, a concurrent UBI or UBIFS background erase or write operation, which does hold the NAND device lock, can start and race the unprotected lock/unlock sequence.
The vulnerability has been addressed by modifying the NAND lock and unlock functions to include calls to nand_get_device() and nand_release_device(), which serialize these operations against all other accesses to the NAND controller. Users should update to the latest version of the Linux kernel where this fix has been applied.
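The race and the fix described above, as an added illustrative model written for this page (not the kernel's rawnand driver code): a constructed NAND controller whose lock_area op runs as three PIO commands under one cmd_pending flag, a queued UBI-style background erase that correctly takes the device lock first, and the two versions of nand_lock(), before and after wrapping the op in nand_get_device()/nand_release_device(). The model_* names, the flag that stands in for the kernel's blocking device lock, and the three-step command sequence are assumptions of this example; nand_unlock() receives the same wrapping in the fix.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model (not kernel code) of a NAND controller whose lock_area
 * op is executed as several low-level PIO commands while cmd_pending is set.
 * The device lock is modelled by a flag; the real nand_get_device() blocks
 * until the lock is free instead of returning -EBUSY. */
struct model_controller {
    bool cmd_pending;   /* a multi-step PIO command sequence is in flight */
    bool device_locked; /* stands in for the NAND device lock */
    int conflicts;      /* cmd_pending collisions observed */
};

struct model_chip {
    struct model_controller *ctrl;
    bool erase_pending; /* a UBI/UBIFS background erase is waiting to run */
    int (*lock_area)(struct model_chip *chip, uint64_t ofs, uint64_t len);
};

/* Issue one low-level command; issuing while cmd_pending is set is a conflict. */
static int model_issue_cmd(struct model_controller *ctrl)
{
    if (ctrl->cmd_pending) {
        ctrl->conflicts++;
        return -EBUSY;
    }
    return 0;
}

/* Models nand_get_device()/nand_release_device(): exclusive device access. */
static int model_get_device(struct model_chip *chip)
{
    if (chip->ctrl->device_locked)
        return -EBUSY; /* the kernel function would sleep here instead */
    chip->ctrl->device_locked = true;
    return 0;
}

static void model_release_device(struct model_chip *chip)
{
    chip->ctrl->device_locked = false;
}

/* UBI/UBIFS background erase: correctly takes the device lock first. */
static void model_run_background(struct model_chip *chip)
{
    if (!chip->erase_pending)
        return;
    if (model_get_device(chip))
        return;                  /* lock held: erase stays queued until release */
    chip->erase_pending = false;
    model_issue_cmd(chip->ctrl); /* ERASE; collides if a PIO sequence is in flight */
    model_release_device(chip);
}

/* lock_area implemented as three PIO commands under one cmd_pending.
 * Between steps the scheduler may run the background erase. */
static int model_lock_area(struct model_chip *chip, uint64_t ofs, uint64_t len)
{
    struct model_controller *ctrl = chip->ctrl;
    (void)ofs;
    (void)len;
    if (model_issue_cmd(ctrl))
        return -EBUSY;
    ctrl->cmd_pending = true;
    for (int step = 0; step < 3; step++)
        model_run_background(chip); /* preemption point between PIO commands */
    ctrl->cmd_pending = false;
    return 0;
}

/* Before the fix: the op is called without holding the device lock. */
static int model_nand_lock_unprotected(struct model_chip *chip, uint64_t ofs, uint64_t len)
{
    if (!chip->lock_area)
        return -EOPNOTSUPP;
    return chip->lock_area(chip, ofs, len);
}

/* After the fix: serialized against every other access to the controller. */
static int model_nand_lock_fixed(struct model_chip *chip, uint64_t ofs, uint64_t len)
{
    int ret;
    if (!chip->lock_area)
        return -EOPNOTSUPP;
    ret = model_get_device(chip);
    if (ret)
        return ret;
    ret = chip->lock_area(chip, ofs, len);
    model_release_device(chip);
    return ret;
}

/* Run one lock request with a background erase queued; return conflicts seen. */
int model_conflicts(bool fixed)
{
    struct model_controller ctrl = {0};
    struct model_chip chip = { .ctrl = &ctrl, .erase_pending = true,
                               .lock_area = model_lock_area };
    if (fixed)
        model_nand_lock_fixed(&chip, 0, 4096);
    else
        model_nand_lock_unprotected(&chip, 0, 4096);
    model_run_background(&chip); /* an erase deferred by the lock now runs */
    return ctrl.conflicts;
}

int main(void)
{
    printf("unprotected nand_lock: %d cmd_pending conflict(s)\n", model_conflicts(false));
    printf("fixed nand_lock:       %d cmd_pending conflict(s)\n", model_conflicts(true));
    return 0;
}
```

The unprotected version reports one cmd_pending conflict because the erase runs between two PIO steps of the lock sequence; the fixed version reports none, since the erase cannot obtain the device lock until nand_release_device() has run and its command is issued only after the sequence completes.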