Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability exists in the Linux kernel's handling of Deactivation Bus Controller (DBC) resources within the QAIC (Qualcomm AI Compute) framework. When a DBC is released, the device sends a deactivation transaction to the host over the QAIC_CONTROL MHI channel. This transaction is processed in the context of the QAIC management ioctl. If the user disconnects before the deactivation is acknowledged, the host's view of the available DBCs falls out of sync, and the DBC's resources remain allocated until the device is physically removed. If another user then activates a network and the same DBC is reassigned, the result is a deadlock: QAIC waits indefinitely for the DBC to be freed and the user process hangs. The root cause is that deactivation transactions are not properly handled if the user has already disconnected.
Failure to synchronize DBC deactivation can cause user processes to hang indefinitely, waiting for resources that are not freed until the device is removed.
The vulnerability can be reproduced by activating a network using a DBC, then disconnecting the user before the deactivation transaction is processed. This will leave the DBC resources allocated, causing any subsequent network activations to hang while waiting for the DBC to be freed.
The vulnerability has been addressed by modifying the QAIC control path to properly handle deactivation transactions that arrive after the user has disconnected. Users can apply the latest patches available in the Linux kernel stable tree to mitigate this issue.
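The sequence described above can be replayed in a small user-space model. This is an added illustration, not code from the kernel or the QAIC driver; every name in it (`struct model`, `control_rx`, `activate`, `replay`) is hypothetical, and the "wait" is modelled as a `-1` return instead of an actual block.

```c
/* Simplified user-space model of the host's DBC bookkeeping; not kernel code. */
#include <stdbool.h>
#include <stdio.h>

enum { NUM_DBC = 4, NO_MSG = -1 };

struct model {
    bool in_use[NUM_DBC];   /* host's view of each DBC */
    bool user_open;         /* owner still has the device open */
    int  pending;           /* DBC id of an unprocessed deactivation */
    bool patched;           /* true: handle deactivations with no owner */
};

/* A deactivation arrives on the control channel. With an owner present it is
 * processed on the owner's behalf; with no owner only the patched model acts. */
static void control_rx(struct model *m, int dbc_id)
{
    m->pending = dbc_id;
    if (!m->user_open && !m->patched)
        return;                     /* never processed: DBC stays allocated */
    m->in_use[dbc_id] = false;
    m->pending = NO_MSG;
}

/* Returns 0 on success, -1 where the real driver would wait for the DBC. */
static int activate(struct model *m, int dbc_id)
{
    if (m->in_use[dbc_id])
        return -1;
    m->in_use[dbc_id] = true;
    m->user_open = true;
    return 0;
}

/* Replay the sequence from the text; returns the second activation's result. */
static int replay(bool patched)
{
    struct model m = { .pending = NO_MSG, .patched = patched };
    activate(&m, 0);        /* first user activates a network on DBC 0 */
    m.user_open = false;    /* user disconnects before the deactivation */
    control_rx(&m, 0);      /* device's deactivation arrives afterwards */
    return activate(&m, 0); /* device assigns DBC 0 to the next user */
}

int main(void)
{
    printf("unpatched: %d, patched: %d\n", replay(false), replay(true));
    return 0;
}
```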