Linux Kernel MIPI I3C HCI RING_CTRL_ABORT DMA Dequeue Handling Vulnerability

A vulnerability in the Linux kernel's MIPI I3C Host Controller Interface (HCI) driver has been addressed. The issue arose from improper handling of the RING_CTRL_ABORT command during Direct Memory Access (DMA) operations. Several flaws were identified: the driver would issue a ring abort command even if the ring had already stopped, the mechanism for waiting for the abort operation to complete was not properly re-initialized, the abort sequence inadvertently disabled the RING_CTRL_ENABLE signal which is crucial for maintaining the correct state of hardware ring pointers, and the abort operation did not recognize when the ring was already stopped, leading to unnecessary actions. The vulnerability has been fixed by implementing a check to ensure the ring is active before issuing an abort, re-initializing the completion signal when necessary, keeping the RING_CTRL_ENABLE signal active during the abort process, and acknowledging an already stopped ring as a successful abort condition.

Impact

The vulnerability could lead to incorrect management of the DMA ring, potentially causing disruptions in the controller's operation by improperly resetting hardware ring pointers and interfering with the overall state of the controller.

Reproduction

The vulnerability can be reproduced by using the affected MIPI I3C HCI driver in a scenario where the DMA ring management is tested. The original flawed logic will be evident as the driver issues an abort command regardless of the ring's status, fails to properly synchronize the abort operation, and inadvertently disrupts the controller's state by clearing the RING_CTRL_ENABLE signal.

Remediation

Users can apply the latest patches available in the Linux kernel stable tree to address this vulnerability.