CVE-2023-53094
02.05.2025, 16:15
In the Linux kernel, the following vulnerability has been resolved:
tty: serial: fsl_lpuart: fix race on RX DMA shutdown
From time to time DMA completion can come in the middle of DMA shutdown:
<process ctx>: <IRQ>:
lpuart32_shutdown()
lpuart_dma_shutdown()
del_timer_sync()
lpuart_dma_rx_complete()
lpuart_copy_rx_to_tty()
mod_timer()
lpuart_dma_rx_free()
When the timer fires a bit later, sport->dma_rx_desc is NULL:
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000004
pc : lpuart_copy_rx_to_tty+0xcc/0x5bc
lr : lpuart_timer_func+0x1c/0x2c
Call trace:
lpuart_copy_rx_to_tty
lpuart_timer_func
call_timer_fn
__run_timers.part.0
run_timer_softirq
__do_softirq
__irq_exit_rcu
irq_exit
handle_domain_irq
gic_handle_irq
call_on_irq_stack
do_interrupt_handler
...
To fix this fold del_timer_sync() into lpuart_dma_rx_free() after
dmaengine_terminate_sync() to make sure timer will not be re-started in
lpuart_copy_rx_to_tty() <= lpuart_dma_rx_complete().| Vendor | Product | Version |
|---|---|---|
| linux | linux_kernel | 3.18.9 ≤ 𝑥 < 3.19 |
| linux | linux_kernel | 3.19.1 ≤ 𝑥 < 5.10.177 |
| linux | linux_kernel | 5.11 ≤ 𝑥 < 5.15.105 |
| linux | linux_kernel | 5.16 ≤ 𝑥 < 6.1.23 |
| linux | linux_kernel | 6.2 ≤ 𝑥 < 6.2.8 |
| linux | linux_kernel | 6.3:rc1 |
| linux | linux_kernel | 6.3:rc2 |
𝑥
= Vulnerable software versions
Debian Releases
References