Fenghua Yu

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the unnecessary destruction of `file ida` in the Linux kernel, specifically in the `dmaengine` subsystem. This can lead to accessing an id in `file ida` after it has been destroyed, resulting in a kernel panic. The problem occurs because `ida free()` in `cdev` release may happen after the destruction of `file ida` per WQ `cdev`. **Recommendations** To address this issue, remove the `ida destroy(&file ida)` call to prevent unnecessary destruction of `file ida`. Update to a version of the Linux kernel that includes this fix, such as version 6.6.37 or later.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a use-after-free vulnerability in the Linux kernel's dmaengine subsystem, specifically in the idxd driver. When the driver is unloaded, any pending descriptors are flushed, which can trigger a "not present" page fault if the descriptors have already been freed. This is caused by the flow of functions: idxd dmaengine drv remove() -> drv disable wq() -> idxd wq free irq() -> idxd flush pending descs(). The address that triggers the fault is the address of the descriptor that was freed moments earlier via drv disable wq()->idxd wq free resources(). The fix involves freeing the descriptors after any possible usage, done after idxd wq reset() to ensure the memory remains accessible during possible completion writes by the device. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.