Linux · Linux Kernel · CVE-2024-45828
Name of the Vulnerable Software and Affected Versions:
Linux kernel versions prior to 6.6.74
Description:
A race condition in the Linux kernel's `mipi-i3c-hci` driver has been resolved. The bus cleanup path in DMA mode may trigger a RING_OP_STAT interrupt while the ring is being stopped. Depending on the timing between completion of the ring stop request, removal of the interrupt handler, and execution of the cleanup code, `hci_dma_irq_handler()` can run after `hci_dma_cleanup()` has already set the `io_data` pointer to NULL, causing a NULL pointer dereference. The fix prevents this by masking the ring interrupts before issuing the ring stop request.
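The following is an added example, not code from the kernel driver or from this advisory, that models the ordering problem described above. The `struct ring`, its `irq_masked` and `stopped` flags, and the `ring_irq_handler`, `cleanup_vulnerable`, `cleanup_fixed` and `run_cleanup` functions are all constructed for illustration; only the `io_data` name comes from the advisory. The handler reports a NULL `io_data` as -1 rather than crashing so that the two cleanup orderings can be compared.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of one DMA ring. The io_data name mirrors the advisory;
 * the mask/stop flags stand in for the ring's interrupt-enable and control
 * registers. This is not the kernel driver's own code. */
struct xfer_bookkeeping { int pending; };

struct ring {
    bool irq_masked;                  /* ring interrupts masked (enable bits cleared) */
    bool stopped;                     /* ring stop request issued */
    struct xfer_bookkeeping *io_data; /* per-ring bookkeeping, set to NULL by cleanup */
};

/* Model of the ring interrupt handler. A masked interrupt never reaches it.
 * Real code would dereference io_data unconditionally; here a NULL io_data is
 * reported as -1 instead of crashing so the sequence can be checked. */
static int ring_irq_handler(struct ring *r)
{
    if (r->irq_masked)
        return 0;
    if (r->io_data == NULL)
        return -1;                    /* the NULL pointer dereference from the advisory */
    return r->io_data->pending;
}

/* Vulnerable ordering: stop the ring and drop io_data while the ring's
 * interrupt is still enabled, so a late RING_OP_STAT can land in between. */
static int cleanup_vulnerable(struct ring *r, bool late_irq)
{
    r->stopped = true;                /* ring stop request */
    r->io_data = NULL;
    int rc = late_irq ? ring_irq_handler(r) : 0;
    r->irq_masked = true;             /* masking comes too late to help */
    return rc;
}

/* Fixed ordering: mask the ring interrupts first, then stop the ring and drop
 * io_data. A late interrupt is now discarded at the mask. */
static int cleanup_fixed(struct ring *r, bool late_irq)
{
    r->irq_masked = true;
    r->stopped = true;
    r->io_data = NULL;
    return late_irq ? ring_irq_handler(r) : 0;
}

/* Runs one cleanup variant on a fresh ring holding one pending transfer.
 * Returns 0 when cleanup is safe, -1 when the handler hit a NULL io_data. */
static int run_cleanup(int (*cleanup)(struct ring *, bool), bool late_irq)
{
    struct xfer_bookkeeping xfer = { .pending = 1 };
    struct ring r = { .irq_masked = false, .stopped = false, .io_data = &xfer };
    return cleanup(&r, late_irq);
}

int main(void)
{
    printf("vulnerable order, late irq: %d\n", run_cleanup(cleanup_vulnerable, true));
    printf("fixed order, late irq:      %d\n", run_cleanup(cleanup_fixed, true));
    return 0;
}
```

The model reduces the fix to its invariant: any state the interrupt handler reads must not be torn down until the interrupt that reads it can no longer be delivered. Masking before the stop request establishes that ordering; masking afterwards leaves a window in which the handler observes a NULL pointer.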
Recommendations:
For Linux kernel versions prior to 6.6.74, update to version 6.6.74 or later to resolve the issue. As a temporary workaround, consider disabling the `hci_dma_irq_handler()` function until a patch is available. Restrict access to the vulnerable `mipi-i3c-hci` module to minimize the risk of exploitation. Avoid using the `io_data` pointer in the affected `hci_dma_cleanup()` function until the issue is resolved.