Linux · Linux Kernel · CVE-2021-47434
**Name of the Vulnerable Software and Affected Versions**
Linux kernel (affected versions not specified)
**Description**
The issue is command ring pointer corruption while aborting a command in the Linux kernel. The command ring pointer is located at bits [6:63] of the command ring control register (CRCR), and control bits such as command stop and abort are located at bits [0:3]. To abort a command, the driver reads the CRCR, sets the abort bit, and writes the result back to the CRCR. Because the 64-bit write is split into two 32-bit writes, the xHC command ring can stop before the upper dword (all zeros) is written, in which case the xHC updates its internal command ring pointer with all zeros. This results in memory access failures when the command ring is restarted. The fix is to write only the lower dword of the CRCR, where all control bits are located.
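The race described above, as an added example that is not kernel code and not part of the original advisory: a simplified C model of the controller in which the pointer field reads back as zeros, an abort stops the ring at once (the worst-case timing), and a pointer write is committed on the upper-dword write only while the ring is stopped. The struct, the function names and the sample pointer value are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of an xHC, not kernel code. Bit positions follow the
 * xHCI CRCR layout: control bits in [0:3], ring pointer in [6:63]. */
#define CMD_RING_ABORT   (1u << 2)
#define CMD_RING_RUNNING (1u << 3)

struct xhc_model {
    uint64_t ring_ptr;  /* controller's internal command ring pointer */
    uint32_t lo_latch;  /* low dword held until the high dword arrives */
    int running;        /* 1 while the command ring is running */
};

/* Reads return the pointer field as zeros; only control bits are visible. */
static uint64_t crcr_read(const struct xhc_model *x) {
    return x->running ? CMD_RING_RUNNING : 0;
}

static void crcr_write_lo(struct xhc_model *x, uint32_t v) {
    x->lo_latch = v;
    if (v & CMD_RING_ABORT)
        x->running = 0;  /* assumption: ring stops before the next write */
}

static void crcr_write_hi(struct xhc_model *x, uint32_t v) {
    if (!x->running)     /* pointer writes only take effect when stopped */
        x->ring_ptr = ((uint64_t)v << 32) | (x->lo_latch & ~0x3fu);
}

/* Before the fix: 64-bit read-modify-write issued as two 32-bit writes. */
static uint64_t abort_split_64(struct xhc_model *x) {
    uint64_t v = crcr_read(x) | CMD_RING_ABORT;
    crcr_write_lo(x, (uint32_t)v);
    crcr_write_hi(x, (uint32_t)(v >> 32)); /* all zeros, lands after stop */
    return x->ring_ptr;
}

/* After the fix: write only the low dword, where the control bits live. */
static uint64_t abort_low_dword(struct xhc_model *x) {
    crcr_write_lo(x, (uint32_t)crcr_read(x) | CMD_RING_ABORT);
    return x->ring_ptr;
}

int main(void) {
    struct xhc_model a = { 0x12345678c0ull, 0, 1 }, b = a; /* constructed */
    printf("split write: %#llx\n", (unsigned long long)abort_split_64(&a));
    printf("low dword:   %#llx\n", (unsigned long long)abort_low_dword(&b));
    return 0;
}
```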
**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.