Reinette Chatre

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A vulnerability exists in the Linux kernel where the eventfd for INTx signaling can be deconfigured, which unregisters the IRQ handler but still allows eventfds to be signaled with a NULL context through the SET IRQS ioctl or through unmask irqfd if the device interrupt is pending. This issue can be solved with additional locking, but the current solution moves configuration of the INTx interrupt handler to track the lifetime of the INTx context object and irq type configuration. Synchronization is added between the ioctl path and eventfd signal() wrapper to dynamically update the eventfd trigger relative to in-flight interrupts or irqfd callbacks. The vulnerability may allow an attacker to cause a denial of service (DoS). **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a synchronization problem in the Linux kernel's vfio component, which can cause a race condition between interrupt configuration changes via ioctl and mask operations through config space changes to DisINTx. This can lead to an interruption configuration change when DisINTx is cleared from config space. The problem is resolved by creating wrappers that add locking for paths outside of the core interrupt code, ensuring that irq type is updated while holding igate, and testing is intx() requires holding igate. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the workqueue enabling process in the Linux kernel. When the driver is removed, it assumes that the workqueue was enabled successfully and attempts to free allocations made during workqueue enabling. However, if the workqueue enabling fails, the driver can still be loaded, and this can lead to problematic flows. For example, if `idxd wq request irq()` fails, `idxd wq unmap portal()` is called on the error exit path, but `drv enable wq()` returns 0 because `idxd wq disable()` succeeds. This allows the driver to be loaded successfully, but it can trigger a WARN in `devm iounmap()` when the driver is unloaded. Another example is when `idxd wq request irq()` fails, and `idxd wq init percpu ref()` is never called to initialize the percpu counter, yet the driver loads successfully because `drv enable wq()` returns 0. This can trigger a BUG when attempting to drop the initial ref of the uninitialized percpu ref. The fix involves returning the original error that indicates failure of workqueue enabling in the `drv enable wq()` error path. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a use-after-free vulnerability in the Linux kernel's dmaengine subsystem, specifically in the idxd driver. When the driver is unloaded, any pending descriptors are flushed, which can trigger a "not present" page fault if the descriptors have already been freed. This is caused by the flow of functions: idxd dmaengine drv remove() -> drv disable wq() -> idxd wq free irq() -> idxd flush pending descs(). The address that triggers the fault is the address of the descriptor that was freed moments earlier via drv disable wq()->idxd wq free resources(). The fix involves freeing the descriptors after any possible usage, done after idxd wq reset() to ensure the memory remains accessible during possible completion writes by the device. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.