In the Linux kernel, the following vulnerability has been resolved:
pds_core: Prevent race issues involving the adminq
There are multiple paths that can result in using the pdsc's adminq.
[1] pdscadminqisr and the resulting work from queuework(), i.e. pdscworkthread()->pdscprocess_adminq()
[2] pdscadminqpost()
When the device goes through reset via PCIe reset and/or a fwdown/fwup cycle due to bad PCIe state or bad device state the adminq is destroyed and recreated.
A NULL pointer dereference can happen if [1] or [2] happens after the adminq is already destroyed.
In order to fix this, add some further state checks and implement reference counting for adminq uses. Reference counting was used because multiple threads can attempt to access the adminq at the same time via [1] or [2]. Additionally, multiple clients (i.e. pds-vfio-pci) can be using [2] at the same time.
The adminqrefcnt is initialized to 1 when the adminq has been allocated and is ready to use. Users/clients of the adminq (i.e. [1] and [2]) will increment the refcnt when they are using the adminq. When the driver goes into a fwdown cycle it will set the PDSCSFWDEAD bit and then wait for the adminqrefcnt to hit 1. Setting the PDSCSFWDEAD before waiting will prevent any further adminqrefcnt increments. Waiting for the adminqrefcnt to hit 1 allows for any current users of the adminq to finish before the driver frees the adminq. Once the adminqrefcnt hits 1 the driver clears the refcnt to signify that the adminq is deleted and cannot be used. On the fwup cycle the driver will once again initialize the adminqrefcnt to 1 allowing the adminq to be used again.