HIGH
i3c DmaRing Race
CVE-2026-43352
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI: 4.7 MEDIUM
01 Description
In the Linux kernel, the following vulnerability has been resolved:

i3c: mipi-i3c-hci: Correct RING_CTRL_ABORT handling in DMA dequeue

The logic used to abort the DMA ring contains several flaws:

1. The driver unconditionally issues a ring abort even when the ring has already stopped.
2. The completion used to wait for abort completion is never re-initialized, resulting in incorrect wait behavior.
3. The abort sequence unintentionally clears RING_CTRL_ENABLE, which resets hardware ring pointers and disrupts the controller state.
4. If the ring is already stopped, the abort operation should be considered successful without attempting further action.

Fix the abort handling by checking whether the ring is running before issuing an abort, re-initializing the completion when needed, ensuring that RING_CTRL_ENABLE remains asserted during abort, and treating an already stopped ring as a successful condition.
02 KernelScan AI Analysis
Risk summary
Systems with I3C hardware using the MIPI I3C HCI driver are vulnerable to race conditions in DMA ring abort handling that can cause hardware state corruption and system instability. The vulnerability requires root privileges and physical I3C hardware to exploit.
Vulnerability analysis
The vulnerability stems from improper synchronization in the DMA ring abort sequence within the MIPI I3C HCI driver. The original code unconditionally issued ring aborts without checking hardware state, failed to reinitialize completion objects leading to incorrect wait behavior, and inadvertently cleared the RING_CTRL_ENABLE bit which reset hardware pointers. This creates race conditions between software state management and hardware operations that can corrupt the DMA ring state and cause system instability. The fix adds proper state checking, completion reinitialization, and preserves critical control bits during abort operations.
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.18 | 6.18.19 | 003df94bcc92 |
| 6.19 | 6.19.9 | 5549611888f5 |
| mainline | 7.0 | b795e68bf307 |