HIGH
i3c DmaRing Race
CVE-2026-43353
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI 4.8 MEDIUM
01 Description
In the Linux kernel, the following vulnerability has been resolved:

i3c: mipi-i3c-hci: Fix race in DMA ring dequeue

The HCI DMA dequeue path (hci_dma_dequeue_xfer()) may be invoked for multiple transfers that timeout around the same time. However, the function is not serialized and can race with itself.

When a timeout occurs, hci_dma_dequeue_xfer() stops the ring, processes incomplete transfers, and then restarts the ring. If another timeout triggers a parallel call into the same function, the two instances may interfere with each other - stopping or restarting the ring at unexpected times.

Add a mutex so that hci_dma_dequeue_xfer() is serialized with respect to itself.
02 KernelScan AI Analysis
Risk summary
Systems with I3C hardware are vulnerable to a race condition in DMA ring management that can cause system instability. The vulnerability requires physical access to I3C devices and precise timing to trigger simultaneous transfer timeouts. Impact includes potential kernel panic or I3C transfer corruption.
Vulnerability analysis
The hci_dma_dequeue_xfer() function lacks proper serialization when handling concurrent timeout scenarios. Multiple instances can race while stopping/restarting the DMA ring, leading to inconsistent hardware state. The fix adds a mutex to serialize ring control operations, preventing interference between concurrent timeout handlers. Attack surface is limited to systems with physical I3C hardware access.
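The stop / process / restart sequence described above can be replayed as a deterministic, single-threaded model. This is an added example, not the driver's code: the types, `run_step()`, `count_violations()` and the interleaving are all constructed for illustration, and the `lock_owner` field only stands in for the mutex the fix adds.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model, not kernel code: a timeout handler runs three steps. */
enum step { STOP_RING, PROCESS_XFERS, RESTART_RING, DONE };

struct ring {
    bool running;     /* modelled ring state */
    int  lock_owner;  /* -1 = free; stands in for the added mutex */
    int  violations;  /* transfers processed while the ring was running */
};

struct handler { int id; enum step next; };

/* Advance one handler by one step; false means it is blocked on the lock. */
static bool run_step(struct ring *r, struct handler *h, bool serialized)
{
    if (h->next == DONE)
        return true;
    if (serialized && r->lock_owner != h->id) {
        if (r->lock_owner != -1)
            return false;        /* other handler holds the lock */
        r->lock_owner = h->id;   /* lock taken before touching the ring */
    }
    if (h->next == STOP_RING)
        r->running = false;
    else if (h->next == PROCESS_XFERS && r->running)
        r->violations++;         /* ring was restarted under this handler */
    else if (h->next == RESTART_RING) {
        r->running = true;
        if (serialized)
            r->lock_owner = -1;  /* lock released after restart */
    }
    h->next = (enum step)(h->next + 1);
    return true;
}

/* Constructed interleaving: B stops the ring right after A, A finishes first.
 * The trailing extra turn lets a handler that was blocked once still finish. */
int count_violations(bool serialized)
{
    static const int order[] = { 0, 1, 0, 0, 1, 1, 1 };
    struct ring r = { true, -1, 0 };
    struct handler h[2] = { { 0, STOP_RING }, { 1, STOP_RING } };
    for (size_t i = 0; i < sizeof order / sizeof order[0]; i++)
        run_step(&r, &h[order[i]], serialized);
    return r.violations;
}
```

Without serialization the second handler processes its transfers after the first has already restarted the ring; with the lock held across all three steps the same schedule produces no such overlap.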
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.18 | 6.18.19 | b684b420a5bb |
| 6.19 | 6.19.9 | 4faa1e9c67a2 |
| mainline | 7.0 | 1dca8aee80ee |