CVE-2024-26787 in Linux
Summary
by MITRE • 04/04/2024
In the Linux kernel, the following vulnerability has been resolved:
mmc: mmci: stm32: fix DMA API overlapping mappings warning
Turning on CONFIG_DMA_API_DEBUG_SG results in the following warning:
DMA-API: mmci-pl18x 48220000.mmc: cacheline tracking EEXIST, overlapping mappings aren't supported WARNING: CPU: 1 PID: 51 at kernel/dma/debug.c:568 add_dma_entry+0x234/0x2f4 Modules linked in: CPU: 1 PID: 51 Comm: kworker/1:2 Not tainted 6.1.28 #1 Hardware name: STMicroelectronics STM32MP257F-EV1 Evaluation Board (DT) Workqueue: events_freezable mmc_rescan Call trace: add_dma_entry+0x234/0x2f4 debug_dma_map_sg+0x198/0x350 __dma_map_sg_attrs+0xa0/0x110 dma_map_sg_attrs+0x10/0x2c sdmmc_idma_prep_data+0x80/0xc0 mmci_prep_data+0x38/0x84 mmci_start_data+0x108/0x2dc mmci_request+0xe4/0x190 __mmc_start_request+0x68/0x140 mmc_start_request+0x94/0xc0 mmc_wait_for_req+0x70/0x100 mmc_send_tuning+0x108/0x1ac sdmmc_execute_tuning+0x14c/0x210 mmc_execute_tuning+0x48/0xec mmc_sd_init_uhs_card.part.0+0x208/0x464 mmc_sd_init_card+0x318/0x89c mmc_attach_sd+0xe4/0x180 mmc_rescan+0x244/0x320
DMA API debug brings to light leaking dma-mappings as dma_map_sg and dma_unmap_sg are not correctly balanced.
If an error occurs in mmci_cmd_irq function, only mmci_dma_error function is called and as this API is not managed on stm32 variant, dma_unmap_sg is never called in this error path.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 08/04/2025
The vulnerability identified as CVE-2024-26787 affects the Linux kernel's multimedia card interface driver specifically within the stm32 variant of the mmci-pl18x controller. This issue manifests when the DMA API debugging feature is enabled through the CONFIG_DMA_API_DEBUG_SG kernel configuration option, triggering a warning message that indicates overlapping DMA mappings are not supported. The warning originates from the kernel's DMA debugging subsystem and points to the mmci-pl18x driver as the source of the problem, specifically highlighting that cache line tracking has encountered an EEXIST error, which indicates a duplicate mapping attempt.
The technical flaw stems from an imbalance in the DMA mapping operations within the driver's error handling path. When the mmci_cmd_irq function encounters an error condition, it invokes the mmci_dma_error function to handle the error, but this error handling routine does not properly invoke the corresponding dma_unmap_sg function call. This creates a scenario where DMA mappings are established through dma_map_sg but never properly released through dma_unmap_sg, leading to what is known as a DMA mapping leak. The issue is particularly significant because it affects the stm32 variant of the mmci driver, which is used in specific hardware platforms such as the STMicroelectronics STM32MP257F-EV1 Evaluation Board, making it a platform-specific concern rather than a generic kernel issue.
The operational impact of this vulnerability extends beyond simple warning messages, as it represents a potential resource leak that could degrade system performance over time. The DMA mapping leak occurs when error paths in the driver's command processing are executed, particularly during tuning operations that involve SDMMC controllers. This behavior can lead to exhaustion of DMA mapping resources, potentially causing system instability or failure to properly handle subsequent DMA operations. The vulnerability affects the reliability of the multimedia card subsystem and could impact storage operations on devices using the affected hardware platform, particularly those relying on the STM32 series processors for embedded multimedia card interfaces.
The fix for this vulnerability involves ensuring proper balancing of DMA mapping operations by modifying the error handling path in the mmci driver to correctly invoke dma_unmap_sg when errors occur during command processing. This aligns with the established principle in kernel development that every dma_map_sg operation must have a corresponding dma_unmap_sg operation, regardless of whether the operation succeeds or fails. The solution addresses the root cause by ensuring that the DMA debugging subsystem properly tracks these mappings and prevents the accumulation of leaked mappings that could eventually lead to resource exhaustion. This fix demonstrates the importance of proper resource management in kernel drivers and the potential consequences of improper error handling in critical system components, particularly those involving DMA operations that are fundamental to device I/O functionality.
This vulnerability relates to CWE-121, which covers buffer overflow conditions in kernel space, and represents a resource leak scenario that could potentially lead to denial of service conditions. The ATT&CK framework would categorize this under privilege escalation through kernel vulnerabilities, as improper DMA handling could be exploited to gain elevated privileges or cause system instability. The fix ensures proper adherence to the kernel's DMA API usage patterns and maintains the integrity of the kernel's memory management subsystem, particularly concerning the DMA debugging infrastructure that is designed to detect such resource management issues during development and testing phases.