Linux Kernel NULL Pointer Dereference Vulnerability in DRM MSM Drivers

Vulnerability

A vulnerability in the Linux kernel's DRM MSM drivers can lead to a NULL pointer dereference and a kernel panic. The issue arises because the driver's .remove and .shutdown callbacks, both of which are supposed to shut the hardware down, are not consistent with each other. The .remove callback shuts the hardware down only if the DRM device is registered, a check that the .shutdown callback lacks. As a result, if the expected sub-device drivers fail to probe, the .shutdown callback may attempt to shut down a DRM device that was never initialized, leading to a NULL pointer dereference and a kernel panic.

Impact

Triggering this vulnerability causes a kernel panic, crashing the system and disrupting its operation.

Reproduction

The vulnerability can be reproduced by shutting down a system whose DRM device has not been fully initialized. This occurs when the drivers for expected sub-devices fail to load, so the initialization that normally precedes shutdown never happens. During shutdown the .shutdown callback is invoked and calls drm_atomic_helper_shutdown() on the uninitialized DRM device. That helper attempts to take mutexes that were never initialized, resulting in a NULL pointer dereference.
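The lifecycle described in the Vulnerability and Reproduction sections, as an added user-space model that is not the kernel's code: the structure names, the `registered` flag, the `mode_config_lock` field and the helper are simplified stand-ins chosen for this illustration, and the stand-in helper reports the fault as -1 rather than dereferencing NULL.

```c
#include <stdbool.h>
#include <stddef.h>
struct mutex { int locked; };        /* stand-in, not the kernel's definition */
struct drm_device {
    bool registered;                 /* true only when probe fully succeeded */
    struct mutex *mode_config_lock;  /* NULL until mode config is initialised */
};

/* Stand-in for drm_atomic_helper_shutdown(): the real helper takes mode-config
 * locks, which is where an uninitialised device faults. Here that is -1. */
static int atomic_helper_shutdown(struct drm_device *dev) {
    if (dev->mode_config_lock == NULL)
        return -1;                   /* the NULL pointer dereference path */
    dev->mode_config_lock->locked = 0; /* touch the lock as the helper would */
    return 0;
}

/* Probe: if sub-device drivers fail to bind, nothing gets initialised. */
static void probe(struct drm_device *dev, struct mutex *lock, bool subdevs_ok) {
    dev->registered = false;
    dev->mode_config_lock = NULL;
    if (!subdevs_ok)
        return;
    dev->mode_config_lock = lock;
    dev->registered = true;
}

/* .remove as the advisory describes it: acts only on a registered device. */
static int remove_cb(struct drm_device *dev) {
    return dev->registered ? atomic_helper_shutdown(dev) : 0;
}

/* Vulnerable .shutdown: no registration check, so the helper runs even when
 * probe never initialised the device. */
static int shutdown_vuln(struct drm_device *dev) {
    return atomic_helper_shutdown(dev);
}

/* Fixed .shutdown: the same guard .remove already uses. */
static int shutdown_fixed(struct drm_device *dev) {
    return dev->registered ? atomic_helper_shutdown(dev) : 0;
}

/* One lifecycle: probe, then the chosen callback. 0 = clean, -1 = fault. */
int lifecycle(bool subdevs_ok, int (*cb)(struct drm_device *)) {
    struct mutex lock = { 0 };
    struct drm_device dev;
    probe(&dev, &lock, subdevs_ok);
    return cb(&dev);
}
```

Only the combination of a failed probe and the unguarded .shutdown callback reaches the fault path; the guarded callbacks are no-ops on an unregistered device.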

Remediation

Update to a Linux kernel version in which this vulnerability has been addressed. Instructions for updating the kernel can be found in the official Linux documentation.

Added: Sep 15, 2025, 3:44 PM
Updated: Sep 15, 2025, 3:44 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.