Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A use-after-free vulnerability has been identified in the Tegra video driver in the Linux kernel's media staging area. The issue arises during initialization of the CSI (Camera Serial Interface) channels: a pointer to a device node is saved without taking a reference on it, so the node can be freed while the saved pointer is still in use, which can lead to undefined behavior or exploitation.
The use-after-free condition may be exploited to execute arbitrary code or to cause a denial of service by crashing the system.
To reproduce this vulnerability, load a Tegra video driver that interacts with CSI channels. During the channel allocation process, the driver saves a pointer to the channel's device node without incrementing the reference count. This oversight allows the node to be freed while still referenced, creating a use-after-free condition when the channel is later initialized.
The vulnerability has been addressed by modifying the channel allocation process to properly manage the reference count of the device node, ensuring it is not freed while still in use.
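The bug class and its fix, modelled in userspace C as an added example (this is not the kernel patch or the driver's code). `struct node`, `node_get`/`node_put` and the `chan_*` functions are hypothetical stand-ins for a device node, the kernel's `of_node_get()`/`of_node_put()` and the channel allocation path; the node is flagged as released instead of being freed, so the stale access can be observed safely.

```c
#include <stdbool.h>
#include <stddef.h>

/* Userspace stand-in for a reference-counted device node (constructed). */
struct node { int refs; bool released; };

static struct node *node_get(struct node *n) { if (n) n->refs++; return n; }

static void node_put(struct node *n)
{
    if (n && --n->refs == 0)
        n->released = true; /* a real implementation frees the node here */
}

struct channel { struct node *of_node; };

/* "Before": saves the borrowed pointer without taking a reference. */
static void chan_alloc_unsafe(struct channel *c, struct node *n) { c->of_node = n; }

/* "After": the saved pointer holds its own reference. */
static void chan_alloc_safe(struct channel *c, struct node *n) { c->of_node = node_get(n); }

/* Teardown for the safe variant: drop the reference taken at allocation. */
static void chan_free_safe(struct channel *c) { node_put(c->of_node); c->of_node = NULL; }

/* Allocate a channel, let the caller drop its reference, then report
 * whether the node is still alive when the channel is initialized. */
static bool node_alive_at_init(bool safe)
{
    struct node n = { .refs = 1, .released = false }; /* caller's reference */
    struct channel c = { NULL };

    if (safe) chan_alloc_safe(&c, &n); else chan_alloc_unsafe(&c, &n);
    node_put(&n);                /* caller is done with the node */
    return !c.of_node->released; /* what channel init would find */
}

/* The fix must not leak: after teardown the last reference is gone. */
static bool safe_path_releases_node(void)
{
    struct node n = { .refs = 1, .released = false };
    struct channel c = { NULL };

    chan_alloc_safe(&c, &n);
    node_put(&n);
    chan_free_safe(&c);
    return n.released;
}

int main(void) { return (node_alive_at_init(true) && !node_alive_at_init(false) && safe_path_releases_node()) ? 0 : 1; }
```

When reviewing similar drivers, the thing to look for is any stored node pointer that outlives the scope that obtained it without a matching get at save time and put at teardown.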