Linux Kernel Bulk Move Corruption Vulnerability in DRM/TTM Component

Vulnerability

A vulnerability in the Linux kernel's Direct Rendering Manager (DRM) and TTM (Translation Table Maps) subsystem can lead to a null pointer dereference. This issue arises when a resource that is first in the bulk move range is added again, moving it to the tail of the list. The operation corrupts the list because the first pointer is not updated, eventually causing a null pointer dereference in the 'ttm_lru_bulk_move_del' function.

Impact

Exploitation of this vulnerability leads to a null pointer dereference, causing a denial-of-service condition by crashing the system or application.

Reproduction

To reproduce this vulnerability, initiate a bulk move operation that includes a resource. Then, add the same resource again, which will move it to the tail of the bulk move range. This action will corrupt the bulk move list by not updating the first pointer, leading to a null pointer dereference when the 'ttm_lru_bulk_move_del' function is called.
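The list corruption described in the Vulnerability and Reproduction sections can be seen in a small user-space model. This is an added example, not the kernel's code or the upstream patch; the `res`, `range`, `range_move_tail` and `range_consistent` names are hypothetical, and the `fixed` flag switches between leaving the first pointer stale and advancing it before the move.

```c
#include <stdio.h>

/* User-space model only: names and layout are illustrative, not kernel code. */
struct res   { struct res *prev, *next; };
struct range { struct res *first, *last; };  /* bulk move range on the LRU */

static void list_del_entry(struct res *r) {
    r->prev->next = r->next;
    r->next->prev = r->prev;
}
static void list_add_after(struct res *r, struct res *pos) {
    r->next = pos->next; r->prev = pos;
    pos->next->prev = r; pos->next = r;
}

/* Re-adding a range member moves it to the tail of the range. */
static void range_move_tail(struct range *rg, struct res *r, int fixed) {
    if (rg->last == r)
        return;                   /* already at the tail */
    if (fixed && rg->first == r)
        rg->first = r->next;      /* corrected: first follows the new head */
    list_del_entry(r);
    list_add_after(r, rg->last);
    rg->last = r;
}

/* Invariant: n-1 links from first stay inside the range and end on last. */
static int range_consistent(const struct range *rg, const struct res *head, int n) {
    const struct res *p = rg->first;
    for (int i = 1; i < n; i++) {
        if (p == rg->last || p == head)
            return 0;
        p = p->next;
    }
    return p == rg->last;
}

/* Build head -> a -> b -> c with range [a, c], then re-add a. */
static int readd_first(int fixed) {
    struct res head, a, b, c;
    struct range rg = { &a, &c };
    head.prev = head.next = &head;
    list_add_after(&a, &head);
    list_add_after(&b, &a);
    list_add_after(&c, &b);
    range_move_tail(&rg, &a, fixed);
    return range_consistent(&rg, &head, 3);
}

int main(void) { printf("unfixed=%d fixed=%d\n", readd_first(0), readd_first(1)); return 0; }
```

In the unfixed case the range ends with first and last both pointing at the moved entry, so the two remaining members are no longer covered by the range bookkeeping that later removal relies on.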

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for upgrading the Linux kernel can be found in the official Linux kernel documentation.

Added: Sep 18, 2025, 4:37 PM
Updated: Sep 18, 2025, 4:37 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.