Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A use-after-free vulnerability has been identified in the Linux kernel's GICv2M IRQ chip handling. When ACPI is enabled, the function gicv2m_get_fwnode() is registered as a callback with the PCI subsystem even though it is marked as initialization-only code. Because that code is freed after initialization, the callback points at freed memory by the time it is invoked during a PCI host bridge probe, which results in a kernel paging request error. The issue is reproducible on a Juno board with ACPI boot.
Exploitation of this vulnerability leads to a use-after-free condition, causing a kernel paging request error, which can disrupt normal system operations and potentially be exploited to execute arbitrary code in the kernel context.
To reproduce this vulnerability, boot a Juno board with ACPI enabled. During the PCI host bridge probe, the improperly registered callback gicv2m_get_fwnode() will be invoked, leading to a use-after-free condition and a kernel paging request error.
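The condition described above can be checked from a kernel's symbol map. The following is an added example, not code from the kernel or from this advisory: it reports whether a symbol lies between __init_begin and __init_end, the range released after boot. The System.map excerpt and its addresses are constructed, and the helper names map_lookup and in_init_memory are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed System.map excerpt; the addresses are made up for illustration. */
static const char *SAMPLE_MAP =
    "ffff800080010000 T _text\n"
    "ffff800080a3c1f0 t gicv2m_irq_domain_alloc\n"
    "ffff800081e00000 T __init_begin\n"
    "ffff800081e4b2a8 t gicv2m_get_fwnode\n"
    "ffff800082100000 T __init_end\n";

/* Find one symbol's address in System.map text. Returns 0 on success, -1 if absent. */
static int map_lookup(const char *map, const char *sym, unsigned long long *addr)
{
    const char *line = map;
    while (line && *line) {
        unsigned long long a;
        char type, name[128];
        if (sscanf(line, "%llx %c %127s", &a, &type, name) == 3 &&
            strcmp(name, sym) == 0) {
            *addr = a;
            return 0;
        }
        line = strchr(line, '\n');   /* advance to the next map line */
        if (line)
            line++;
    }
    return -1;
}

/* 1: symbol sits in init memory (freed after boot), 0: it does not,
 * -1: the symbol or the init bounds are missing from the map. */
static int in_init_memory(const char *map, const char *sym)
{
    unsigned long long lo, hi, a;
    if (map_lookup(map, "__init_begin", &lo) ||
        map_lookup(map, "__init_end", &hi) ||
        map_lookup(map, sym, &a))
        return -1;
    return a >= lo && a < hi;
}

int main(void)
{
    const char *syms[] = { "gicv2m_get_fwnode", "gicv2m_irq_domain_alloc" };
    for (size_t i = 0; i < 2; i++)
        printf("%-26s init-only: %d\n", syms[i], in_init_memory(SAMPLE_MAP, syms[i]));
    return 0;
}
```

A result of 1 for a function that is also registered as a runtime callback indicates the pattern this advisory describes.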