Linux Kernel DMA-Fence Use-After-Free Vulnerability in DRM/xe

A use-after-free vulnerability has been identified in the Linux kernel's DRM/xe component, specifically related to DMA-fences. When userspace closes a submit queue, the associated timeline name can be freed. If the fence was previously exported to a third party, such as through a sync_fence file descriptor, this can lead to a use-after-free condition when the fence is accessed again. The vulnerability arises because the driver did not comply with the newly established DMA-fence safe access rules, which require a Read-Copy-Update (RCU) grace period between signaling a fence and freeing any data it points to.

Impact

Exploitation of this vulnerability can lead to a use-after-free condition, which may be exploited to execute arbitrary code or cause a denial-of-service by crashing the system.

Reproduction

The vulnerability can be reproduced by exporting a DMA-fence to a third party while the associated submit queue is still open. Once the fence is accessed again after the submit queue has been closed, a use-after-free condition will occur.

Remediation

The vulnerability has been addressed by making the DRM/xe driver compliant with the DMA-fence safe access rules. Users should update to the latest version of the Linux kernel where this vulnerability has been fixed.