Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability in the Linux kernel's Panthor GPU driver can cause a kernel panic due to a NULL pointer dereference. The issue arises when userspace partially unmaps a GPU virtual address region, an operation the VM_BIND interface allows. The Panthor driver pre-allocates memory for mapping and unmapping operations and expects an unmap to need only one virtual address. However, a partial unmap can require two addresses, leading to the NULL pointer dereference and subsequent kernel panic. The vulnerability has been addressed in a recent commit.
Exploitation of this vulnerability causes a kernel panic, disrupting system operations and potentially leading to a denial of service.
To reproduce this vulnerability, use the Panthor GPU driver and initiate a partial unmap of a GPU virtual address region using the VM_BIND interface. This can be done by unmapping a buffer object that spans multiple virtual address entries, ensuring that the unmap operation requires a remap with both previous and next virtual addresses.
The vulnerability has been fixed in the Linux kernel. Users can apply the latest patches available in the Linux stable tree to address this issue.
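The pre-allocation mismatch described above, as an added userspace C model (not the Panthor driver's code and not the upstream fix). All names are hypothetical and the address ranges are constructed; it shows why a reservation sized for one object fails when a hole is cut from the middle of a mapping, and how sizing for two plus checking the allocation result turns the NULL dereference into an error return.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified model; every name here is hypothetical, not taken from Panthor. */
struct va_range { uint64_t start, end; };      /* half-open [start, end) */

struct vma_pool {            /* objects reserved before the operation runs */
    struct va_range slots[2];
    size_t reserved, used;
};

/* Returns NULL once the reservation is exhausted (an empty prealloc list). */
struct va_range *pool_take(struct vma_pool *p)
{
    return p->used < p->reserved ? &p->slots[p->used++] : NULL;
}

/* Remainder mappings left when `unmap` (assumed to lie inside `map`) is cut
 * out: 0 = full unmap, 1 = one edge trimmed, 2 = hole in the middle. */
size_t remainders_needed(struct va_range map, struct va_range unmap)
{
    return (size_t)(unmap.start > map.start) + (size_t)(unmap.end < map.end);
}

/* Remap step: returns the number of remainders created, or -1 if the pool
 * ran dry. Without the NULL checks the writes below would dereference NULL. */
int remap_after_unmap(struct vma_pool *p, struct va_range map,
                      struct va_range unmap)
{
    int made = 0;
    if (unmap.start > map.start) {             /* "prev" remainder */
        struct va_range *prev = pool_take(p);
        if (!prev) return -1;
        *prev = (struct va_range){ map.start, unmap.start };
        made++;
    }
    if (unmap.end < map.end) {                 /* "next" remainder */
        struct va_range *next = pool_take(p);
        if (!next) return -1;
        *next = (struct va_range){ unmap.end, map.end };
        made++;
    }
    return made;
}

/* Constructed sample: 64 KiB mapping with the middle 16 KiB unmapped. */
int demo(size_t reserved)
{
    struct vma_pool pool = { .reserved = reserved };
    struct va_range map = { 0x10000, 0x20000 }, hole = { 0x14000, 0x18000 };
    return remap_after_unmap(&pool, map, hole);
}
```

`demo(1)` models the undersized reservation and `demo(2)` the worst-case sizing.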