Linux Kernel DRM MSM GEM Free Vulnerability in Imported DMA-Bufs

A vulnerability has been identified in the Linux kernel's DRM MSM (Direct Rendering Manager Mobile Subsystem) component, specifically related to the handling of imported DMA-buffers (Direct Memory Access buffers). The issue arises because these imported DMA-bufs can have a reservation object that does not point to the expected shared reservation, leading to potential reference count errors. This vulnerability was highlighted by a warning during IRIS video playback, indicating a problem in the gem object free routine. The vulnerability affects several versions of the Linux kernel, including 6.17.0-rc7.

Impact

The vulnerability can lead to a reference count underflow, which may cause memory management issues or allow for the use-after-free conditions, potentially leading to arbitrary code execution.

Reproduction

The vulnerability can be reproduced by playing video with the IRIS renderer, which triggers the warning about the gem object free process. This indicates that the vulnerability related to the handling of imported DMA-bufs in the DRM MSM component has been activated.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed. The specific commit that resolves the issue is available in the Linux kernel stable tree.