Linux Kernel Buffer Object Release Vulnerability in DRM XE GUC Component

Vulnerability

A vulnerability exists in the Linux kernel's handling of buffer objects within the DRM XE GUC subsystem. When a buffer object is allocated with the XE_BO_FLAG_GGTT_INVALIDATE flag, the driver sends TLB invalidation requests through the CTB mechanism during the buffer's release. If the CTB buffer object itself is released too early, those requests are still in flight when its memory is deallocated: a use-after-free, where the CTB buffer object is freed before the outstanding TLB invalidation requests have completed, which leads to a kernel oops and potential system instability.

Impact

The vulnerability can cause system crashes by creating a use-after-free condition, where a buffer object is accessed after it has been deallocated, leading to memory corruption and instability.

Reproduction

The vulnerability can be reproduced by allocating a buffer object with the XE_BO_FLAG_GGTT_INVALIDATE flag and then prematurely releasing it before the TLB invalidation requests are fully processed. This can be done by manipulating the timing of the buffer object's lifecycle in the DRM XE GUC component, particularly during the initialization and post-configuration stages.

Remediation

The vulnerability has been addressed by introducing a managed release action that ensures proper CTB deactivation before deallocating resources. Users should update to the latest version of the Linux kernel where this fix has been applied.
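The ordering problem behind the fix is easier to see in a small model. The program below is an added illustration, not the xe driver's code or the kernel's own API: a constructed `managed_ctx` stands in for the DRM-managed cleanup hooks, which run in reverse registration order, and `ctb`, `ctb_deactivate`, `ctb_bo_free` and `run_teardown` are hypothetical names chosen for the example. Registering the CTB deactivation as a managed action at the later (post-config) stage means it runs before the buffer object's release action registered at init, so no invalidation request is still pending when the backing memory goes away; the model records a freed-while-in-use event instead of corrupting memory.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the "managed release action" pattern (added
 * example, not xe driver code). Hooks run LIFO: last registered, first run. */

#define MAX_ACTIONS 8
#define MAX_LOG 16

struct ctb {
    bool active;     /* CTB still accepts TLB invalidation requests */
    int pending;     /* requests sent whose acknowledgement is outstanding */
    bool bo_freed;   /* backing buffer object has been released */
};

struct managed_ctx;
typedef void (*release_fn)(struct managed_ctx *ctx, struct ctb *ctb);

struct managed_ctx {
    release_fn fn[MAX_ACTIONS];
    struct ctb *arg[MAX_ACTIONS];
    int n;
    char log[MAX_LOG];   /* teardown order: 'D' deactivate, 'F' free */
    int loglen;
    bool uaf;            /* buffer object freed while the CTB was still in use */
};

static void log_event(struct managed_ctx *ctx, char ev)
{
    if (ctx->loglen < MAX_LOG - 1) {
        ctx->log[ctx->loglen++] = ev;
        ctx->log[ctx->loglen] = '\0';
    }
}

/* Register a cleanup hook; hooks run in reverse order at teardown. */
static int managed_add_action(struct managed_ctx *ctx, release_fn fn, struct ctb *ctb)
{
    if (ctx->n >= MAX_ACTIONS)
        return -1;
    ctx->fn[ctx->n] = fn;
    ctx->arg[ctx->n] = ctb;
    ctx->n++;
    return 0;
}

static void managed_release_all(struct managed_ctx *ctx)
{
    for (int i = ctx->n - 1; i >= 0; i--)
        ctx->fn[i](ctx, ctx->arg[i]);
    ctx->n = 0;
}

/* Issue a TLB invalidation through the CTB; refused once the CTB is gone. */
static int ctb_send_invalidation(struct ctb *ctb)
{
    if (!ctb->active || ctb->bo_freed)
        return -1;
    ctb->pending++;
    return 0;
}

/* Stop accepting requests and wait for outstanding ones (modelled as a drain). */
static void ctb_deactivate(struct managed_ctx *ctx, struct ctb *ctb)
{
    ctb->pending = 0;
    ctb->active = false;
    log_event(ctx, 'D');
}

/* Release the backing buffer object. Doing so while the CTB is active or
 * has requests in flight is the use-after-free; the model just records it. */
static void ctb_bo_free(struct managed_ctx *ctx, struct ctb *ctb)
{
    if (ctb->active || ctb->pending > 0)
        ctx->uaf = true;
    ctb->bo_freed = true;
    log_event(ctx, 'F');
}

/* Init, post-config and teardown. With managed_deactivate set, the deactivate
 * hook is registered after the free hook, so LIFO ordering runs it first.
 * Returns true when teardown finished without a freed-while-in-use event. */
static bool run_teardown(bool managed_deactivate, char *order_out, size_t order_len)
{
    struct managed_ctx ctx = {0};
    struct ctb ctb = { .active = true };

    managed_add_action(&ctx, ctb_bo_free, &ctb);          /* init stage */
    if (managed_deactivate)
        managed_add_action(&ctx, ctb_deactivate, &ctb);   /* post-config stage */

    ctb_send_invalidation(&ctb);   /* a GGTT_INVALIDATE-flagged release in progress */
    managed_release_all(&ctx);

    if (order_out && order_len > 0) {
        strncpy(order_out, ctx.log, order_len - 1);
        order_out[order_len - 1] = '\0';
    }
    return !ctx.uaf;
}

/* Does the recorded teardown order for this configuration match expected? */
static int teardown_order_is(bool managed_deactivate, const char *expected)
{
    char order[MAX_LOG];
    run_teardown(managed_deactivate, order, sizeof order);
    return strcmp(order, expected) == 0;
}

int main(void)
{
    char order[MAX_LOG];
    bool ok = run_teardown(false, order, sizeof order);
    printf("without managed deactivate: order=%s safe=%s\n", order, ok ? "yes" : "no");
    ok = run_teardown(true, order, sizeof order);
    printf("with managed deactivate:    order=%s safe=%s\n", order, ok ? "yes" : "no");
    return 0;
}
```

Without the managed deactivation the only hook is the free, which runs with a request still pending and trips the freed-while-in-use check; with it, the order is deactivate then free and the check stays clean.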

Added: Dec 16, 2025, 4:46 PM
Updated: Dec 16, 2025, 4:46 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 1.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.