Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A use-after-free vulnerability has been identified in the Iris driver, part of the Linux kernel's media subsystem. In versions prior to the latest patch, the 'stop_streaming' function does not properly check the state of the streaming instance. If the state is already 'IRIS_INST_ERROR', the function should skip the 'stream_off' operation so that no packets are sent to the firmware. Without that check, 'stop_streaming' can be called after 'iris_kill_session' has set the state to 'IRIS_INST_ERROR' and closed the session, and the driver crashes while attempting to free a packet that has already been processed.
Exploitation of this vulnerability causes a crash due to a use-after-free condition, where the driver attempts to access memory that has already been freed, potentially leading to undefined behavior or memory corruption.
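The state check described above, as an added example that is not the driver's code and not part of the original advisory: a simplified user-space C model that counts a stale packet use instead of performing one, so the pre-fix and guarded flows can be compared. Only `IRIS_INST_ERROR`, `stop_streaming`, `stream_off` and `iris_kill_session` are names from the page; the struct and its fields, `INST_STREAMING`, `stale_uses` and the `guarded` flag are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified user-space model, not driver code; INST_STREAMING is an assumed name. */
enum inst_state { INST_STREAMING, IRIS_INST_ERROR };
struct inst {
    enum inst_state state;
    unsigned char *pkt;   /* hypothetical packet buffer owned by the session */
    int stale_pkt_uses;   /* times stream_off ran against a released packet */
};

/* Error path: mark the instance failed and close the session. */
static void iris_kill_session(struct inst *i)
{
    i->state = IRIS_INST_ERROR;
    free(i->pkt);
    i->pkt = NULL;
}

/* Releases the packet; a stale use is counted instead of dereferenced. */
static void stream_off(struct inst *i)
{
    if (!i->pkt) { i->stale_pkt_uses++; return; }
    free(i->pkt);
    i->pkt = NULL;
}

/* guarded = 0 models the pre-fix flow, guarded = 1 the state check. */
static void stop_streaming(struct inst *i, int guarded)
{
    if (guarded && i->state == IRIS_INST_ERROR)
        return;           /* session already closed: skip stream_off */
    stream_off(i);
}

/* Runs kill-then-stop (kill = 1) or a plain stop; returns stale packet uses. */
static int stale_uses(int kill, int guarded)
{
    struct inst i = { INST_STREAMING, malloc(64), 0 };
    if (kill) iris_kill_session(&i);
    stop_streaming(&i, guarded);
    return i.stale_pkt_uses;
}

int main(void)
{
    printf("pre-fix: %d  guarded: %d\n", stale_uses(1, 0), stale_uses(1, 1));
    return 0;
}
```

In the model, the normal stop path still runs `stream_off` exactly as before; the guard only changes the path taken once the instance is already in the error state.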
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed. The specific commit that resolves this issue is 'ad699fa78b59241c9d71a8cafb51525f3dab04d4', which is included in the official Linux kernel Git repository.