Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A use-after-free vulnerability has been identified in the Tegra ADMA driver of the Linux kernel. This issue arises when audio streams are terminated, especially during XRUN conditions. The vulnerability occurs because the DMA buffer is deallocated by the function 'tegra_adma_terminate_all()' before the virtual channel completion tasklet has finished using it. This creates a race condition where the tasklet attempts to access memory that has already been freed, leading to potential memory corruption or crashes.
Exploitation of this vulnerability causes a use-after-free condition, where a tasklet accesses memory that has been freed, potentially leading to memory corruption or a crash.
To reproduce this vulnerability, initiate a DMA transfer using the Tegra ADMA driver. Once the transfer is complete, an interrupt will trigger the scheduling of a completion tasklet. Before this tasklet has a chance to execute, stop the audio playback, which will call 'tegra_adma_terminate_all()' to free the DMA buffer. When the tasklet finally runs, it will attempt to access the already-freed memory, demonstrating the use-after-free vulnerability.
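The ordering described above, replayed in a small user-space C model. This is an added illustration, not code from the kernel driver or from its fix. All names are hypothetical, and the drain-before-release ordering shown is the general remedy for this class of race, assumed here rather than taken from the upstream patch.

```c
#include <stdbool.h>

/* User-space model of the ordering; all names are hypothetical, not the driver's.
 * Release clears `live` so a stale access is counted, not actually performed. */
struct desc { bool live; int periods_done; };

struct chan {
    struct desc *desc;     /* DMA descriptor the completion work will touch */
    bool tasklet_pending;  /* set by the interrupt, cleared when the work runs */
    int stale_accesses;    /* completion work that ran after release */
};

/* Interrupt: transfer finished, completion work is scheduled but not yet run. */
static void irq_transfer_done(struct chan *c) { c->tasklet_pending = true; }

/* Deferred completion work: reads and updates the descriptor. */
static void run_tasklet(struct chan *c)
{
    if (!c->tasklet_pending)
        return;
    c->tasklet_pending = false;
    if (!c->desc->live)
        c->stale_accesses++;        /* in the kernel: use-after-free */
    else
        c->desc->periods_done++;
}

/* Flawed ordering: release while completion work is still queued. */
static void terminate_unsafe(struct chan *c) { c->desc->live = false; }

/* Safe ordering (assumed remedy): drain the queued work, then release. */
static void terminate_synced(struct chan *c)
{
    run_tasklet(c);                 /* wait for pending completion work */
    c->desc->live = false;
}

/* Replays interrupt -> stop -> deferred work; returns the stale access count. */
int simulate(bool synced)
{
    struct desc d = { .live = true, .periods_done = 0 };
    struct chan c = { .desc = &d, .tasklet_pending = false, .stale_accesses = 0 };
    irq_transfer_done(&c);
    if (synced) terminate_synced(&c); else terminate_unsafe(&c);
    run_tasklet(&c);                /* scheduler finally runs the tasklet */
    return c.stale_accesses;
}

int main(void) { return !(simulate(false) == 1 && simulate(true) == 0); }
```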
The vulnerability has been fixed in the Linux kernel. Users should upgrade to the latest version where this issue has been addressed.