Linux Kernel Atmel HLCDC DRM Component Use-After-Free Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's Atmel HLCDC DRM component. This issue arises in the 'atmel_hlcdc_plane_atomic_duplicate_state()' callback, which improperly duplicates the 'drm_plane_state', leaving the 'commit' pointer linked to an outdated state. Consequently, this can cause a use-after-free error during the subsequent 'drm_atomic_commit()' call. The vulnerability manifests when the device node is closed and reopened while another DRM client, such as fbdev, is still active.

Impact

Exploitation of this vulnerability leads to a use-after-free condition, which can potentially be exploited to execute arbitrary code or cause a denial-of-service by crashing the system.

Reproduction

The vulnerability can be reproduced by closing and reopening the device node while another DRM client, like fbdev, is still attached. This sequence of actions triggers the use-after-free condition during the 'drm_atomic_commit()' call.

Remediation

Users can apply the available patch to address this vulnerability. The patch is included in the official Linux kernel repository.