Linux Kernel Amphion Media Driver Race Condition Vulnerability Leading to Kernel Panic

Vulnerability

A race condition vulnerability has been identified in the Linux kernel's Amphion media driver, specifically within the V4L2 memory-to-memory (m2m) framework. This vulnerability causes a kernel panic due to a use-after-free error. The issue arises when the function v4l2_m2m_ctx_release() frees the m2m context while v4l2_m2m_try_run() is preparing to execute the device_run() function using the same context. The resulting race condition leads to a crash, as the system attempts to read from a memory address that has already been freed, causing an invalid memory access error.

Impact

Exploitation of this vulnerability causes a kernel panic and a system crash. The crash is a use-after-free error: the kernel tries to access memory that has already been freed, which results in an invalid memory access error.

Reproduction

The vulnerability can be reproduced by initiating a process that uses the V4L2 m2m framework with the Amphion media driver. During this process, the v4l2_m2m_ctx_release() function is called to release the m2m context. However, if the v4l2_m2m_try_run() function is simultaneously attempting to execute the device_run() function with the same context, a race condition occurs. This sequence of events can be triggered by scheduling a job that requires the m2m context, and then abruptly canceling that job, which releases the context before it can be used, leading to the kernel panic.

Remediation

The vulnerability has been addressed by modifying the Amphion VPU driver's integration with the V4L2 m2m framework. The driver now includes a job_ready callback that indicates no jobs are ready for the m2m framework, effectively preventing the scheduling of jobs that could trigger the race condition. This update is available in the Linux kernel stable tree.
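The gate that the remediation relies on can be shown with a small userspace model. This is an added example, not the Amphion driver's or the kernel's code; every name in it (try_schedule, ctx_release, try_run, never_ready, simulate and both structs) is hypothetical, and a flag stands in for the freed context so the program itself never touches freed memory.

```c
#include <stdio.h>

/* Userspace model only: "released" stands in for the context being freed. */
struct m2m_ctx { int released; };

struct m2m_dev {
    int (*job_ready)(struct m2m_ctx *);  /* NULL models a driver without the callback */
    struct m2m_ctx *job;                 /* one-slot job queue */
    int stale_runs;                      /* runs that reached a released context */
};

/* Scheduling gate: a job is queued only when job_ready does not veto it. */
static void try_schedule(struct m2m_dev *dev, struct m2m_ctx *ctx)
{
    if (dev->job_ready && !dev->job_ready(ctx))
        return;                          /* driver reports "not ready": nothing queued */
    dev->job = ctx;
}

/* Context release that wins the race against the run step. */
static void ctx_release(struct m2m_ctx *ctx) { ctx->released = 1; }

/* Run step: takes the queued job and would hand its context to device_run(). */
static void try_run(struct m2m_dev *dev)
{
    if (!dev->job)
        return;
    if (dev->job->released)
        dev->stale_runs++;               /* in the kernel this is the use-after-free */
    dev->job = NULL;
}

/* Models the fix described above: the callback always reports "no job ready". */
static int never_ready(struct m2m_ctx *ctx) { (void)ctx; return 0; }

/* Plays the interleaving from the advisory: schedule, release, then run. */
static int simulate(int (*job_ready)(struct m2m_ctx *))
{
    struct m2m_ctx ctx = { 0 };
    struct m2m_dev dev = { job_ready, NULL, 0 };
    try_schedule(&dev, &ctx);
    ctx_release(&ctx);
    try_run(&dev);
    return dev.stale_runs;
}

int main(void)
{
    printf("stale runs without job_ready: %d, with: %d\n", simulate(NULL), simulate(never_ready));
    return 0;
}
```

With the callback in place nothing is ever queued, so the run step has no context to dereference regardless of when the release happens.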

Added: May 27, 2026, 9:24 PM
Updated: May 27, 2026, 9:24 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 7.7
relevance: 9.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.