Linux Kernel V3D Driver Empty Multisync Extension Processing Vulnerability Leading to Denial-of-Service

A denial-of-service vulnerability has been identified in the Linux kernel's V3D graphics driver. The issue arises in the handling of multisync extensions, where the driver processes a user-supplied, self-referential linked list of extensions without any limit on its length. A local user can create an extension with zero synchronization counts that bypasses existing checks, causing the driver to enter an infinite loop. This loop blocks the executing thread and fully utilizes a CPU core, effectively freezing that core until the loop is manually interrupted. The vulnerability affects the Linux kernel stable tree.

Impact

Exploitation of this vulnerability causes an infinite loop in kernel mode, blocking the current thread and using one CPU core at full capacity indefinitely.

Reproduction

To reproduce this vulnerability, create a self-referential ioctl extension for the V3D driver that has both the in_sync_count and out_sync_count set to zero. This extension can be submitted through the appropriate ioctl interface, where it will bypass the driver's duplicate extension guard and cause v3d_get_multisync_post_deps() to return immediately without processing, leading to an infinite loop.

Remediation

The vulnerability has been addressed by modifying the V3D driver to reject empty multisync extensions in the v3d_get_multisync_submit_deps() function. Users should update to the latest version of the Linux kernel where this fix has been applied.