[SRU][Focal][PATCH 0/2] Fix for CVE-2020-27820

Bartlomiej Zolnierkiewicz bartlomiej.zolnierkiewicz at canonical.com
Wed Mar 23 17:23:11 UTC 2022


[Impact]
A vulnerability was found in the Linux kernel, where a use-after-free in
nouveau’s postclose() handler could happen when removing the device (it is
not common to physically remove a video card without powering off, but the
same happens when “unbinding” the driver). A privileged or physically
proximate attacker could use this to cause a denial of service (system crash).

[Fix]
f55aaf63bde0 ("drm/nouveau: clean up all clients on device removal")
abae9164a421 ("drm/nouveau: Add a dedicated mutex for the clients list")

Patch #1 required backporting due to different context in
nouveau_drm_device_fini().

Patch #2 cherry picked cleanly.

Both patches build just fine.

Please also note that Focal already has a backport of:
aff2299e0d81 ("drm/nouveau: use drm_dev_unplug() during device removal")
(commit 64c189f2be00), which is also required for fixing CVE-2020-27820.

[Potential regression]
The changes are limited to the drm nouveau driver and are already present in
the Impish and Jammy kernels.


Jeremy Cline (2):
  drm/nouveau: Add a dedicated mutex for the clients list
  drm/nouveau: clean up all clients on device removal

 drivers/gpu/drm/nouveau/nouveau_drm.c | 40 ++++++++++++++++++++++++---
 drivers/gpu/drm/nouveau/nouveau_drv.h |  5 ++++
 2 files changed, 41 insertions(+), 4 deletions(-)

-- 
2.25.1



