Ville Syrjälä

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the drm/client component of the Linux kernel, where the modes[] array contains pointers to modes on the connectors' mode lists, protected by dev->mode config.mutex. However, the modes[] array itself lacks the same protection, potentially leading to elements pointing to freed or reused memory. This could allow an attacker to elevate privileges in the system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue arises from a deadlock handling mistake in the Linux kernel, specifically in the `drm mode page flip ioctl()` function. When a deadlock occurs after the framebuffer lookup, the kernel proceeds to unref the framebuffer and then retries the process. However, it forgets to reset the framebuffer pointer back to NULL, leading to the possibility of unreferencing the same framebuffer multiple times without obtaining another reference. This can result in the framebuffer being freed while still in use. The problem is exacerbated when doing async flips on a DG2 with `CONFIG DEBUG WW MUTEX SLOWPATH=y` enabled. Symptoms include `drm closefb()` getting stuck in a busy loop while walking the framebuffer list. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A vulnerability has been resolved in the Linux kernel, specifically in the drm/edid component. The function `connector bad edid()` assumed that the memory for the EDID passed to it was big enough to hold `edid[0x7e] + 1` blocks of data, ignoring the fact that it was passed `num blocks` which indicated the allocated memory for the EDID. This issue is important for handling cases where there's an error in the first block of the EDID. A bounds check has been added to fix this issue. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.