Fixed

LIN1025-14144 : Security Advisory - linux - CVE-2026-43236

Created: May 7, 2026    Updated: May 13, 2026
Resolved Date: May 7, 2026
Found In Version: 10.25.33.2
Fix Version: 10.25.33.8
Severity: Standard
Applicable for: Wind River Linux LTS 25
Component/s: Kernel

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/atmel-hlcdc: fix use-after-free of drm_crtc_commit after release

The atmel_hlcdc_plane_atomic_duplicate_state() callback was copying the atmel_hlcdc_plane state structure without properly duplicating the drm_plane_state. In particular, state->commit remained set to the old state commit, which can lead to a use-after-free in the next drm_atomic_commit() call.

Fix this by calling __drm_atomic_helper_duplicate_plane_state(), which correctly clones the base drm_plane_state (including the ->commit pointer).

It has been seen when closing and re-opening the device node while another DRM client (e.g. fbdev) is still attached:

    =============================================================================
    BUG kmalloc-64 (Not tainted): Poison overwritten
    -----------------------------------------------------------------------------

    0xc611b344-0xc611b344 @offset=836. First byte 0x6a instead of 0x6b
    FIX kmalloc-64: Restoring Poison 0xc611b344-0xc611b344=0x6b
    Allocated in drm_atomic_helper_setup_commit+0x1e8/0x7bc age=178 cpu=0 pid=29
     drm_atomic_helper_setup_commit+0x1e8/0x7bc
     drm_atomic_helper_commit+0x3c/0x15c
     drm_atomic_commit+0xc0/0xf4
     drm_framebuffer_remove+0x4cc/0x5a8
     drm_mode_rmfb_work_fn+0x6c/0x80
     process_one_work+0x12c/0x2cc
     worker_thread+0x2a8/0x400
     kthread+0xc0/0xdc
     ret_from_fork+0x14/0x28
    Freed in drm_atomic_helper_commit_hw_done+0x100/0x150 age=8 cpu=0 pid=169
     drm_atomic_helper_commit_hw_done+0x100/0x150
     drm_atomic_helper_commit_tail+0x64/0x8c
     commit_tail+0x168/0x18c
     drm_atomic_helper_commit+0x138/0x15c
     drm_atomic_commit+0xc0/0xf4
     drm_atomic_helper_set_config+0x84/0xb8
     drm_mode_setcrtc+0x32c/0x810
     drm_ioctl+0x20c/0x488
     sys_ioctl+0x14c/0xc20
     ret_fast_syscall+0x0/0x54
    Slab 0xef8bc360 objects=21 used=16 fp=0xc611b7c0 flags=0x200(workingset|zone=0)
    Object 0xc611b340 @offset=832 fp=0xc611b7c0
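The bug class described above, reduced to a user-space model. This is an added example, not the kernel patch or Wind River code: it contrasts a whole-struct copy of a driver state with a duplicate that routes the embedded base state through a helper. All type and function names are hypothetical, and the helper clearing the commit pointer is an assumption of this sketch.

```c
#include <stdbool.h>
#include <string.h>

/* User-space model; every name below is hypothetical, not kernel code. */
struct commit { int refcount; bool released; };
struct base_state { struct commit *commit; int fb_id; };
/* Driver state embedding the base state, as a driver plane state embeds drm_plane_state. */
struct drv_state { struct base_state base; int disc_x; };

static void commit_put(struct commit *c)
{
	/* "released" stands in for kfree(); the memory stays valid, so the model has no real UAF. */
	if (--c->refcount == 0)
		c->released = true;
}

/* Before: whole-struct copy; base.commit aliases the old commit and no reference is taken. */
static void dup_shallow(struct drv_state *dst, const struct drv_state *src)
{
	memcpy(dst, src, sizeof(*dst));
}

/* After: the base state goes through a helper that does not carry the old commit over. */
static void base_duplicate(struct base_state *dst, const struct base_state *src)
{
	memcpy(dst, src, sizeof(*dst));
	dst->commit = NULL;
}

static void dup_fixed(struct drv_state *dst, const struct drv_state *src)
{
	base_duplicate(&dst->base, &src->base);
	dst->disc_x = src->disc_x;	/* driver-private fields are still copied */
}

/* True when the duplicated state still points at a commit that has since been released. */
static bool next_commit_is_stale(void (*dupfn)(struct drv_state *, const struct drv_state *))
{
	struct commit c = { .refcount = 1, .released = false };	/* constructed sample data */
	struct drv_state cur = { .base = { .commit = &c, .fb_id = 7 }, .disc_x = 3 };
	struct drv_state next;

	dupfn(&next, &cur);
	commit_put(cur.base.commit);	/* the old commit completes and drops its last reference */
	return next.base.commit != NULL && next.base.commit->released;
}

int main(void) { return !(next_commit_is_stale(dup_shallow) && !next_commit_is_stale(dup_fixed)); }
```

The same check applies when reviewing other drivers that subclass an atomic state: a duplicate callback that copies the wrapper struct wholesale, without calling the matching base-state helper, is the pattern to flag.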

CVEs