CVE-2021-47533 in Linux
Summary
by MITRE • 05/24/2024
In the Linux kernel, the following vulnerability has been resolved:
drm/vc4: kms: Clear the HVS FIFO commit pointer once done
Commit 9ec03d7f1ed3 ("drm/vc4: kms: Wait on previous FIFO users before a commit") introduced a wait on the previous commit done on a given HVS FIFO.
However, we never cleared that pointer once done. Since drm_crtc_commit_put can free the drm_crtc_commit structure directly if we were the last user, this means that it can lead to a use-after-free if we were to duplicate the state, and that stale pointer would even be copied to the new state.
Set the pointer to NULL once we're done with the wait so that we don't carry over a pointer to a freed structure.
Analysis
by VulDB Data Team • 09/19/2025
The vulnerability CVE-2021-47533 resides within the Linux kernel's graphics subsystem, specifically in the vc4 driver's display subsystem. This issue affects the High Voltage Synthesizer (HVS) FIFO commit handling mechanism that manages display output operations for certain graphics hardware. The problem manifests in the drm/vc4/kms component where the kernel fails to properly manage memory references during display commit operations, creating a potential use-after-free condition that could be exploited by malicious actors with kernel-level access.
The technical flaw stems from improper memory management in the commit pointer handling within the HVS FIFO subsystem. When a display commit operation completes, the driver should clear the commit pointer to prevent dangling references to freed memory structures. Commit 9ec03d7f1ed3 introduced a wait on previous commit operations but did not clear the commit pointer once the wait completed. As a result, when the drm_crtc_commit_put function runs and frees the drm_crtc_commit structure (because the caller held the last reference), the stale pointer remains in the state object, and subsequent operations may access already-freed memory.
The operational impact of this vulnerability extends beyond simple memory corruption: it is a classic use-after-free that could potentially lead to privilege escalation or system instability. The issue maps to CWE-416 (Use After Free), in which the system references memory that has already been released. It is particularly concerning in graphics processing contexts, where the kernel maintains complex state for display operations and the HVS FIFO mechanism handles timing and resource allocation for video output. Attackers with kernel-level privileges could exploit this condition to execute arbitrary code or cause system crashes.
Mitigation strategies should focus on ensuring proper memory management practices within the kernel's graphics subsystem. The fix implemented in the kernel patch explicitly sets the commit pointer to NULL after completing the wait operation, preventing the propagation of stale references to new state copies. System administrators should ensure their kernels are updated to versions containing this patch, particularly in environments where the vc4 driver is actively used for graphics processing. The vulnerability also highlights the importance of comprehensive testing for memory management operations in kernel subsystems, especially those involving complex state transitions and resource cleanup. Organizations should monitor for similar patterns in other kernel subsystems and implement robust code review processes that specifically examine commit pointer management and memory lifecycle handling, aligning with ATT&CK technique T1068, which covers privilege escalation through kernel exploits.
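The mechanism described in the analysis and the fix it names, as an added toy model that is not the kernel's own code: a refcounted commit object sits in a per-FIFO slot of a state structure, the last put releases it, and duplicating the state copies whatever pointer is left in the slot. All type and function names (toy_commit, toy_hvs_state, wait_fifo_vulnerable, wait_fifo_fixed) are constructed for illustration; the "free" is tracked with a flag so the model never touches released memory.

```c
/* Toy model of the commit-pointer bug described above; names are constructed, not kernel symbols. */
#include <stdbool.h>
#include <string.h>
#define NUM_FIFOS 3

struct toy_commit {
	int refcount;
	bool freed;	/* stands in for kfree(): set when the last reference is dropped */
};
struct toy_hvs_state {
	struct toy_commit *fifo_commit[NUM_FIFOS];	/* previous commit per FIFO */
};

/* Drop a reference; the last put releases the object (tracked, not really freed). */
static void toy_commit_put(struct toy_commit *c) {
	if (c && --c->refcount == 0)
		c->freed = true;
}

/* Vulnerable pattern: wait on the previous FIFO user and drop the reference,
 * but leave the pointer behind in the state. */
static void wait_fifo_vulnerable(struct toy_hvs_state *s, int fifo) {
	/* ... wait for the previous commit on this FIFO to finish ... */
	toy_commit_put(s->fifo_commit[fifo]);
}

/* Fixed pattern: same wait and put, then clear the slot. */
static void wait_fifo_fixed(struct toy_hvs_state *s, int fifo) {
	wait_fifo_vulnerable(s, fifo);
	s->fifo_commit[fifo] = NULL;
}

/* Copy the state verbatim, as a duplicate-state helper does, and report whether
 * any copied slot now points at a released commit. */
static bool duplicate_has_dangling(struct toy_hvs_state *dst, const struct toy_hvs_state *src) {
	memcpy(dst, src, sizeof(*dst));
	for (int i = 0; i < NUM_FIFOS; i++)
		if (dst->fifo_commit[i] && dst->fifo_commit[i]->freed)
			return true;
	return false;
}

/* One scenario: we were the last user of the commit pending on FIFO 0. */
static bool scenario(void (*wait_fifo)(struct toy_hvs_state *, int)) {
	struct toy_commit commit = { .refcount = 1 };
	struct toy_hvs_state old = { .fifo_commit = { &commit } }, dup;
	wait_fifo(&old, 0);
	return duplicate_has_dangling(&dup, &old);
}
```

Running scenario() with wait_fifo_vulnerable reports a dangling pointer in the duplicated state; with wait_fifo_fixed it does not, which is exactly the difference the patch makes.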