CVE-2026-43236

Source: https://cve.org/CVERecord?id=CVE-2026-43236
Import Source: https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43236.json
JSON Data: https://api.test.osv.dev/v1/vulns/CVE-2026-43236
Published: 2026-05-06T11:28:31.543Z
Modified: 2026-05-28T03:53:15.197639950Z
Severity: 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
drm/atmel-hlcdc: fix use-after-free of drm_crtc_commit after release
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/atmel-hlcdc: fix use-after-free of drm_crtc_commit after release

The atmel_hlcdc_plane_atomic_duplicate_state() callback was copying the atmel_hlcdc_plane state structure without properly duplicating the drm_plane_state. In particular, state->commit remained set to the old state commit, which can lead to a use-after-free in the next drm_atomic_commit() call.

Fix this by calling __drm_atomic_helper_duplicate_plane_state(), which correctly clones the base drm_plane_state (including the ->commit pointer).

It has been seen when closing and re-opening the device node while another DRM client (e.g. fbdev) is still attached:

=============================================================================

BUG kmalloc-64 (Not tainted): Poison overwritten

0xc611b344-0xc611b344 @offset=836. First byte 0x6a instead of 0x6b
FIX kmalloc-64: Restoring Poison 0xc611b344-0xc611b344=0x6b
Allocated in drm_atomic_helper_setup_commit+0x1e8/0x7bc age=178 cpu=0 pid=29
 drm_atomic_helper_setup_commit+0x1e8/0x7bc
 drm_atomic_helper_commit+0x3c/0x15c
 drm_atomic_commit+0xc0/0xf4
 drm_framebuffer_remove+0x4cc/0x5a8
 drm_mode_rmfb_work_fn+0x6c/0x80
 process_one_work+0x12c/0x2cc
 worker_thread+0x2a8/0x400
 kthread+0xc0/0xdc
 ret_from_fork+0x14/0x28
Freed in drm_atomic_helper_commit_hw_done+0x100/0x150 age=8 cpu=0 pid=169
 drm_atomic_helper_commit_hw_done+0x100/0x150
 drm_atomic_helper_commit_tail+0x64/0x8c
 commit_tail+0x168/0x18c
 drm_atomic_helper_commit+0x138/0x15c
 drm_atomic_commit+0xc0/0xf4
 drm_atomic_helper_set_config+0x84/0xb8
 drm_mode_setcrtc+0x32c/0x810
 drm_ioctl+0x20c/0x488
 sys_ioctl+0x14c/0xc20
 ret_fast_syscall+0x0/0x54
Slab 0xef8bc360 objects=21 used=16 fp=0xc611b7c0 flags=0x200(workingset|zone=0)
Object 0xc611b340 @offset=832 fp=0xc611b7c0
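
The state-duplication bug described in the details above, reduced to a userspace C model (an added example, not kernel or driver code). A whole-struct copy leaves the new state pointing at the old state's commit without holding a reference, so the second release touches an object that is already gone. The struct and function names are hypothetical stand-ins, and the model assumes the base-state helper returns a copy whose commit pointer is cleared.

```c
/* Added example: userspace model with hypothetical names, not kernel code. */
#include <stdlib.h>
#include <string.h>

struct commit { int refs; int released; };               /* models drm_crtc_commit */
struct base_state { struct commit *commit; };            /* models drm_plane_state */
struct drv_state { struct base_state base; int alpha; }; /* driver subclass */

static int stale_puts; /* reference drops attempted on a released commit */

static void commit_put(struct commit *c)
{
    if (!c) return;
    if (c->released) { stale_puts++; return; } /* in the kernel: use-after-free */
    if (--c->refs == 0) c->released = 1;       /* flag, not free(), keeps the model defined */
}

/* Before the fix: whole-struct copy; base.commit aliases the old commit, no reference taken. */
static struct drv_state *dup_copy_only(const struct drv_state *old)
{
    struct drv_state *s = malloc(sizeof(*s));
    if (s) memcpy(s, old, sizeof(*s));
    return s;
}

/* After the fix (model assumption): the base part of the copy starts without a commit. */
static struct drv_state *dup_with_base_helper(const struct drv_state *old)
{
    struct drv_state *s = dup_copy_only(old);
    if (s) s->base.commit = NULL;
    return s;
}

/* One state swap: the old state owns the only reference, then both states are released. */
static int stale_puts_after_swap(struct drv_state *(*dup)(const struct drv_state *))
{
    struct commit c = { .refs = 1, .released = 0 };
    struct drv_state old = { .base = { .commit = &c }, .alpha = 255 };
    struct drv_state *next = dup(&old);
    if (!next) return -1;
    stale_puts = 0;
    commit_put(old.base.commit);   /* old state destroyed: last reference dropped */
    commit_put(next->base.commit); /* duplicated state destroyed */
    free(next);
    return stale_puts;
}

int main(void) { return stale_puts_after_swap(dup_with_base_helper); }
```
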

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43236.json",
    "cna_assigner": "Linux"
}

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events:
  Introduced: 2389fc1305fc1e2cf8b310a75463fefd3058bf48
  Fixed: fd4a4d0711f48a99b25bcd45e00eef8339eff82d
  Fixed: 6404898af86d986db1dbbe06177c143e40652e49
  Fixed: 796e77c14c4c1e2cd36473760fb6cc66c695eb47
  Fixed: ac2d898da5095d46bd1ff8585fdd753d58ad91e7
  Fixed: a205740a7231e967ac77cb731171642901c327af
  Fixed: 7b4d0fab3ff2c00c6d34e1952c9df5129a826aee
  Fixed: 549c6db503dbb85dbff4840830971853feac6625
  Fixed: bc847787233277a337788568e90a6ee1557595eb

Database specific

source: "https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43236.json"

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type        Introduced   Fixed
ECOSYSTEM   4.1.0        5.10.252
ECOSYSTEM   5.11.0       5.15.202
ECOSYSTEM   5.16.0       6.1.165
ECOSYSTEM   6.2.0        6.6.128
ECOSYSTEM   6.7.0        6.12.75
ECOSYSTEM   6.13.0       6.18.16
ECOSYSTEM   6.19.0       6.19.6

Database specific

source: "https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43236.json"