| Description: | In the Linux kernel, the following vulnerability has been resolved:
crypto: qat - resolve race condition during AER recovery During the
PCI AER system's error recovery process, the kernel driver may
encounter a race condition with freeing the reset_data structure's
memory. If the device restart will take more than 10 seconds the
function scheduling that restart will exit due to a timeout, and the
reset_data structure will be freed. However, this data structure is
used for completion notification after the restart is completed, which
leads to a UAF bug. This results in a KFENCE bug notice. BUG: KFENCE:
use-after-free read in adf_device_reset_worker+0x38/0xa0 [intel_qat]
Use-after-free read at 0x00000000bc56fddf (in kfence-#142):
adf_device_reset_worker+0x38/0xa0 [intel_qat]
process_one_work+0x173/0x340 To resolve this race condition, the
memory associated to the container of the work_struct is freed on the
worker if the timeout expired, otherwise on the function that
schedules the worker. The timeout detection can be done by checking if
the caller is still waiting for completion or not by using
completion_done() function.
|
