CVE-2023-52629

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
29/03/2024
Last modified:
08/04/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

sh: push-switch: Reorder cleanup operations to avoid use-after-free bug

The original code puts flush_work() before timer_shutdown_sync() in switch_drv_remove(). Although we use flush_work() to stop the worker, it could be rescheduled in switch_timer(). As a result, a use-after-free bug can occur. The details are shown below:

      (cpu 0)             |      (cpu 1)
switch_drv_remove()       |
 flush_work()             |
  ...                     |  switch_timer // timer
                          |   schedule_work(&psw->work)
 timer_shutdown_sync()    |
  ...                     |  switch_work_handler // worker
 kfree(psw) // free       |
                          |   psw->state = 0 // use

This patch puts timer_shutdown_sync() before flush_work() to mitigate the bugs. As a result, the worker and timer will be stopped safely before the deallocate operations.
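The ordering described above, as an added user-space model (not the kernel's push-switch code): the struct, helper names and function bodies are assumptions that only mirror the advisory's terms. A timer expiry is injected at every gap in the remove path so both cleanup orders face the same interleavings.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed user-space model; names follow the advisory, bodies are assumptions. */
struct psw_model {
    bool timer_armed;   /* debounce timer can still fire */
    bool work_pending;  /* switch_work_handler queued, not yet run */
    bool freed;         /* kfree(psw) has happened */
    bool uaf;           /* worker wrote to psw after the free */
};

/* switch_timer(): a live timer re-queues the worker. */
static void timer_fire(struct psw_model *m) {
    if (m->timer_armed)
        m->work_pending = true;      /* schedule_work(&psw->work) */
}

/* switch_work_handler(): writes psw->state, so it must never run after the free. */
static void run_worker(struct psw_model *m) {
    if (!m->work_pending)
        return;
    m->work_pending = false;
    if (m->freed)
        m->uaf = true;               /* psw->state = 0 on freed memory */
}

/* Model of switch_drv_remove() with a timer expiry before, between and after
 * the two cleanup steps. Returns true if the worker runs after the free. */
bool remove_hits_uaf(bool timer_shutdown_first) {
    struct psw_model m = { .timer_armed = true };

    timer_fire(&m);
    if (timer_shutdown_first) m.timer_armed = false;  /* timer_shutdown_sync() */
    else                      run_worker(&m);         /* flush_work() */
    timer_fire(&m);
    if (timer_shutdown_first) run_worker(&m);         /* flush_work() */
    else                      m.timer_armed = false;  /* timer_shutdown_sync() */
    timer_fire(&m);

    m.freed = true;                  /* kfree(psw) */
    run_worker(&m);                  /* workqueue later runs whatever is still queued */
    return m.uaf;
}

int main(void) {
    printf("flush_work() first:          uaf=%d\n", remove_hits_uaf(false));
    printf("timer_shutdown_sync() first: uaf=%d\n", remove_hits_uaf(true));
    return 0;
}
```

With the timer shut down first, nothing can re-queue the worker, so the single flush_work() that follows drains the last pending item before the free.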

Vulnerable products and versions

CPE                                             From                 Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    2.6.20 (including)   6.5.4 (excluding)