CVE-2023-53445

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 18/09/2025
Last modified: 19/09/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

net: qrtr: Fix a refcount bug in qrtr_recvmsg()

Syzbot reported a bug as following:

    refcount_t: addition on 0; use-after-free.
    ...
    RIP: 0010:refcount_warn_saturate+0x17c/0x1f0 lib/refcount.c:25
    ...
    Call Trace:

     __refcount_add include/linux/refcount.h:199 [inline]
     __refcount_inc include/linux/refcount.h:250 [inline]
     refcount_inc include/linux/refcount.h:267 [inline]
     kref_get include/linux/kref.h:45 [inline]
     qrtr_node_acquire net/qrtr/af_qrtr.c:202 [inline]
     qrtr_node_lookup net/qrtr/af_qrtr.c:398 [inline]
     qrtr_send_resume_tx net/qrtr/af_qrtr.c:1003 [inline]
     qrtr_recvmsg+0x85f/0x990 net/qrtr/af_qrtr.c:1070
     sock_recvmsg_nosec net/socket.c:1017 [inline]
     sock_recvmsg+0xe2/0x160 net/socket.c:1038
     qrtr_ns_worker+0x170/0x1700 net/qrtr/ns.c:688
     process_one_work+0x991/0x15c0 kernel/workqueue.c:2390
     worker_thread+0x669/0x1090 kernel/workqueue.c:2537

It occurs in the concurrent scenario of qrtr_recvmsg() and
qrtr_endpoint_unregister() as following:

    cpu0                                    cpu1
    qrtr_recvmsg                            qrtr_endpoint_unregister
    qrtr_send_resume_tx                     qrtr_node_release
    qrtr_node_lookup                        mutex_lock(&qrtr_node_lock)
    spin_lock_irqsave(&qrtr_nodes_lock, )   refcount_dec_and_test(&node->ref) [node->ref == 0]
    radix_tree_lookup [node != NULL]        __qrtr_node_release
    qrtr_node_acquire                       spin_lock_irqsave(&qrtr_nodes_lock, )
    kref_get(&node->ref) [WARNING]          ...
                                            mutex_unlock(&qrtr_node_lock)

Use qrtr_node_lock to protect qrtr_node_lookup() implementation, this
is actually improving the protection of node reference.
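The interleaving in the description, replayed as a deterministic single-threaded C model. This is an added example, not the kernel's code or the patch itself. The names `replay`, `lookup`, `release_begin`, `release_finish`, `table_slot` and `node_lock_held` are hypothetical stand-ins for the radix tree, the `qrtr_node_lock` mutex and the two halves of the release path.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Userspace model (constructed): one node, one table slot, no real locks. */
struct node { int ref; };
static struct node *table_slot;   /* stands in for the qrtr_nodes radix tree */
static bool node_lock_held;       /* stands in for the qrtr_node_lock mutex */
enum result { GOT_REF, NOT_FOUND, INC_FROM_ZERO, MUST_WAIT };

/* Release, first half: take the mutex and drop the last reference. */
static void release_begin(struct node *n) { node_lock_held = true; n->ref--; }

/* Release, second half: unpublish the node, then drop the mutex. */
static void release_finish(void) { table_slot = NULL; node_lock_held = false; }

/* Lookup; take_node_lock selects the behaviour the fix describes. */
static enum result lookup(bool take_node_lock) {
    if (take_node_lock && node_lock_held)
        return MUST_WAIT;               /* a real mutex_lock() would sleep here */
    struct node *n = table_slot;
    if (!n) return NOT_FOUND;
    if (n->ref == 0) return INC_FROM_ZERO;  /* "refcount_t: addition on 0" */
    n->ref++;
    return GOT_REF;
}

/* Replay the reported interleaving: lookup runs between the release halves. */
static enum result replay(bool take_node_lock) {
    static struct node n;
    n.ref = 1; table_slot = &n; node_lock_held = false;
    release_begin(&n);                  /* cpu1: ref drops to 0, node still published */
    enum result r = lookup(take_node_lock);   /* cpu0 */
    release_finish();                   /* cpu1: node removed from the table */
    if (r == MUST_WAIT)
        r = lookup(take_node_lock);     /* cpu0 resumes once the mutex is free */
    return r;
}

int main(void) {
    printf("lookup without node lock: %d\n", replay(false));
    printf("lookup with node lock:    %d\n", replay(true));
    return 0;
}
```

Without the mutex the lookup reaches a still-published node whose count is already zero. With it, the lookup can only run before the decrement or after the node has been removed from the table.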

Impact