CVE-2024-50059

Severity CVSS v4.0: Pending analysis
Type: CWE-416 Use After Free
Publication date: 21/10/2024
Last modified: 03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

ntb: ntb_hw_switchtec: Fix use after free vulnerability in switchtec_ntb_remove due to race condition

In the switchtec_ntb_add function, it can call switchtec_ntb_init_sndev function, then &sndev->check_link_status_work is bound with check_link_status_work. switchtec_ntb_link_notification may be called to start the work.

If we remove the module which will call switchtec_ntb_remove to make cleanup, it will free sndev through kfree(sndev), while the work mentioned above will be used. The sequence of operations that may lead to a UAF bug is as follows:

    CPU0                         CPU1

                               | check_link_status_work
    switchtec_ntb_remove       |
    kfree(sndev);              |
                               | if (sndev->link_force_down)
                               | // use sndev

Fix it by ensuring that the work is canceled before proceeding with the cleanup in switchtec_ntb_remove.

Vulnerable products and versions

| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | | 5.10.227 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.168 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.113 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.57 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.11.4 (excluding) |
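
A triage check for the ranges listed above, added here as an example and not part of the advisory: it tests whether a kernel release string falls in an affected range and whether the ntb_hw_switchtec driver is loaded. It assumes upstream version numbering (distribution kernels may backport the fix without changing the version), and the function names and the sample /proc/modules text are constructed for illustration.

```python
import re

# Affected ranges from the table above: (from_inclusive, up_to_exclusive).
# None means the table lists no lower bound for that row.
AFFECTED_RANGES = [
    (None, "5.10.227"),
    ("5.11", "5.15.168"),
    ("5.16", "6.1.113"),
    ("6.2", "6.6.57"),
    ("6.7", "6.11.4"),
]
DRIVER = "ntb_hw_switchtec"  # driver named in the description


def parse_release(release):
    """Parse a `uname -r` style string into (major, minor, patch).

    Suffixes such as "-generic" or "-rc3" are ignored.
    """
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(g or 0) for g in m.groups())


def in_affected_range(release):
    """True if the upstream version falls inside any listed range."""
    v = parse_release(release)
    return any(
        (low is None or v >= parse_release(low)) and v < parse_release(high)
        for low, high in AFFECTED_RANGES
    )


def driver_loaded(proc_modules_text, name=DRIVER):
    """True if `name` is the first field of a /proc/modules line.

    A driver built into the kernel image does not appear there.
    """
    return any(line.split()[:1] == [name] for line in proc_modules_text.splitlines())


def needs_update(release, proc_modules_text):
    """Affected version and the driver is currently loaded as a module."""
    return in_affected_range(release) and driver_loaded(proc_modules_text)


# Constructed sample of /proc/modules content, for illustration only.
SAMPLE_MODULES = """\
ntb_hw_switchtec 45056 0 - Live 0x0000000000000000
ntb 28672 1 ntb_hw_switchtec, Live 0x0000000000000000
nvme 49152 2 - Live 0x0000000000000000
"""
```

On a live host, pass `platform.release()` and the contents of `/proc/modules` to `needs_update`.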