CVE-2022-49149

Severity CVSS v4.0:
Pending analysis
Type:
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Publication date:
26/02/2025
Last modified:
23/09/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Fix call timer start racing with call destruction

The rxrpc_call struct has a timer used to handle various timed events relating to a call. This timer can get started from the packet input routines that are run in softirq mode with just the RCU read lock held. Unfortunately, because only the RCU read lock is held - and neither ref nor other lock is taken - the call can start getting destroyed at the same time a packet comes in addressed to that call. This causes the timer - which was already stopped - to get restarted. Later, the timer dispatch code may then oops if the timer got deallocated first.

Fix this by trying to take a ref on the rxrpc_call struct and, if successful, passing that ref along to the timer. If the timer was already running, the ref is discarded.

The timer completion routine can then pass the ref along to the call's work item when it queues it. If the timer or work item were already queued/running, the extra ref is discarded.
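The reference hand-off described above can be modelled in userspace with C11 atomics. This is an added illustration, not the kernel's rxrpc code: the `struct call` layout, the two flags standing in for the timer and work item, and all function names are hypothetical.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only; every name here is hypothetical, not kernel code. */
struct call {
    atomic_int  ref;            /* 0 means destruction has already begun */
    atomic_bool timer_pending;  /* stands in for the call's timer */
    atomic_bool work_queued;    /* stands in for the call's work item */
};

/* Take a ref only while the count is non-zero (inc-not-zero). */
static bool call_try_get(struct call *c) {
    int old = atomic_load(&c->ref);
    while (old != 0)
        if (atomic_compare_exchange_weak(&c->ref, &old, old + 1))
            return true;
    return false;
}
static void call_put(struct call *c) { atomic_fetch_sub(&c->ref, 1); }

/* Input path: true if the timer was armed and now owns the new ref. */
static bool call_arm_timer(struct call *c) {
    if (!call_try_get(c))
        return false;           /* call is dying: never restart the timer */
    if (atomic_exchange(&c->timer_pending, true)) {
        call_put(c);            /* timer already running: discard the ref */
        return false;
    }
    return true;
}

/* Timer expiry: true if the timer's ref was handed to the work item. */
static bool call_timer_fire(struct call *c) {
    atomic_store(&c->timer_pending, false);
    if (atomic_exchange(&c->work_queued, true)) {
        call_put(c);            /* work already queued: discard the ref */
        return false;
    }
    return true;
}

int main(void) {
    /* Constructed sample state: one live call, one already at refcount 0. */
    struct call live = { 1, false, false }, dying = { 0, false, false };
    printf("armed: live=%d dying=%d\n", call_arm_timer(&live), call_arm_timer(&dying));
    printf("work queued=%d ref=%d\n", call_timer_fire(&live), atomic_load(&live.ref));
    return 0;
}
```

The property to check is that a call whose count has reached zero can never have its timer re-armed, and that every extra ref taken on the input path is either owned by the timer or work item or dropped immediately.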

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.15.1 (including) 5.10.110 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.33 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 5.16.19 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.17 (including) 5.17.2 (excluding)
cpe:2.3:o:linux:linux_kernel:4.15:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:4.15:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:4.15:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:4.15:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:4.15:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:4.15:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:4.15:rc7:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:4.15:rc8:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:4.15:rc9:*:*:*:*:*:*