CVE-2023-52439

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> uio: Fix use-after-free in uio_open<br /> <br /> core-1 core-2<br /> -------------------------------------------------------<br /> uio_unregister_device uio_open<br /> idev = idr_find()<br /> device_unregister(&amp;idev-&gt;dev)<br /> put_device(&amp;idev-&gt;dev)<br /> uio_device_release<br /> get_device(&amp;idev-&gt;dev)<br /> kfree(idev)<br /> uio_free_minor(minor)<br /> uio_release<br /> put_device(&amp;idev-&gt;dev)<br /> kfree(idev)<br /> -------------------------------------------------------<br /> <br /> In the core-1 uio_unregister_device(), the device_unregister will kfree<br /> idev when the idev-&gt;dev kobject ref is 1. But after core-1<br /> device_unregister, put_device and before doing kfree, the core-2 may<br /> get_device. Then:<br /> 1. After core-1 kfree idev, the core-2 will do use-after-free for idev.<br /> 2. When core-2 do uio_release and put_device, the idev will be double<br /> freed.<br /> <br /> To address this issue, we can get idev atomic &amp; inc idev reference with<br /> minor_lock.