CVE-2024-26974

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 01/05/2024
Last modified: 23/12/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

crypto: qat - resolve race condition during AER recovery

During the PCI AER system's error recovery process, the kernel driver may encounter a race condition with freeing the reset_data structure's memory. If the device restart will take more than 10 seconds the function scheduling that restart will exit due to a timeout, and the reset_data structure will be freed. However, this data structure is used for completion notification after the restart is completed, which leads to a UAF bug.

This results in a KFENCE bug notice.

    BUG: KFENCE: use-after-free read in adf_device_reset_worker+0x38/0xa0 [intel_qat]
    Use-after-free read at 0x00000000bc56fddf (in kfence-#142):
    adf_device_reset_worker+0x38/0xa0 [intel_qat]
    process_one_work+0x173/0x340

To resolve this race condition, the memory associated to the container of the work_struct is freed on the worker if the timeout expired, otherwise on the function that schedules the worker. The timeout detection can be done by checking if the caller is still waiting for completion or not by using completion_done() function.
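The ownership hand-off described above, as an added userspace model with pthreads; it is not the kernel patch or driver code. All names are hypothetical, and a mutex-protected `abandoned` flag stands in for the kernel's completion_done() check.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pthread.h>
#include <stdlib.h>
#include <time.h>

/* Userspace model; every name here is hypothetical, not the qat driver's. */
struct reset_data {
    pthread_mutex_t lock; pthread_cond_t cond;
    int done, abandoned;  /* restart finished / waiter timed out and left */
    long restart_ms;      /* simulated duration of the device restart */
};
static int freed_by_worker, freed_by_caller; /* read only after pthread_join() */
/* Worker: notifies a waiter that is still there, otherwise frees rd itself. */
static void *reset_worker(void *arg) {
    struct reset_data *rd = arg;
    struct timespec d = { .tv_sec = rd->restart_ms / 1000,
                          .tv_nsec = rd->restart_ms % 1000 * 1000000L };
    nanosleep(&d, NULL);                  /* stands in for the device restart */
    pthread_mutex_lock(&rd->lock);
    int owner = rd->abandoned;            /* ownership is decided under the lock */
    if (!owner) { rd->done = 1; pthread_cond_signal(&rd->cond); }
    pthread_mutex_unlock(&rd->lock);
    if (owner) { free(rd); freed_by_worker++; } /* waiter is gone: worker frees */
    return NULL;                          /* otherwise rd is never touched again */
}
/* Returns 0 if the restart finished within timeout_ms, -ETIMEDOUT otherwise. */
static int schedule_reset(long restart_ms, long timeout_ms, pthread_t *tid) {
    struct reset_data *rd = calloc(1, sizeof(*rd));
    struct timespec ts;
    int rc = 0;
    if (!rd) return -ENOMEM;
    pthread_mutex_init(&rd->lock, NULL); pthread_cond_init(&rd->cond, NULL);
    rd->restart_ms = restart_ms;
    clock_gettime(CLOCK_REALTIME, &ts);   /* absolute deadline for the wait */
    ts.tv_sec += timeout_ms / 1000 + (ts.tv_nsec + timeout_ms % 1000 * 1000000L) / 1000000000L;
    ts.tv_nsec = (ts.tv_nsec + timeout_ms % 1000 * 1000000L) % 1000000000L;
    if (pthread_create(tid, NULL, reset_worker, rd)) { free(rd); return -EAGAIN; }
    pthread_mutex_lock(&rd->lock);
    while (!rd->done && rc == 0) rc = pthread_cond_timedwait(&rd->cond, &rd->lock, &ts);
    rc = rd->done ? 0 : -ETIMEDOUT;
    rd->abandoned = (rc != 0);            /* timed out: the worker now owns rd */
    pthread_mutex_unlock(&rd->lock);
    if (rc == 0) { free(rd); freed_by_caller++; } /* freeing on timeout would be the UAF */
    return rc;
}
int main(void) {
    pthread_t t;
    int rc = schedule_reset(300, 30, &t); /* restart outlasts the timeout */
    pthread_join(t, NULL);
    return !(rc == -ETIMEDOUT && freed_by_worker == 1 && freed_by_caller == 0);
}
```

Build with `cc -pthread`; exactly one side frees the structure in either ordering, which is the invariant the fix restores.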

Vulnerable products and versions

| CPE | From | Up to |
| --- | --- | --- |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 3.17 (including) | 4.19.312 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.20 (including) | 5.4.274 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.215 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.154 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.84 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.24 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.7.12 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.8 (including) | 6.8.3 (excluding) |
| cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* | | |