CVE-2024-36899

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> gpiolib: cdev: Fix use after free in lineinfo_changed_notify<br /> <br /> The use-after-free issue occurs as follows: when the GPIO chip device file<br /> is being closed by invoking gpio_chrdev_release(), watched_lines is freed<br /> by bitmap_free(), but the unregistration of lineinfo_changed_nb notifier<br /> chain failed due to waiting write rwsem. Additionally, one of the GPIO<br /> chip&amp;#39;s lines is also in the release process and holds the notifier chain&amp;#39;s<br /> read rwsem. Consequently, a race condition leads to the use-after-free of<br /> watched_lines.<br /> <br /> Here is the typical stack when issue happened:<br /> <br /> [free]<br /> gpio_chrdev_release()<br /> --&gt; bitmap_free(cdev-&gt;watched_lines) blocking_notifier_chain_unregister()<br /> --&gt; down_write(&amp;nh-&gt;rwsem) __down_write_common()<br /> --&gt; rwsem_down_write_slowpath()<br /> --&gt; schedule_preempt_disabled()<br /> --&gt; schedule()<br /> <br /> [use]<br /> st54spi_gpio_dev_release()<br /> --&gt; gpio_free()<br /> --&gt; gpiod_free()<br /> --&gt; gpiod_free_commit()<br /> --&gt; gpiod_line_state_notify()<br /> --&gt; blocking_notifier_call_chain()<br /> --&gt; down_read(&amp;nh-&gt;rwsem); notifier_call_chain()<br /> --&gt; lineinfo_changed_notify()<br /> --&gt; test_bit(xxxx, cdev-&gt;watched_lines)