Description
In the Linux kernel, the following vulnerability has been resolved: iio: adc: at91-sama5d2_adc: Fix potential use-after-free in sama5d2_adc driver at91_adc_interrupt can call at91_adc_touch_data_handler function to start the work by schedule_work(&st->touch_st.workq). If we remove the module which will call at91_adc_remove to make cleanup, it will free indio_dev through iio_device_unregister but quite a bit later. While the work mentioned above will be used. The sequence of operations that may lead to a UAF bug is as follows: CPU0 CPU1 | at91_adc_workq_handler at91_adc_remove | iio_device_unregister(indio_dev) | //free indio_dev a bit later | | iio_push_to_buffers(indio_dev) | //use indio_dev Fix it by ensuring that the work is canceled before proceeding with the cleanup in at91_adc_remove.
Product status
23ec2774f1cc168b1f32a2e0ed2709cb473bb94e (git) before 4c83dd62595ee7b7c9298a4d19a256b6647e7240
23ec2774f1cc168b1f32a2e0ed2709cb473bb94e (git) before fdc8c835c637a3473878d1e7438c77ab8928af63
23ec2774f1cc168b1f32a2e0ed2709cb473bb94e (git) before 919d176b05776c7ede79c36744c823a07d631617
23ec2774f1cc168b1f32a2e0ed2709cb473bb94e (git) before 9795fe80976f8c31cafda7d44edfc0f532d1f7c4
23ec2774f1cc168b1f32a2e0ed2709cb473bb94e (git) before d7b6fc224c7f5d6d8adcb18037138d3cfe2bbdfe
23ec2774f1cc168b1f32a2e0ed2709cb473bb94e (git) before d890234a91570542c228a20f132ce74f9fedd904
23ec2774f1cc168b1f32a2e0ed2709cb473bb94e (git) before dbdb442218cd9d613adeab31a88ac973f22c4873
4.19
Any version before 4.19
5.10.249 (semver)
5.15.199 (semver)
6.1.162 (semver)
6.6.122 (semver)
6.12.68 (semver)
6.18.8 (semver)
6.19 (original_commit_for_fix)
References
git.kernel.org/...c/4c83dd62595ee7b7c9298a4d19a256b6647e7240
git.kernel.org/...c/fdc8c835c637a3473878d1e7438c77ab8928af63
git.kernel.org/...c/919d176b05776c7ede79c36744c823a07d631617
git.kernel.org/...c/9795fe80976f8c31cafda7d44edfc0f532d1f7c4
git.kernel.org/...c/d7b6fc224c7f5d6d8adcb18037138d3cfe2bbdfe
git.kernel.org/...c/d890234a91570542c228a20f132ce74f9fedd904
git.kernel.org/...c/dbdb442218cd9d613adeab31a88ac973f22c4873