In the Linux kernel, the following vulnerability has been resolved:
fscache: delete fscache_cookie_lru_timer when fscache exits to avoid UAF
The fscache_cookie_lru_timer is initialized when the fscache module is inserted, but is not deleted when the fscache module is removed. If timer_reduce() is called before removing the fscache module, the fscache_cookie_lru_timer will be added to the timer list of the current CPU. Afterwards, a use-after-free will be triggered in the softirq after removing the fscache module, as follows:
==================================================================
BUG: unable to handle page fault for address: fffffbfff803c9e9
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 21ffea067 P4D 21ffea067 PUD 21ffe6067 PMD 110a7c067 PTE 0
Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Tainted: G W 6.11.0-rc3 #855
Tainted: [W]=WARN
RIP: 0010:run_timer_base.part.0+0x254/0x8a0
Call Trace:
 <IRQ>
 tmigr_handle_remote_up+0x627/0x810
 __walk_groups.isra.0+0x47/0x140
 tmigr_handle_remote+0x1fa/0x2f0
 handle_softirqs+0x180/0x590
 irq_exit_rcu+0x84/0xb0
 sysvec_apic_timer_interrupt+0x6e/0x90
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0010:default_idle+0xf/0x20
 default_idle_call+0x38/0x60
 do_idle+0x2b5/0x300
 cpu_startup_entry+0x54/0x60
 start_secondary+0x20d/0x280
 common_startup_64+0x13e/0x148
 </TASK>
Therefore delete fscache_cookie_lru_timer when removing the fscache module.
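The failure mode above, as an added user-space model that is not kernel or fscache code: a module owns a timer, the model's timer_reduce() queues it on a per-CPU pending list, and the softirq later walks that list. The names model_timer, fscache_module and the model_* functions are invented for this model; the model's delete stands in for the kernel's timer_delete_sync(), which the exit path must call before the module's memory goes away.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

struct model_timer {
    struct model_timer *next;     /* link in the per-CPU pending list */
    unsigned long expires;        /* the callback itself is omitted from the model */
};

/* Stand-in for the fscache module's memory, which holds the LRU timer. */
struct fscache_module {
    struct model_timer cookie_lru_timer;
};

static struct model_timer *cpu_timer_base;   /* this CPU's pending-timer list */

/* Model of timer_reduce(): arm the timer, or pull an already armed one earlier. */
static void model_timer_reduce(struct model_timer *t, unsigned long expires)
{
    for (struct model_timer *p = cpu_timer_base; p; p = p->next)
        if (p == t) { if (expires < t->expires) t->expires = expires; return; }
    t->expires = expires;
    t->next = cpu_timer_base;
    cpu_timer_base = t;
}

/* Model of timer_delete_sync(): unlink the timer so the softirq can no longer run it. */
static bool model_timer_delete_sync(struct model_timer *t)
{
    for (struct model_timer **pp = &cpu_timer_base; *pp; pp = &(*pp)->next)
        if (*pp == t) { *pp = t->next; return true; }
    return false;
}

/* Arms the timer, unloads the module, then reports whether the per-CPU list
 * still points into the freed module (the memory the softirq would touch). */
static bool unload_leaves_dangling_timer(bool delete_timer_on_exit)
{
    struct fscache_module *mod = calloc(1, sizeof *mod);
    cpu_timer_base = NULL;
    model_timer_reduce(&mod->cookie_lru_timer, 100);     /* armed before unload */
    uintptr_t armed = (uintptr_t)&mod->cookie_lru_timer;
    if (delete_timer_on_exit)                             /* the fix, in module exit */
        model_timer_delete_sync(&mod->cookie_lru_timer);
    free(mod);                                            /* module memory is gone */
    bool dangling = (uintptr_t)cpu_timer_base == armed;   /* compared, never dereferenced */
    cpu_timer_base = NULL;                                /* a real softirq would run it */
    return dangling;
}
```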