In the Linux kernel, the following vulnerability has been resolved:
coresight: prevent deactivate active config while enabling the config
While enable active config via cscfgcsdevenableactiveconfig(), active config could be deactivated via configfs' sysfs interface. This could make UAF issue in below scenario:
CPU0 CPU1 (sysfs enable) load module cscfgloadconfigsets() activate config. // sysfs (sysactivecnt == 1) ... cscfgcsdevenableactiveconfig() lock(csdev->cscfgcsdevlock) // here load config activate by CPU1 unlock(csdev->cscfgcsdev_lock)
deactivate config // sysfs
(sys_activec_cnt == 0)
cscfg_unload_config_sets()
unload module
// access to configdesc which freed // while unloading module. cscfgcsdevenableconfig
To address this, use cscfgconfigdesc's activecnt as a reference count which will be holded when - activate the config. - enable the activated config. and put the module reference when configactive_cnt == 0.