Wind River Support Network

Description

In the Linux kernel, the following vulnerability has been resolved:  net: qrtr: Fix a refcount bug in qrtr_recvmsg()  Syzbot reported a bug as following:  refcount_t: addition on 0; use-after-free. ... RIP: 0010:refcount_warn_saturate+0x17c/0x1f0 lib/refcount.c:25 ... Call Trace:  <TASK>  __refcount_add include/linux/refcount.h:199 [inline]  __refcount_inc include/linux/refcount.h:250 [inline]  refcount_inc include/linux/refcount.h:267 [inline]  kref_get include/linux/kref.h:45 [inline]  qrtr_node_acquire net/qrtr/af_qrtr.c:202 [inline]  qrtr_node_lookup net/qrtr/af_qrtr.c:398 [inline]  qrtr_send_resume_tx net/qrtr/af_qrtr.c:1003 [inline]  qrtr_recvmsg+0x85f/0x990 net/qrtr/af_qrtr.c:1070  sock_recvmsg_nosec net/socket.c:1017 [inline]  sock_recvmsg+0xe2/0x160 net/socket.c:1038  qrtr_ns_worker+0x170/0x1700 net/qrtr/ns.c:688  process_one_work+0x991/0x15c0 kernel/workqueue.c:2390  worker_thread+0x669/0x1090 kernel/workqueue.c:2537  It occurs in the concurrent scenario of qrtr_recvmsg() and qrtr_endpoint_unregister() as following:  \tcpu0\t\t\t\t\tcpu1 qrtr_recvmsg\t\t\t\tqrtr_endpoint_unregister qrtr_send_resume_tx\t\t\tqrtr_node_release qrtr_node_lookup\t\t\tmutex_lock(&qrtr_node_lock) spin_lock_irqsave(&qrtr_nodes_lock, )\trefcount_dec_and_test(&node->ref) [node->ref == 0] radix_tree_lookup [node != NULL]\t__qrtr_node_release qrtr_node_acquire\t\t\tspin_lock_irqsave(&qrtr_nodes_lock, ) kref_get(&node->ref) [WARNING]\t\t... \t\t\t\t\tmutex_unlock(&qrtr_node_lock)  Use qrtr_node_lock to protect qrtr_node_lookup() implementation, this is actually improving the protection of node reference.