Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A use-after-free vulnerability has been identified in the Linux kernel's Coresight component, specifically in how it manages device connections. Coresight devices maintain references to their connections via the fwnode. When a device is removed, the kernel attempts to drop these references. However, the removal path does not clear the connection's fwnode field, so the connection still points to the fwnode of the removed device. This can cause a reference count error: the kernel later attempts to drop a reference that no longer exists, which is a use-after-free condition and can result in memory corruption.
Exploitation of this vulnerability causes a use-after-free condition, leading to memory corruption and potential arbitrary code execution.
The vulnerability can be reproduced by creating two Coresight devices with a connection from the first device to the second. When the second device is removed, the first device correctly drops its reference. However, when the first device is subsequently removed, it still has a connection to the second device's fwnode, which has already been freed. This mismatch causes the reference count to become corrupted, triggering a warning about a reference count error and indicating a use-after-free condition.
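The removal sequence above, as a user-space model added here for illustration (it is not kernel code and not the upstream fix). All struct and function names are hypothetical, and the node is kept alive after its count reaches zero so the extra put can be counted safely instead of touching freed memory.

```c
#include <stdio.h>

/* User-space model of the reference counting described above.
 * All names are hypothetical; this is not kernel code. */
struct fwnode { int refs; int bad_puts; };
struct conn   { struct fwnode *child; };   /* output connection of a device */

static void node_get(struct fwnode *n) { n->refs++; }

static void node_put(struct fwnode *n)
{
    if (n->refs > 0)
        n->refs--;
    else
        n->bad_puts++;   /* node already released: the kernel would warn here */
}

/* Target device is going away: a peer drops the reference it holds on it. */
static void remove_match(struct conn *c, struct fwnode *target, int clear)
{
    if (c->child != target)
        return;
    node_put(target);
    if (clear)
        c->child = NULL; /* the step the vulnerable path omits */
}

/* Device is going away: drop references held by its own connections. */
static void release_conns(struct conn *c)
{
    if (c->child) {
        node_put(c->child);
        c->child = NULL;
    }
}

/* Returns the number of puts issued against an already released node. */
static int simulate(int clear)
{
    struct fwnode second = { .refs = 1, .bad_puts = 0 }; /* owner's reference */
    struct conn first_out = { .child = &second };
    node_get(&second);                        /* connection first -> second */
    remove_match(&first_out, &second, clear); /* second device is removed... */
    node_put(&second);                        /* ...and its count reaches 0 */
    release_conns(&first_out);                /* first device is removed */
    return second.bad_puts;
}

int main(void)
{
    printf("stale: %d bad put(s), cleared: %d\n", simulate(0), simulate(1));
    return 0;
}
```

With the pointer left in place the model records one put against a released node; clearing it when the reference is dropped records none.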