Linux Kernel QRTR Refcount Bug in `qrtr_recvmsg()` Function

Vulnerability

A use-after-free vulnerability caused by a reference count error in the `qrtr_recvmsg()` function of the Linux kernel's QRTR (Qualcomm Remote Procedure Call) implementation has been fixed. The bug was reported by Syzbot and arises when `qrtr_recvmsg()` and `qrtr_endpoint_unregister()` run concurrently: one path decrements a node's reference count to zero and frees it while the other path still accesses the same node, producing a use-after-free.

Impact

A successful race frees the node while it is still in use; the resulting use-after-free could lead to memory corruption in the kernel or, potentially, arbitrary code execution.

Reproduction

The vulnerability can be reproduced by racing `qrtr_recvmsg()` against `qrtr_endpoint_unregister()`: a message is received via `qrtr_recvmsg()` while the endpoint is unregistered at the same time, so the node's reference count is mismanaged.
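To make the interleaving concrete, below is an added userspace model of the pattern behind this bug class: a refcounted node reachable from a lookup table, with a receive-side lookup racing an unregister that drops the last reference. This is hypothetical example code, not the kernel's qrtr code and not necessarily the shape of the upstream fix; the names `lookup_buggy`, `lookup_fixed`, `unregister_drop`, `unregister_free` and the drop-before-unlink ordering are assumptions chosen to replay the window deterministically.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical userspace model of a refcounted node in a lookup table; this is
 * not the kernel's qrtr code, just the pattern behind the race it describes. */
struct node { int id; int refcount; bool freed; };
static struct node *table[4];
static pthread_mutex_t table_lock = PTHREAD_MUTEX_INITIALIZER;

/* Buggy lookup (kref_get() semantics): bumps the count even if it is already 0,
 * so a node that unregister has just released is handed back to the receiver. */
static struct node *lookup_buggy(int id) {
    pthread_mutex_lock(&table_lock);
    struct node *n = table[id];
    if (n) n->refcount++;
    pthread_mutex_unlock(&table_lock);
    return n;
}
/* Buggy unregister, split in two to replay the interleaving: the count reaches
 * zero first and only later is the node unlinked and freed (assumed ordering). */
static bool unregister_drop(struct node *n) { return --n->refcount == 0; }
static void unregister_free(struct node *n) {
    pthread_mutex_lock(&table_lock); table[n->id] = NULL; pthread_mutex_unlock(&table_lock);
    n->freed = true;                  /* stands in for kfree() */
}

/* Fixed lookup (kref_get_unless_zero() semantics): a node whose count already
 * hit zero is treated as gone, closing the window the buggy version leaves. */
static struct node *lookup_fixed(int id) {
    pthread_mutex_lock(&table_lock);
    struct node *n = table[id];
    if (n && n->refcount > 0) n->refcount++; else n = NULL;
    pthread_mutex_unlock(&table_lock);
    return n;
}

/* Replays: unregister drops to zero, receiver looks up, unregister frees.
 * Returns true when the receiver is left holding a freed node. */
static bool replay(struct node *(*lookup)(int)) {
    struct node n = { .id = 1, .refcount = 1, .freed = false };
    table[1] = &n;
    bool last = unregister_drop(&n);  /* 1 -> 0: node is now dying */
    struct node *got = lookup(1);     /* buggy: resurrects it; fixed: NULL */
    if (last) unregister_free(&n);
    return got != NULL && got->freed; /* buggy: true (UAF), fixed: false */
}
static bool race_buggy(void) { return replay(lookup_buggy); }
static bool race_fixed(void) { return replay(lookup_fixed); }
```

The same check is what a reviewer looks for in any lookup-table-plus-refcount code: a lookup that takes a reference must refuse objects whose count is already zero, or the drop to zero and the unlink must happen under the lock the lookup holds.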

Remediation

Users can upgrade to a Linux kernel release that includes the fix for this vulnerability.

Added: Sep 18, 2025, 4:36 PM
Updated: Sep 18, 2025, 4:36 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.3
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.