Linux Kernel PCI/DOE Race Condition Vulnerability in Work Management

Vulnerability

A race condition has been identified in the Linux kernel's PCI Data Object Exchange (DOE) implementation. In kernels without the fix, the DOE work handler calls destroy_work_on_stack() after it has signaled completion of the task. The work structure is embedded in the DOE task, which the caller keeps on its stack while it waits for that completion, so once the completion is signaled the caller can wake, return and have its stack frame reclaimed before destroy_work_on_stack() runs. The work structure therefore goes out of scope before it is properly destroyed, and the late call touches stack memory that no longer belongs to the work item. The bug was found through the kernel's debug objects facility, which reported that an active work structure had been freed while still in use and emitted a warning about the improper handling of the work item.

Impact

The defect is a use of stack memory after the frame that owned it has been released: the DOE work handler can run destroy_work_on_stack() on a work structure whose owning caller has already returned. With CONFIG_DEBUG_OBJECTS enabled this surfaces as a debug objects warning; without it, the stray access can corrupt whatever the reclaimed stack space is reused for and leave the PCI DOE state machine improperly synchronized with its caller. It is a correctness bug in the kernel's own DOE completion path, not a flaw in the DOE protocol itself.

Reproduction

The race can be observed by building the kernel with CONFIG_DEBUG_OBJECTS (and its work-queue coverage, CONFIG_DEBUG_OBJECTS_WORK), which tracks the lifetime of objects such as on-stack work items and adds checks on their state transitions. With those options active and the DOE path exercised, the bug shows up as a debug objects warning that a work structure was freed while still active, which is the conflict between the work item's completion and its destruction. Because the bug is a timing race between the worker and the waiting caller, the warning is not guaranteed on every DOE exchange.
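The following is an added example, not code from the kernel or from this advisory. It is a single-threaded model of the ordering bug described in the Vulnerability and Reproduction sections: struct doe_task stands in for the kernel's pci_doe_task with its embedded on-stack work item, and a small tracker named after the debugobjects helpers plays the role of CONFIG_DEBUG_OBJECTS, counting an active object being freed and an operation on an object it no longer tracks. The worst-case interleaving (the waiter wakes and returns immediately after the signal) is collapsed into one thread so the result is deterministic; all function and type names below are assumptions of this model.

```c
/* Added example: model of the DOE completion-ordering bug. Not kernel code. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum obj_state { OBJ_FREE = 0, OBJ_ACTIVE, OBJ_DESTROYED };

struct work_struct { int pending; };   /* stand-in for the kernel's work_struct */
struct doe_task {                      /* stand-in for struct pci_doe_task */
    struct work_struct work;           /* on-stack work item */
    int complete;                      /* stand-in for the completion */
};

/* Toy debugobjects: tracks objects by address, as the real facility does. */
#define MAX_TRACKED 8
static struct { const void *addr; enum obj_state state; } tracked[MAX_TRACKED];
static int warn_free_active;   /* "free active": object freed while still active */
static int warn_untracked;     /* operation on an object that is no longer tracked */

static int find_slot(const void *addr)
{
    for (int i = 0; i < MAX_TRACKED; i++)
        if (tracked[i].addr == addr)
            return i;
    return -1;
}

static void dbg_reset(void)
{
    memset(tracked, 0, sizeof tracked);
    warn_free_active = warn_untracked = 0;
}

static void debug_object_init_on_stack(const void *addr)
{
    int i = find_slot(NULL);           /* first empty slot */
    if (i < 0)
        return;
    tracked[i].addr = addr;
    tracked[i].state = OBJ_ACTIVE;
}

static void debug_object_destroy(const void *addr)
{
    int i = find_slot(addr);
    if (i < 0) { warn_untracked++; return; }   /* destroy on memory we no longer track */
    tracked[i].state = OBJ_DESTROYED;
}

static void debug_check_no_obj_freed(const void *addr)
{
    int i = find_slot(addr);
    if (i < 0)
        return;
    if (tracked[i].state == OBJ_ACTIVE)
        warn_free_active++;            /* the "free active" warning the advisory describes */
    tracked[i].addr = NULL;
    tracked[i].state = OBJ_FREE;
}

static void init_work_onstack(struct work_struct *w) { w->pending = 0; debug_object_init_on_stack(w); }
static void destroy_work_on_stack(struct work_struct *w) { debug_object_destroy(w); }

/* The waiter's frame goes away: its on-stack objects are "freed" and the space reused. */
static void caller_frame_exit(struct doe_task *t)
{
    if (!t->complete)
        return;                        /* wait_for_completion() would still block */
    debug_check_no_obj_freed(&t->work);
    memset(t, 0xAA, sizeof *t);        /* stack space reused by something else */
}

/* Vulnerable ordering: signal completion first, destroy the work item afterwards. */
static void signal_task_complete_vulnerable(struct doe_task *t)
{
    t->complete = 1;
    caller_frame_exit(t);              /* losing interleaving: waiter returns right now */
    destroy_work_on_stack(&t->work);   /* touches a work item whose frame is already gone */
}

/* Fixed ordering: destroy the work item while it is still in scope, then signal. */
static void signal_task_complete_fixed(struct doe_task *t)
{
    destroy_work_on_stack(&t->work);
    t->complete = 1;
    caller_frame_exit(t);
}

/* Run one scenario with the task on this frame's stack; return the warning count. */
static int run_scenario(void (*complete_fn)(struct doe_task *))
{
    struct doe_task task;
    dbg_reset();
    task.complete = 0;
    init_work_onstack(&task.work);
    complete_fn(&task);
    return warn_free_active + warn_untracked;
}

int doe_race_vulnerable_warnings(void) { return run_scenario(signal_task_complete_vulnerable); }
int doe_race_fixed_warnings(void)      { return run_scenario(signal_task_complete_fixed); }

int main(void)
{
    printf("vulnerable ordering: %d debugobjects warning(s)\n", doe_race_vulnerable_warnings());
    printf("fixed ordering:      %d debugobjects warning(s)\n", doe_race_fixed_warnings());
    return 0;
}
```

The vulnerable ordering produces two warnings in this model (the active work item is freed with the caller's frame, and the later destroy hits memory the tracker no longer knows), while moving destroy_work_on_stack() ahead of the completion signal produces none. The point of the model is the order of operations, not the exact text of the kernel's splat, which depends on how the real debugobjects facility observes the stack.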

Remediation

Apply the fix from the Linux kernel stable tree, which reorders the DOE completion path so that destroy_work_on_stack() runs before completion is signaled, while the work structure is still in scope. Patched kernel versions are available from the Linux kernel repository. Note that enabling CONFIG_DEBUG_OBJECTS only makes the race visible; it does not prevent it.

Added: Dec 30, 2025, 3:19 PM
Updated: Dec 30, 2025, 3:19 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.3
remediation: 7.7
relevance: 1.6
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.