Linux Kernel Race Condition Vulnerability in Timer Management Functions

A race condition vulnerability has been identified in the Linux kernel's timer management functions, specifically within the timer_shutdown_sync() function. This vulnerability can lead to a NULL function pointer being accessed, causing a warning in the expire_timers() function. The issue arises when timer_shutdown_sync() clears the timer function while the timer is still active on another CPU, creating a scenario where a pending timer is left with a NULL function pointer. This vulnerability affects the Linux kernel stable tree.

Impact

Exploitation of this vulnerability can cause a race condition that leads to a NULL pointer dereference, triggering a warning in the expire_timers() function. Such a condition can disrupt normal timer operations and potentially lead to undefined behavior in the system.

Reproduction

The vulnerability can be reproduced by creating a timer that is set to expire while the timer_shutdown_sync() function is called on another CPU. This can be done by modifying a timer's function pointer to NULL while it is still running, causing the next expiration to hit a warning due to the NULL reference.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed. Instructions for downloading the patched version are available on the Linux kernel official website.