Linux Kernel WiFi RSI Driver Kthread Lifetime Race Vulnerability

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's WiFi RSI driver, specifically in the handling of kernel threads. This issue arises from a race condition between the self-exit and external-stop processes when terminating a kernel thread. Normally, the external-stop function is called first without any problems. However, in rare cases where the self-exit function is invoked first, followed by the external-stop, the kthread object is accessed after it has already been freed, leading to a use-after-free scenario.

Impact

Exploitation of this vulnerability causes a use-after-free condition, where a freed kthread object is accessed again, potentially leading to memory corruption or arbitrary code execution.

Reproduction

The vulnerability can be reproduced when the self-exit function 'kthread_complete_and_exit' runs before the external-stop function 'kthread_stop' during termination of a kernel thread. With that ordering, 'kthread_stop' accesses a kthread object that has already been freed.

Remediation

The vulnerability has been addressed by modifying the RSI driver's thread termination process. The external-stop function 'kthread_stop' has been removed, and the code now waits for the self-exit operation to complete before proceeding. Users should apply the latest patches available in the Linux kernel stable tree to mitigate this vulnerability.
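
The teardown pattern described above, modelled in userspace C with pthreads as an added example (not the RSI driver's code). The names struct worker, worker_fn and worker_teardown are hypothetical, the completion helpers imitate the kernel functions of the same name, and a detached pthread stands in for a kthread whose object may be released as soon as it exits.

```c
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdlib.h>

/* Userspace stand-in for the kernel's struct completion. */
struct completion { pthread_mutex_t lock; pthread_cond_t cond; int done; };
struct worker { struct completion exited; atomic_int stop_requested; };

static void complete(struct completion *c)
{
    pthread_mutex_lock(&c->lock);
    c->done = 1;
    pthread_cond_broadcast(&c->cond);
    pthread_mutex_unlock(&c->lock);
}

static void wait_for_completion(struct completion *c)
{
    pthread_mutex_lock(&c->lock);
    while (!c->done)
        pthread_cond_wait(&c->cond, &c->lock);
    pthread_mutex_unlock(&c->lock);
}

static void *worker_fn(void *arg)
{
    struct worker *w = arg;
    while (!atomic_load(&w->stop_requested))
        sched_yield();              /* stands in for the service loop */
    complete(&w->exited);           /* self-exit: last access to *w */
    return NULL;
}

/* Returns 1 once the self-exit was observed, 0 if setup failed. */
int worker_teardown(void)
{
    struct worker *w = calloc(1, sizeof(*w));
    pthread_t task;
    if (!w) return 0;
    pthread_mutex_init(&w->exited.lock, NULL);
    pthread_cond_init(&w->exited.cond, NULL);
    if (pthread_create(&task, NULL, worker_fn, w)) { free(w); return 0; }
    pthread_detach(task);           /* handle may be gone after exit */
    atomic_store(&w->stop_requested, 1);
    wait_for_completion(&w->exited);/* no external stop on 'task' */
    free(w);                        /* safe: thread is done with *w */
    return 1;
}
```

The teardown path never touches the thread handle after signalling the stop request, so the order in which the thread exits and the teardown runs no longer matters.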

Added: May 28, 2026, 12:02 PM
Updated: May 28, 2026, 12:02 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 0.6
exploitability: 3.9
remediation: 7.7
relevance: 9.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.