In the Linux kernel, the following vulnerability has been resolved:
tee: amdtee: fix use-after-free vulnerability in amdteeclosesession
There is a potential race condition in amdteeclosesession that may cause use-after-free in amdteeopensession. For instance, if a session has refcount == 1, and one thread tries to free this session via:
kref_put(&sess->refcount, destroy_session);
the reference count will get decremented, and the next step would be to call destroysession(). However, if in another thread, amdteeopensession() is called before destroysession() has completed execution, allocsession() may return 'sess' that will be freed up later in destroysession() leading to use-after-free in amdteeopensession.
To fix this issue, treat decrement of sess->refcount and removal of 'sess' from session list in destroy_session() as a critical section, so that it is executed atomically.