From: Sodagudi Prasad <psodagud@codeaurora.org>
To: ming.lei@canonical.com, gregkh@linuxfoundation.org
Cc: linux-kernel@vger.kernel.org
Subject: Free after use in fw_pm_notify()->kill_requests_without_uevent() due pending_fw_head
Date: Tue, 03 Jan 2017 06:44:03 -0800	[thread overview]
Message-ID: <51ff19ddfe540f7b1886e4b1025ac391@codeaurora.org> (raw)


Hi All,

The device crashed due to a memory access after free while the pending_fw_head
list was being accessed. The kernel 4.4 stable version is used to reproduce this use
after free.
------------------------------------------------------------------------------------------
[ 9031.178428] Unable to handle kernel paging request at virtual address 6b6b6b6b6b6b6b6b
[ 9031.178508] pgd = ffffffc0de9d2000
[ 9031.185888] [6b6b6b6b6b6b6b6b] *pgd=0000000000000000, *pud=0000000000000000
[ 9031.253045] ------------[ cut here ]------------
[ 9031.253100] Kernel BUG at ffffff800864c0a0 [verbose debug info unavailable]
[ 9031.256860] Internal error: Oops - BUG: 96000004 [#1] PREEMPT SMP
[ 9031.263539] Modules linked in:
[ 9031.272708] CPU: 6 PID: 1373 Comm: system_server Tainted: G        W  L  4.4.16+ #1
[ 9031.280648] task: ffffffc0d1a1d700 ti: ffffffc0d1a2c000 task.ti: ffffffc0d1a2c000
[ 9031.287776] PC is at fw_pm_notify+0x84/0x19c
[ 9031.295215] LR is at fw_pm_notify+0x60/0x19c
[ 9031.511559] [] fw_pm_notify+0x84/0x19c
[ 9031.519355] [] notifier_call_chain+0x58/0x8c
[ 9031.524739] [] __blocking_notifier_call_chain+0x54/0x70
[ 9031.530387] [] blocking_notifier_call_chain+0x38/0x44
[ 9031.537243] [] pm_notifier_call_chain+0x28/0x48
[ 9031.543662] [] pm_suspend+0x278/0x674
[ 9031.549906] [] state_store+0x58/0x90
[ 9031.554942] [] kobj_attr_store+0x18/0x28
[ 9031.560154] [] sysfs_kf_write+0x5c/0x68
[ 9031.565620] [] kernfs_fop_write+0x114/0x16c
[ 9031.571092] [] __vfs_write+0x48/0xf0
[ 9031.576816] [] vfs_write+0xb8/0x150
[ 9031.581848] [] SyS_write+0x58/0x94
[ 9031.586973] [] el0_svc_naked+0x24/0x28
-----------------------------------------------------------------------------------------------

A kernel panic is observed during the device suspend/resume path in
kill_requests_without_uevent(), called from fw_pm_notify().
When the pending_list of a firmware_buf is accessed, the 0x6b (free) pattern
is observed. Based on this, the firmware_buf is freed even though it is
still part of the pending_fw_head list.

{code snippet}
static void kill_requests_without_uevent(void)
{
	struct firmware_buf *buf;
	struct firmware_buf *next;

	mutex_lock(&fw_lock);
	list_for_each_entry_safe(buf, next, &pending_fw_head, pending_list) {
		if (!buf->need_uevent)
			__fw_load_abort(buf);
	}
	mutex_unlock(&fw_lock);
}
#endif
{code}

-Thanks, Prasad

-- 
The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum,
Linux Foundation Collaborative Project
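The report above reasons from the 0x6b fill (the slab free poison) seen in the oops to the conclusion that a firmware_buf was freed while still linked on pending_fw_head. The following is an added userland model of that ordering bug, written for this page and not the kernel's own code: it uses a small hand-rolled intrusive list and a fake allocator pool instead of list.h and kmalloc, a hypothetical `struct fw_buf` stand-in for firmware_buf, and a "free" that only poisons the object with 0x6b so the stale entry can be inspected without undefined behaviour. It contrasts a release that frees without unlinking (what the report describes) with one that does list_del() first, and counts how many poisoned entries a sweep of the list would touch.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hand-rolled intrusive list with the same shape as the kernel's list.h
 * (constructed for this example, not the kernel's implementation). */
struct list_head { struct list_head *next, *prev; };

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

static void list_init(struct list_head *h) { h->next = h->prev = h; }

static void list_add(struct list_head *n, struct list_head *h)
{
    n->next = h->next; n->prev = h; h->next->prev = n; h->next = n;
}

static void list_del(struct list_head *n)
{
    n->prev->next = n->next; n->next->prev = n->prev;
    n->next = n->prev = NULL;
}

/* Hypothetical stand-in for firmware_buf: only the fields the sweep uses. */
struct fw_buf {
    struct list_head pending_list;
    int need_uevent;
};

/* Static pool instead of kmalloc: "freed" slots stay mapped, so reading them
 * is defined behaviour here. model_free() poisons the object with 0x6b, the
 * same fill the oops in the report shows as a 6b6b6b6b6b6b6b6b pointer. */
#define POOL 4
static struct fw_buf pool[POOL];
static struct list_head pending_fw_head;

static void model_free(struct fw_buf *b)
{
    memset(b, 0x6b, sizeof(*b));
}

static int is_poisoned(const struct fw_buf *b)
{
    const unsigned char *p = (const unsigned char *)b;
    for (size_t i = 0; i < sizeof(*b); i++)
        if (p[i] != 0x6b)
            return 0;
    return 1;
}

/* Buggy release: the object is freed while still linked on pending_fw_head. */
static void release_buggy(struct fw_buf *b)
{
    model_free(b);
}

/* Fixed release: unlink from every list the object sits on, then free. */
static void release_fixed(struct fw_buf *b)
{
    list_del(&b->pending_list);
    model_free(b);
}

/* Walk pending_fw_head the way the sweep in the report would, and count
 * poisoned entries. The walk stops at the first one because its next
 * pointer is garbage, exactly the point where a real kernel would fault. */
static int sweep_count_stale(void)
{
    int stale = 0;
    for (struct list_head *p = pending_fw_head.next; p != &pending_fw_head; p = p->next) {
        struct fw_buf *b = container_of(p, struct fw_buf, pending_list);
        if (is_poisoned(b)) {
            stale++;
            break;
        }
    }
    return stale;
}

/* Build a list of four pending requests, release one of them on a side path,
 * then run the sweep. Returns the number of stale entries the sweep hit. */
static int scenario(int use_fixed_release)
{
    list_init(&pending_fw_head);
    for (int i = 0; i < POOL; i++) {
        memset(&pool[i], 0, sizeof(pool[i]));
        pool[i].need_uevent = i % 2;
        list_add(&pool[i].pending_list, &pending_fw_head);
    }
    if (use_fixed_release)
        release_fixed(&pool[1]);
    else
        release_buggy(&pool[1]);
    return sweep_count_stale();
}

int main(void)
{
    printf("buggy release: %d stale entry(s) reached by the sweep\n", scenario(0));
    printf("fixed release: %d stale entry(s) reached by the sweep\n", scenario(1));
    return 0;
}
```

The model keeps the kernel's invariant explicit: an object that can be reached from a global list must be unlinked, under the lock that protects that list, before its memory is released. The buggy path leaves the pool[1] entry reachable and the sweep lands on 0x6b-filled memory; the fixed path removes it first and the sweep only sees live entries.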

Thread overview: 5+ messages
2017-01-03 14:44 Sodagudi Prasad [this message]
2017-01-03 15:19 ` Free after use in fw_pm_notify()->kill_requests_without_uevent() due pending_fw_head Greg KH
2017-02-22  2:59   ` Sodagudi Prasad
2017-03-15  0:53     ` Luis R. Rodriguez
2017-04-01  0:53       ` Luis R. Rodriguez