Re: [PATCH v3 1/2] rpmsg: glink: Fix use-after-free in qcom_glink_rpdev_release()

[Matthias Kaehlcke <mka@chromium.org>]

Hi Sujit,

On Tue, Nov 02, 2021 at 04:51:49PM -0700, Sujit Kautkar wrote:
> qcom_glink_rpdev_release() sets channel->rpdev to NULL. However, with
> debug enabled kernel, qcom_glink_rpdev_release() gets delayed due to
> delayed kobject release and channel gets released by that time and
> triggers below kernel warning. To avoid this use-after-free, clear ept
> pointers during ept destroy and channel release and add a new condition
> in qcom_glink_rpdev_release() to access channel
> 
> | BUG: KASAN: use-after-free in qcom_glink_rpdev_release+0x54/0x70
> | Write of size 8 at addr ffffffaba438e8d0 by task kworker/6:1/54
> |
> | CPU: 6 PID: 54 Comm: kworker/6:1 Not tainted 5.4.109-lockdep #16
> | Hardware name: Google Lazor (rev3+) with KB Backlight (DT)
> | Workqueue: events kobject_delayed_cleanup
> | Call trace:
> |  dump_backtrace+0x0/0x284
> |  show_stack+0x20/0x2c
> |  dump_stack+0xd4/0x170
> |  print_address_description+0x3c/0x4a8
> |  __kasan_report+0x144/0x168
> |  kasan_report+0x10/0x18
> |  __asan_report_store8_noabort+0x1c/0x24
> |  qcom_glink_rpdev_release+0x54/0x70
> |  device_release+0x68/0x14c
> |  kobject_delayed_cleanup+0x158/0x2cc
> |  process_one_work+0x7cc/0x10a4
> |  worker_thread+0x80c/0xcec
> |  kthread+0x2a8/0x314
> |  ret_from_fork+0x10/0x18
> 
> Signed-off-by: Sujit Kautkar <sujitka@chromium.org>
> ---
> Changes in v3:
> - Clear ept pointers and add extra conditions
> 
> Changes in v2:
> - Fix typo in commit message
> 
>  drivers/rpmsg/qcom_glink_native.c | 12 ++++++++++--
>  1 file changed, 10 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/rpmsg/qcom_glink_native.c b/drivers/rpmsg/qcom_glink_native.c
> index e1444fefdd1c0..0c64a6f7a4f09 100644
> --- a/drivers/rpmsg/qcom_glink_native.c
> +++ b/drivers/rpmsg/qcom_glink_native.c
> @@ -269,6 +269,9 @@ static void qcom_glink_channel_release(struct kref *ref)
>  	idr_destroy(&channel->riids);
>  	spin_unlock_irqrestore(&channel->intent_lock, flags);
>  
> +	if (channel->rpdev)
> +		channel->rpdev->ept = NULL;
> +
>  	kfree(channel->name);
>  	kfree(channel);
>  }
> @@ -1214,6 +1217,8 @@ static void qcom_glink_destroy_ept(struct rpmsg_endpoint *ept)
>  	channel->ept.cb = NULL;
>  	spin_unlock_irqrestore(&channel->recv_lock, flags);
>  
> +	channel->rpdev->ept = NULL;
> +
>  	/* Decouple the potential rpdev from the channel */
>  	channel->rpdev = NULL;
>  
> @@ -1371,9 +1376,12 @@ static const struct rpmsg_endpoint_ops glink_endpoint_ops = {
>  static void qcom_glink_rpdev_release(struct device *dev)
>  {
>  	struct rpmsg_device *rpdev = to_rpmsg_device(dev);
> -	struct glink_channel *channel = to_glink_channel(rpdev->ept);
> +	struct glink_channel *channel = NULL;

no need to initialize the pointer, it is assigned in the path that uses it.

>  
> -	channel->rpdev = NULL;
> +	if (rpdev->ept) {
> +		channel = to_glink_channel(rpdev->ept);
> +		channel->rpdev = NULL;
> +	}
>  	kfree(rpdev);
>  }

Looks like this is already fixed in -next by:

commit 343ba27b6f9d473ec3e602cc648300eb03a7fa05
Author: Chris Lew <clew@codeaurora.org>
Date:   Thu Jul 30 10:48:15 2020 +0530

    rpmsg: glink: Remove channel decouple from rpdev release

    If a channel is being rapidly restarting and the kobj release worker is
    busy, there is a chance the rpdev_release function will run after the
    channel struct itself has been released.

    There should not be a need to decouple the channel from rpdev in the
    rpdev release since that should only happen from the close commands.

    Signed-off-by: Chris Lew <clew@codeaurora.org>
    Signed-off-by: Deepak Kumar Singh <deesin@codeaurora.org>
    Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
    Link: https://lore.kernel.org/r/1596086296-28529-6-git-send-email-deesin@codeaurora.org