Re: [PATCH] interconnect: Fix use after free in icc_get() and of_icc_get_by_index()

[Kuan-Wei Chiu <visitorckw@gmail.com>]

Hi Georgi,

On Thu, Apr 16, 2026 at 07:08:40PM +0000, Kuan-Wei Chiu wrote:
> In of_icc_get_by_index() and icc_get(), if the dynamic allocation for
> path->name fails via kasprintf(), the error handling path directly
> calls kfree(path) to free the path object and returns an error.
> 
> However, prior to this point, path_find() calls path_init(), which
> already links the path's requests into the req_list of the respective
> interconnect nodes via hlist_add_head(). Directly invoking kfree(path)
> leaves dangling pointers in the hlist. A subsequent call to icc_get()
> or icc_set_bw() will traverse or modify these corrupted lists, triggering
> a slab use afterfree.
> 
> KASAN report showing the vulnerability when reproducing via debugfs:
> 
>   BUG: KASAN: slab-use-after-free in path_find+0x6f8/0xcfc
>   Write of size 8 at addr fff000000d43f748 by task sh/1
>   ...
>   Call trace:
>    kasan_report+0xac/0xfc
>    path_find+0x6f8/0xcfc
>    icc_get+0x148/0x380
>    icc_get_set+0xf8/0x2d0
>   ...
>   Freed by task 1:
>    kfree+0x1a0/0x4a4
>    icc_get+0x2cc/0x380
>    icc_get_set+0xf8/0x2d0
> 
> Fix this by replacing kfree(path) with the proper teardown function,
> icc_put(path), which safely removes the requests from the req_list using
> hlist_del() and drops the provider usage references before freeing the
> memory.
> 
> Additionally, in icc_get(), ensure that the icc_lock mutex is released
> prior to calling icc_put(path) to avoid a deadlock, as icc_put()
> internally acquires the same lock.
> 
> Fixes: 3791163602f7 ("interconnect: Handle memory allocation errors")
> Cc: stable@vger.kernel.org
> Signed-off-by: Kuan-Wei Chiu <visitorckw@gmail.com>

I haven't seen this patch show up in linux-next yet.
Since the merge window is approaching, I was wondering if you had any
comments on this?

Regards,
Kuan-Wei

> ---
> I discovered this bug while reviewing Krzysztof's patch [1]. 
> To verify my hypothesis, I injected an artificial kasprintf() failure
> into  the source code and wrote a minimal dummy icc provider module.
> This allowed  me to successfully trigger the use after free via the
> debugfs client and catch it with KASAN, confirming the issue.
> 
> [1]: https://lore.kernel.org/lkml/20260416130912.375013-2-krzysztof.kozlowski@oss.qualcomm.com/
> 
>  drivers/interconnect/core.c | 7 ++++---
>  1 file changed, 4 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/interconnect/core.c b/drivers/interconnect/core.c
> index 8569b78a1851..e14280ced381 100644
> --- a/drivers/interconnect/core.c
> +++ b/drivers/interconnect/core.c
> @@ -528,7 +528,7 @@ struct icc_path *of_icc_get_by_index(struct device *dev, int idx)
>  	path->name = kasprintf(GFP_KERNEL, "%s-%s",
>  			       src_data->node->name, dst_data->node->name);
>  	if (!path->name) {
> -		kfree(path);
> +		icc_put(path);
>  		path = ERR_PTR(-ENOMEM);
>  	}
>  
> @@ -626,8 +626,9 @@ struct icc_path *icc_get(struct device *dev, const char *src, const char *dst)
>  
>  	path->name = kasprintf(GFP_KERNEL, "%s-%s", src_node->name, dst_node->name);
>  	if (!path->name) {
> -		kfree(path);
> -		path = ERR_PTR(-ENOMEM);
> +		mutex_unlock(&icc_lock);
> +		icc_put(path);
> +		return ERR_PTR(-ENOMEM);
>  	}
>  out:
>  	mutex_unlock(&icc_lock);
> -- 
> 2.54.0.rc1.555.g9c883467ad-goog
>