Commit f5f3138
FROMLIST: misc: fastrpc: fix UAF and kernel panic during cleanup on process abort

When a userspace FastRPC client is abruptly terminated, FastRPC
cleanup paths can race with device and session teardown.

This results in kernel panics in different release paths:
- fastrpc_release() when using remote heap, originating from
  fastrpc_buf_free()
- fastrpc_device_release() when using system heap, originating from
  fastrpc_free_map()

In addition, fastrpc_map_put() may trigger refcount use-after-free
due to concurrent cleanup without proper synchronization.

The root cause is that buffer and map cleanup paths may access map
and buf resources after the associated device or session has
already been released.

Fix this by:
- Introducing mutex protection for map and buf lifetime
- Serializing buffer and map cleanup against device teardown
- Skipping buffer and map operations when the device is already gone

These changes ensure cleanup paths are safe against unexpected
process aborts and prevent use-after-free and kernel panic scenarios.

Link: https://lore.kernel.org/all/20260427105310.4056-1-jianping.li@oss.qualcomm.com/
Fixes: c68cfb7 ("misc: fastrpc: Add support for context Invoke method")
Cc: stable@kernel.org
Signed-off-by: Jianping Li <jianping.li@oss.qualcomm.com>

1 parent e0ba718 commit f5f3138
1 file changed
Lines changed: 53 additions & 5 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
271 | 271 | | |
272 | 272 | | |
273 | 273 | | |
| 274 | + | |
| 275 | + | |
274 | 276 | | |
275 | 277 | | |
276 | 278 | | |
| |||
355 | 357 | | |
356 | 358 | | |
357 | 359 | | |
| 360 | + | |
358 | 361 | | |
359 | 362 | | |
360 | 363 | | |
| 364 | + | |
| 365 | + | |
| 366 | + | |
| 367 | + | |
361 | 368 | | |
362 | 369 | | |
363 | 370 | | |
| |||
376 | 383 | | |
377 | 384 | | |
378 | 385 | | |
| 386 | + | |
| 387 | + | |
| 388 | + | |
| 389 | + | |
| 390 | + | |
379 | 391 | | |
380 | 392 | | |
381 | 393 | | |
382 | 394 | | |
| 395 | + | |
383 | 396 | | |
384 | 397 | | |
385 | 398 | | |
| |||
439 | 452 | | |
440 | 453 | | |
441 | 454 | | |
442 | | - | |
443 | | - | |
444 | | - | |
| 455 | + | |
| 456 | + | |
| 457 | + | |
| 458 | + | |
| 459 | + | |
| 460 | + | |
| 461 | + | |
| 462 | + | |
| 463 | + | |
| 464 | + | |
| 465 | + | |
| 466 | + | |
445 | 467 | | |
446 | 468 | | |
447 | 469 | | |
| |||
464 | 486 | | |
465 | 487 | | |
466 | 488 | | |
467 | | - | |
468 | | - | |
| 489 | + | |
| 490 | + | |
| 491 | + | |
| 492 | + | |
| 493 | + | |
469 | 494 | | |
470 | 495 | | |
471 | 496 | | |
| |||
508 | 533 | | |
509 | 534 | | |
510 | 535 | | |
| 536 | + | |
| 537 | + | |
| 538 | + | |
| 539 | + | |
511 | 540 | | |
512 | 541 | | |
513 | 542 | | |
| |||
850 | 879 | | |
851 | 880 | | |
852 | 881 | | |
| 882 | + | |
| 883 | + | |
| 884 | + | |
| 885 | + | |
| 886 | + | |
| 887 | + | |
| 888 | + | |
853 | 889 | | |
854 | 890 | | |
855 | 891 | | |
856 | 892 | | |
| 893 | + | |
857 | 894 | | |
858 | 895 | | |
859 | 896 | | |
860 | 897 | | |
861 | 898 | | |
862 | 899 | | |
| 900 | + | |
863 | 901 | | |
864 | 902 | | |
865 | 903 | | |
| 904 | + | |
866 | 905 | | |
867 | 906 | | |
868 | 907 | | |
| |||
2350 | 2389 | | |
2351 | 2390 | | |
2352 | 2391 | | |
| 2392 | + | |
| 2393 | + | |
2353 | 2394 | | |
2354 | 2395 | | |
2355 | 2396 | | |
| |||
2366 | 2407 | | |
2367 | 2408 | | |
2368 | 2409 | | |
| 2410 | + | |
| 2411 | + | |
2369 | 2412 | | |
2370 | 2413 | | |
2371 | 2414 | | |
| |||
2388 | 2431 | | |
2389 | 2432 | | |
2390 | 2433 | | |
| 2434 | + | |
| 2435 | + | |
| 2436 | + | |
| 2437 | + | |
| 2438 | + | |
2391 | 2439 | | |
2392 | 2440 | | |
2393 | 2441 | | |
| |||
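The three points of the fix listed in the commit message (lock-protected lifetime, cleanup serialized against teardown, device operations skipped once the device is gone), modelled in userspace C as an added example. This is not the driver's code: `session`, `buf`, `session_teardown`, `buf_free` and `race_cleanup` are hypothetical names, and the model assumes the object holding the lock outlives both paths.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdlib.h>
#define NBUF 1000

/* Userspace model with hypothetical names; not the fastrpc driver's code. */
struct session {
    pthread_mutex_t lock;  /* serializes cleanup against teardown */
    int *dev;              /* device state; NULL once teardown has run */
};
struct buf { struct session *s; void *mem; };

/* Teardown path: release the device and mark it gone under the lock. */
void session_teardown(struct session *s)
{
    pthread_mutex_lock(&s->lock);
    free(s->dev);
    s->dev = NULL;
    pthread_mutex_unlock(&s->lock);
}

/* Cleanup path: returns true if the device-side unmap ran, false if skipped. */
bool buf_free(struct buf *b)
{
    bool unmapped = false;
    pthread_mutex_lock(&b->s->lock);
    if (b->s->dev) {        /* device still present: safe to touch it */
        (*b->s->dev)++;     /* stands in for the device-side unmap */
        unmapped = true;
    }
    pthread_mutex_unlock(&b->s->lock);
    free(b->mem);           /* host memory is released either way */
    b->mem = NULL;
    return unmapped;
}

static void *teardown_thread(void *arg) { session_teardown(arg); return NULL; }
/* Race NBUF buffer frees against one teardown; returns how many were skipped. */
int race_cleanup(void)
{
    struct session s = { PTHREAD_MUTEX_INITIALIZER, calloc(1, sizeof(int)) };
    struct buf bufs[NBUF];
    pthread_t t;
    int skipped = 0;
    for (int i = 0; i < NBUF; i++) { bufs[i].s = &s; bufs[i].mem = malloc(64); }
    bool started = pthread_create(&t, NULL, teardown_thread, &s) == 0;
    for (int i = 0; i < NBUF; i++) skipped += !buf_free(&bufs[i]);
    if (started) pthread_join(t, NULL); else session_teardown(&s);
    return skipped;  /* anywhere in 0..NBUF depending on timing */
}
```

Removing the `if (b->s->dev)` check or the lock in `buf_free` reproduces the class of bug the commit message describes, which a build with `-fsanitize=address` or `-fsanitize=thread` reports.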