FROMLIST: misc: fastrpc: fix UAF and kernel panic during cleanup on process abort#1032
Open
Jianping-Li wants to merge 1 commit into qualcomm-linux:tech/mm/fastrpc from
Conversation
FROMLIST: misc: fastrpc: fix UAF and kernel panic during cleanup on process abort

When a userspace FastRPC client is abruptly terminated, FastRPC cleanup paths can race with device and session teardown.

This results in kernel panics in different release paths:

- fastrpc_release() when using remote heap, originating from fastrpc_buf_free()
- fastrpc_device_release() when using system heap, originating from fastrpc_free_map()

In addition, fastrpc_map_put() may trigger refcount use-after-free due to concurrent cleanup without proper synchronization.

The root cause is that buffer and map cleanup paths may access map and buf resources after the associated device or session has already been released.

Fix this by:

- Introducing mutex protection for map and buf lifetime
- Serializing buffer and map cleanup against device teardown
- Skipping buffer and map operations when the device is already gone

These changes ensure cleanup paths are safe against unexpected process aborts and prevent use-after-free and kernel panic scenarios.

Link: https://lore.kernel.org/all/20260427105310.4056-1-jianping.li@oss.qualcomm.com/
Fixes: c68cfb7 ("misc: fastrpc: Add support for context Invoke method")
Cc: stable@kernel.org
Signed-off-by: Jianping Li <jianping.li@oss.qualcomm.com>
CRs-Fixed: 4456370
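As an added illustration of the locking pattern the commit message describes (this is not the fastrpc patch and not Qualcomm's code), a userland C model: a device holds a mutex and a "gone" flag, each map a refcount; the final put takes the device mutex, always releases host-side bookkeeping, but skips the device-side release once teardown has marked the device gone. All names (fdev, fmap, fdev_teardown, fmap_put, dev_frees) are hypothetical.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdlib.h>
struct fdev { /* hypothetical device, can be torn down during client cleanup */
	pthread_mutex_t lock; /* serializes map cleanup against teardown */
	bool gone;            /* set once the device has been released */
	int dev_frees;        /* device-side releases actually performed */
};

struct fmap { /* hypothetical refcounted mapping owned by a client session */
	struct fdev *dev;
	int refcount;
	bool host_freed;      /* host-side bookkeeping released */
};

struct fdev *fdev_new(void) {
	struct fdev *d = calloc(1, sizeof(*d));
	pthread_mutex_init(&d->lock, NULL);
	return d;
}

struct fmap *fmap_new(struct fdev *d) {
	struct fmap *m = calloc(1, sizeof(*m));
	m->dev = d;
	m->refcount = 1;
	return m;
}
/* Teardown flips the flag under the lock: a racing put either finishes
 * before this (device still valid) or observes gone afterwards. */
void fdev_teardown(struct fdev *d) {
	pthread_mutex_lock(&d->lock);
	d->gone = true;
	pthread_mutex_unlock(&d->lock);
}

/* Drop a reference. Returns 0 if still referenced, 1 if the device-side
 * release ran, -1 if it was skipped because the device is already gone. */
int fmap_put(struct fmap *m) {
	struct fdev *d = m->dev;
	int ret = 0;
	pthread_mutex_lock(&d->lock);
	if (--m->refcount == 0) {
		m->host_freed = true; /* never touches the device, always safe */
		if (d->gone) ret = -1; /* device gone: skip device-side release */
		else { d->dev_frees++; ret = 1; }
	}
	pthread_mutex_unlock(&d->lock);
	return ret;
}
```

Without the lock and flag, the second scenario in the test (teardown first, put afterwards) is exactly where the released device would be dereferenced.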