On Tue, Apr 16, 2024 at 11:00:25AM +0800, sicong wrote:
> greybus/interface.c: use-after-free bug in gb_interface_release due to
> race condition.
>
> In gb_interface_create, &intf->mode_switch_completion is bound with
> gb_interface_mode_switch_work. Then it will be started by
> gb_interface_request_mode_switch. Here is the code.
>
> 	if (!queue_work(system_long_wq, &intf->mode_switch_work)) {
> 		...
> 	}
>
> If we call gb_interface_release to do cleanup, there may be
> unfinished work. This function will call kfree to free the object
> "intf". However, if gb_interface_mode_switch_work is scheduled to
> run after kfree, it may cause a use-after-free error, as
> gb_interface_mode_switch_work will use the object "intf".
> The possible execution flow that may lead to the issue is as follows:
>
> 	CPU0                          CPU1
>
> 	                            | gb_interface_create
> 	                            | gb_interface_request_mode_switch
> 	gb_interface_release        |
> 	kfree(intf) (free)          |
> 	                            | gb_interface_mode_switch_work
> 	                            | mutex_lock(&intf->mutex) (use)
>
> This bug may be fixed by adding the following code before kfree.
>
> 	cancel_work_sync(&intf->mode_switch_work);

Wonderful, please submit a patch with this information and we will be
glad to review it.

thanks,

greg k-h
_______________________________________________
greybus-dev mailing list -- greybus-dev@xxxxxxxxxxxxxxxx
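The interleaving in the report, replayed as an added userspace model. This is not kernel code and not part of the thread: `sim_queue_work`, `sim_cancel_work_sync` and `sim_run_pending_work` are stand-ins for `queue_work`, `cancel_work_sync` and the worker thread, and `struct sim_interface` stands in for `struct gb_interface`. Instead of `kfree`, the release path sets a `released` flag so the handler can record the would-be use-after-free without touching freed memory; the ordering of the two release variants is the point.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model of a workqueue (not the kernel API): a work item carries a
 * callback, sim_queue_work() appends it to a pending list and
 * sim_run_pending_work() plays the worker thread (CPU1 in the report). */
struct sim_work {
	void (*func)(struct sim_work *work);
	int pending;
};

#define SIM_MAX_PENDING 8
static struct sim_work *sim_pending[SIM_MAX_PENDING];
static int sim_npending;

/* Mirrors queue_work(): returns 0 if the item was already queued. */
static int sim_queue_work(struct sim_work *work)
{
	if (work->pending || sim_npending == SIM_MAX_PENDING)
		return 0;
	work->pending = 1;
	sim_pending[sim_npending++] = work;
	return 1;
}

/* Mirrors cancel_work_sync(): drop a not-yet-run instance from the queue.
 * The real call additionally waits for an instance that is already running. */
static void sim_cancel_work_sync(struct sim_work *work)
{
	int i, kept = 0;

	for (i = 0; i < sim_npending; i++)
		if (sim_pending[i] != work)
			sim_pending[kept++] = sim_pending[i];
	sim_npending = kept;
	work->pending = 0;
}

/* The worker: run everything queued so far. */
static void sim_run_pending_work(void)
{
	struct sim_work *todo[SIM_MAX_PENDING];
	int i, n = sim_npending;

	memcpy(todo, sim_pending, n * sizeof(todo[0]));
	sim_npending = 0;
	for (i = 0; i < n; i++) {
		todo[i]->pending = 0;
		todo[i]->func(todo[i]);
	}
}

#define sim_container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

/* Stand-in for struct gb_interface; 'released' replaces kfree(). */
struct sim_interface {
	struct sim_work mode_switch_work;
	int released;
	int used_after_release;
};

/* Stand-in for gb_interface_mode_switch_work(), whose first use of intf in
 * the real driver is mutex_lock(&intf->mutex). */
static void sim_mode_switch_work(struct sim_work *work)
{
	struct sim_interface *intf =
		sim_container_of(work, struct sim_interface, mode_switch_work);

	if (intf->released)
		intf->used_after_release = 1;
}

/* Stand-in for gb_interface_release(); cancel_first selects the fixed order. */
static void sim_interface_release(struct sim_interface *intf, int cancel_first)
{
	if (cancel_first)
		sim_cancel_work_sync(&intf->mode_switch_work);
	intf->released = 1; /* kfree(intf) in the real driver */
}

/* Replay the reported interleaving: request the mode switch, release the
 * interface, then let the worker run. Returns 1 if the handler ran against a
 * released interface, 0 if the cancel kept it from running. */
int sim_race(int cancel_first)
{
	struct sim_interface intf;

	memset(&intf, 0, sizeof(intf));
	sim_npending = 0;
	intf.mode_switch_work.func = sim_mode_switch_work;

	sim_queue_work(&intf.mode_switch_work);     /* gb_interface_request_mode_switch */
	sim_interface_release(&intf, cancel_first); /* gb_interface_release */
	sim_run_pending_work();                     /* worker thread picks up the item */

	return intf.used_after_release;
}
```

`sim_race(0)` reproduces the report (the handler runs on a released object), `sim_race(1)` shows the proposed fix (the cancelled item never runs). The model only removes a queued item; the real `cancel_work_sync` also blocks until an already-running handler returns, which is why it, rather than `cancel_work`, is the right call before `kfree`.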