Patch "rpmsg: glink: Fix use after free in open_ack TIMEOUT case" has been added to the 4.14-stable tree

<gregkh@xxxxxxxxxxxxxxxxxxx> · Thu, 19 Dec 2019 12:36:51 +0100

This is a note to let you know that I've just added the patch titled

    rpmsg: glink: Fix use after free in open_ack TIMEOUT case

to the 4.14-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     rpmsg-glink-fix-use-after-free-in-open_ack-timeout-case.patch
and it can be found in the queue-4.14 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From ac74ea01860170699fb3b6ea80c0476774c8e94f Mon Sep 17 00:00:00 2001
From: Arun Kumar Neelakantam <aneela@xxxxxxxxxxxxxx>
Date: Fri, 4 Oct 2019 15:26:58 -0700
Subject: rpmsg: glink: Fix use after free in open_ack TIMEOUT case

From: Arun Kumar Neelakantam <aneela@xxxxxxxxxxxxxx>

commit ac74ea01860170699fb3b6ea80c0476774c8e94f upstream.

Extra channel reference put when remote sending OPEN_ACK after timeout
causes use-after-free while handling next remote CLOSE command.

Remove extra reference put in timeout case to avoid use-after-free.

Fixes: b4f8e52b89f6 ("rpmsg: Introduce Qualcomm RPM glink driver")
Cc: stable@xxxxxxxxxxxxxxx
Tested-by: Srinivas Kandagatla <srinivas.kandagatla@xxxxxxxxxx>
Signed-off-by: Arun Kumar Neelakantam <aneela@xxxxxxxxxxxxxx>
Signed-off-by: Bjorn Andersson <bjorn.andersson@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
 drivers/rpmsg/qcom_glink_native.c |    7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

--- a/drivers/rpmsg/qcom_glink_native.c
+++ b/drivers/rpmsg/qcom_glink_native.c
@@ -1104,13 +1104,12 @@ static int qcom_glink_create_remote(stru
 close_link:
 	/*
 	 * Send a close request to "undo" our open-ack. The close-ack will
-	 * release the last reference.
+	 * release qcom_glink_send_open_req() reference and the last reference
+	 * will be relesed after receiving remote_close or transport unregister
+	 * by calling qcom_glink_native_remove().
 	 */
 	qcom_glink_send_close_req(glink, channel);
 
-	/* Release qcom_glink_send_open_req() reference */
-	kref_put(&channel->refcount, qcom_glink_channel_release);
-
 	return ret;
 }
 


Patches currently in stable-queue which might be from aneela@xxxxxxxxxxxxxx are

queue-4.14/rpmsg-glink-fix-reuse-intents-memory-leak-issue.patch
queue-4.14/rpmsg-glink-fix-use-after-free-in-open_ack-timeout-case.patch






