CVE-2022-48759

In the Linux kernel, the following vulnerability has been resolved:

rpmsg: char: Fix race between the release of rpmsg_ctrldev and cdev

struct rpmsgctrldev contains a struct cdev. The current code frees the rpmsgctrldev struct in rpmsgctrldevreleasedevice(), but the cdev is a managed object, therefore its release is not predictable and the rpmsgctrldev could be freed before the cdev is entirely released, as in the backtrace below.

[ 93.625603] ODEBUG: free active (active state 0) object type: timerlist hint: delayedworktimerfn+0x0/0x7c [ 93.636115] WARNING: CPU: 0 PID: 12 at lib/debugobjects.c:488 debugprintobject+0x13c/0x1b0 [ 93.644799] Modules linked in: veth xtcgroup xtMASQUERADE rfcomm algifhash algifskcipher afalg uinput ip6tablenat fuse uvcvideo videobuf2vmalloc venusenc venusdec videobuf2dmacontig hciuart btandroid btqca sndsocrt5682i2c bluetooth qcomspmitempalarm sndsocrt5682v [ 93.715175] CPU: 0 PID: 12 Comm: kworker/0:1 Tainted: G B 5.4.163-lockdep #26 [ 93.723855] Hardware name: Google Lazor (rev3 - 8) with LTE (DT) [ 93.730055] Workqueue: events kobjectdelayedcleanup [ 93.735271] pstate: 60c00009 (nZCv daif +PAN +UAO) [ 93.740216] pc : debugprintobject+0x13c/0x1b0 [ 93.744890] lr : debugprintobject+0x13c/0x1b0 [ 93.749555] sp : ffffffacf5bc7940 [ 93.752978] x29: ffffffacf5bc7940 x28: dfffffd000000000 [ 93.758448] x27: ffffffacdb11a800 x26: dfffffd000000000 [ 93.763916] x25: ffffffd0734f856c x24: dfffffd000000000 [ 93.769389] x23: 0000000000000000 x22: ffffffd0733c35b0 [ 93.774860] x21: ffffffd0751994a0 x20: ffffffd075ec27c0 [ 93.780338] x19: ffffffd075199100 x18: 00000000000276e0 [ 93.785814] x17: 0000000000000000 x16: dfffffd000000000 [ 93.791291] x15: ffffffffffffffff x14: 6e6968207473696c [ 93.796768] x13: 0000000000000000 x12: ffffffd075e2b000 [ 93.802244] x11: 0000000000000001 x10: 0000000000000000 [ 93.807723] x9 : d13400dff1921900 x8 : d13400dff1921900 [ 93.813200] x7 : 0000000000000000 x6 : 0000000000000000 [ 93.818676] x5 : 0000000000000080 x4 : 0000000000000000 [ 93.824152] x3 : ffffffd0732a0fa4 x2 : 0000000000000001 [ 93.829628] x1 : ffffffacf5bc7580 x0 : 0000000000000061 [ 93.835104] Call trace: [ 93.837644] debugprintobject+0x13c/0x1b0 [ 93.841963] _debugchecknoobjfreed+0x25c/0x3c0 [ 93.846987] debugchecknoobjfreed+0x18/0x20 [ 93.851669] slabfreefreelisthook+0xbc/0x1e4 [ 93.856346] kfree+0xfc/0x2f4 [ 93.859416] rpmsgctrldevreleasedevice+0x78/0xb8 [ 93.864445] devicerelease+0x84/0x168 [ 93.868310] kobjectcleanup+0x12c/0x298 [ 93.872356] kobjectdelayedcleanup+0x10/0x18 [ 93.876948] processonework+0x578/0x92c [ 93.881086] workerthread+0x804/0xcf8 [ 93.884963] kthread+0x2a8/0x314 [ 93.888303] retfromfork+0x10/0x18

The cdevdeviceadd/del() API was created to address this issue (see commit '233ed09d7fda ("chardev: add helper function to register char devs with a struct device")'), use it instead of cdev add/del().