CVE-2023-52635

In the Linux kernel, the following vulnerability has been resolved:

PM / devfreq: Synchronize devfreqmonitor[start/stop]

There is a chance if a frequent switch of the governor done in a loop result in timer list corruption where timer cancel being done from two place one from canceldelayedworksync() and followed by expiretimers() can be seen from the traces[1].

while true do echo "simple_ondemand" > /sys/class/devfreq/1d84000.ufshc/governor echo "performance" > /sys/class/devfreq/1d84000.ufshc/governor done

It looks to be issue with devfreq driver where devicemonitor[start/stop] need to synchronized so that delayed work should get corrupted while it is either being queued or running or being cancelled.

Let's use polling flag and devfreq lock to synchronize the queueing the timer instance twice and work data being corrupted.

[1] ... .. <idle>-0 [003] 9436.209662: timercancel timer=0xffffff80444f0428 <idle>-0 [003] 9436.209664: timerexpireentry timer=0xffffff80444f0428 now=0x10022da1c function=typeidZTSFvP10timerlistEglobaladdr baseclk=0x10022da1c <idle>-0 [003] 9436.209718: timerexpireexit timer=0xffffff80444f0428 kworker/u16:6-14217 [003] 9436.209863: timerstart timer=0xffffff80444f0428 function=typeidZTSFvP10timerlistEglobaladdr expires=0x10022da2b now=0x10022da1c flags=182452227 vendor.xxxyyy.ha-1593 [004] 9436.209888: timercancel timer=0xffffff80444f0428 vendor.xxxyyy.ha-1593 [004] 9436.216390: timerinit timer=0xffffff80444f0428 vendor.xxxyyy.ha-1593 [004] 9436.216392: timerstart timer=0xffffff80444f0428 function=typeidZTSFvP10timerlistEglobaladdr expires=0x10022da2c now=0x10022da1d flags=186646532 vendor.xxxyyy.ha-1593 [005] 9436.220992: timercancel timer=0xffffff80444f0428 xxxyyyTraceManag-7795 [004] 9436.261641: timercancel timer=0xffffff80444f0428

[2]

9436.261653][ C4] Unable to handle kernel paging request at virtual address dead00000000012a [ 9436.261664][ C4] Mem abort info: [ 9436.261666][ C4] ESR = 0x96000044 [ 9436.261669][ C4] EC = 0x25: DABT (current EL), IL = 32 bits [ 9436.261671][ C4] SET = 0, FnV = 0 [ 9436.261673][ C4] EA = 0, S1PTW = 0 [ 9436.261675][ C4] Data abort info: [ 9436.261677][ C4] ISV = 0, ISS = 0x00000044 [ 9436.261680][ C4] CM = 0, WnR = 1 [ 9436.261682][ C4] [dead00000000012a] address between user and kernel address ranges [ 9436.261685][ C4] Internal error: Oops: 96000044 [#1] PREEMPT SMP [ 9436.261701][ C4] Skip md ftrace buffer dump for: 0x3a982d0 ...

[ 9436.262138][ C4] CPU: 4 PID: 7795 Comm: TraceManag Tainted: G S W O 5.10.149-android12-9-o-g17f915d29d0c #1 [ 9436.262141][ C4] Hardware name: Qualcomm Technologies, Inc. (DT) [ 9436.262144][ C4] pstate: 22400085 (nzCv daIf +PAN -UAO +TCO BTYPE=--) [ 9436.262161][ C4] pc : expiretimers+0x9c/0x438 [ 9436.262164][ C4] lr : expiretimers+0x2a4/0x438 [ 9436.262168][ C4] sp : ffffffc010023dd0 [ 9436.262171][ C4] x29: ffffffc010023df0 x28: ffffffd0636fdc18 [ 9436.262178][ C4] x27: ffffffd063569dd0 x26: ffffffd063536008 [ 9436.262182][ C4] x25: 0000000000000001 x24: ffffff88f7c69280 [ 9436.262185][ C4] x23: 00000000000000e0 x22: dead000000000122 [ 9436.262188][ C4] x21: 000000010022da29 x20: ffffff8af72b4e80 [ 9436.262191][ C4] x19: ffffffc010023e50 x18: ffffffc010025038 [ 9436.262195][ C4] x17: 0000000000000240 x16: 0000000000000201 [ 9436.262199][ C4] x15: ffffffffffffffff x14: ffffff889f3c3100 [ 9436.262203][ C4] x13: ffffff889f3c3100 x12: 00000000049f56b8 [ 9436.262207][ C4] x11: 00000000049f56b8 x10: 00000000ffffffff [ 9436.262212][ C4] x9 : ffffffc010023e50 x8 : dead000000000122 [ 9436.262216][ C4] x7 : ffffffffffffffff x6 : ffffffc0100239d8 [ 9436.262220][ C4] x5 : 0000000000000000 x4 : 0000000000000101 [ 9436.262223][ C4] x3 : 0000000000000080 x2 : ffffff8 ---truncated---