firmware: ti_sci: resource leak and use after free
Uwe Kleine-König
u.kleine-koenig at pengutronix.de
Thu Feb 16 00:39:08 PST 2023
Hello,
The ti_sci firmware driver (drivers/firmware/ti_sci.c) has a problem in
its remove callback. I didn't check it to an end and I also don't have
the needed hardware available to test, so take my diagnosis with a grain
of salt.
The problem is that if ti_sci_remove() is called while info->users is
non-zero it skips ti_sci_debugfs_destroy() and mbox_free_channel(),
however the device will be unbound after ti_sci_remove() completes and
(among other stuff) *info will be freed. (See platform_remove() in
drivers/base/platform.c.) However the debugfs entries stay available and
accessing them will access *info. Also info stays linked in ti_sci_list
and might be traversed there. Maybe similar problems can happen with the
unfreed mbox channels.
Fixing that requires (at least) that info stays around until it's
completely unreferenced. I don't know enough about the firmware
framework and the involved hardware to suggest a fix though.
Best regards
Uwe
--
Pengutronix e.K. | Uwe Kleine-König |
Industrial Linux Solutions | https://www.pengutronix.de/ |
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/linux-arm-kernel/attachments/20230216/4242dc30/attachment.sig>
More information about the linux-arm-kernel
mailing list