misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context

7.8 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context

There is a race between fastrpc_device_release() and the workqueue
that processes DSP responses. When the user closes the file descriptor,
fastrpc_device_release() frees the fastrpc_user structure. Concurrently,
an in-flight DSP invocation can complete and fastrpc_rpmsg_callback()
schedules context cleanup via schedule_work(&ctx->put_work). If the
workqueue runs fastrpc_context_free() in parallel with or after
fastrpc_device_release() has freed the user structure, it dereferences
the freed fastrpc_user. Depending on the state of the context at the
time of the race, any one of the following accesses can be hit:

1. fastrpc_buf_free() calls fastrpc_ipa_to_dma_addr(buf->fl->cctx, ...)
to strip the SID bits from the stored IOVA before passing the
physical address to dma_free_coherent().

2. fastrpc_free_map() reads map->fl->cctx->vmperms[0].vmid to
reconstruct the source permission bitmask needed for the
qcom_scm_assign_mem() call that returns memory from the DSP VM
back to HLOS.

3. fastrpc_free_map() acquires map->fl->lock to safely remove the
map node from the fl->maps list.

The resulting use-after-free manifests as:

pc : fastrpc_buf_free+0x38/0x80 [fastrpc]
lr : fastrpc_context_free+0xa8/0x1b0 [fastrpc]
fastrpc_context_free+0xa8/0x1b0 [fastrpc]
fastrpc_context_put_wq+0x78/0xa0 [fastrpc]
process_one_work+0x180/0x450
worker_thread+0x26c/0x388

Add kref-based reference counting to fastrpc_user. Have each invoke
context take a reference on the user at allocation time and release it
when the context is freed. Release the initial reference in
fastrpc_device_release() at file close. Move the teardown of the user
structure — freeing pending contexts, maps, mmaps, and the channel
context reference — into the kref release callback fastrpc_user_free(),
so that it runs only when the last reference is dropped, regardless of
whether that happens at device close or after the final in-flight
context completes.

Basic Information

ID CVE-2026-53161

Source Linux

Published Jun 25, 2026 at 08:38

Modified Jun 28, 2026 at 06:39

Affected Product

Vendor Linux

Product Linux

Version 6cffd79504ce040f460831030d3069fa1c99bb71

Affected Versions Linux Linux 6cffd79504ce040f460831030d3069fa1c99bb71
Linux Linux 6cffd79504ce040f460831030d3069fa1c99bb71
Linux Linux 6cffd79504ce040f460831030d3069fa1c99bb71
Linux Linux 6cffd79504ce040f460831030d3069fa1c99bb71
Linux Linux 6cffd79504ce040f460831030d3069fa1c99bb71
Linux Linux 6cffd79504ce040f460831030d3069fa1c99bb71
Linux Linux 6cffd79504ce040f460831030d3069fa1c99bb71
Linux Linux 6cffd79504ce040f460831030d3069fa1c99bb71
Linux Linux 5.1

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: fastrpc: fix use-after-free of fastrpc_user in workqueue context\n\nThere is a race between fastrpc_device_release() and the workqueue\nthat processes DSP responses. When the user closes the file descriptor,\nfastrpc_device_release() frees the fastrpc_user structure. Concurrently,\nan in-flight DSP invocation can complete and fastrpc_rpmsg_callback()\nschedules context cleanup via schedule_work(&ctx->put_work). If the\nworkqueue runs fastrpc_context_free() in parallel with or after\nfastrpc_device_release() has freed the user structure, it dereferences\nthe freed fastrpc_user. Depending on the state of the context at the\ntime of the race, any one of the following accesses can be hit:\n\n 1. fastrpc_buf_free() calls fastrpc_ipa_to_dma_addr(buf->fl->cctx, ...)\n    to strip the SID bits from the stored IOVA before passing the\n    physical address to dma_free_coherent().\n\n 2. fastrpc_free_map() reads map->fl->cctx->vmperms[0].vmid to\n    reconstruct the source permission bitmask needed for the\n    qcom_scm_assign_mem() call that returns memory from the DSP VM\n    back to HLOS.\n\n 3. fastrpc_free_map() acquires map->fl->lock to safely remove the\n    map node from the fl->maps list.\n\nThe resulting use-after-free manifests as:\n\n  pc : fastrpc_buf_free+0x38/0x80 [fastrpc]\n  lr : fastrpc_context_free+0xa8/0x1b0 [fastrpc]\n  fastrpc_context_free+0xa8/0x1b0 [fastrpc]\n  fastrpc_context_put_wq+0x78/0xa0 [fastrpc]\n  process_one_work+0x180/0x450\n  worker_thread+0x26c/0x388\n\nAdd kref-based reference counting to fastrpc_user. Have each invoke\ncontext take a reference on the user at allocation time and release it\nwhen the context is freed. Release the initial reference in\nfastrpc_device_release() at file close. Move the teardown of the user\nstructure \u2014 freeing pending contexts, maps, mmaps, and the channel\ncontext reference \u2014 into the kref release callback fastrpc_user_free(),\nso that it runs only when the last reference is dropped, regardless of\nwhether that happens at device close or after the final in-flight\ncontext completes.",
    "published": "2026-06-25T08:38:42.789Z",
    "modified": "2026-06-28T06:39:37.235Z",
    "type": "cve",
    "title": "misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/c6e5c2be09f814377d7f1ce97370a5b7b3e02814\nhttps://git.kernel.org/stable/c/e1e3a05efe5954d5bad01157d79429d39a67a7ae\nhttps://git.kernel.org/stable/c/d42679eef34dd590b694ce3b666c5e2ba10cd4bf\nhttps://git.kernel.org/stable/c/df08fadcf0e5f3708365ec3b6d30b5aafd98bea1\nhttps://git.kernel.org/stable/c/ecea4967c2bff92c2fafbc59893f711b39f7b152\nhttps://git.kernel.org/stable/c/5278ccd357e0d7aeeb1e76c0f3e0e02894a9897c\nhttps://git.kernel.org/stable/c/fbe0947420eec18a84638d29468c2d563ce4e6a3\nhttps://git.kernel.org/stable/c/e85eb5feca8e254905ffa6c57a3c99c89a674a0f",
    "id": "CVE-2026-53161",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux 6cffd79504ce040f460831030d3069fa1c99bb71\nLinux Linux 6cffd79504ce040f460831030d3069fa1c99bb71\nLinux Linux 6cffd79504ce040f460831030d3069fa1c99bb71\nLinux Linux 6cffd79504ce040f460831030d3069fa1c99bb71\nLinux Linux 6cffd79504ce040f460831030d3069fa1c99bb71\nLinux Linux 6cffd79504ce040f460831030d3069fa1c99bb71\nLinux Linux 6cffd79504ce040f460831030d3069fa1c99bb71\nLinux Linux 6cffd79504ce040f460831030d3069fa1c99bb71\nLinux Linux 5.1",
    "sourceHref": "",
    "cvss": {
        "score": 7.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "6cffd79504ce040f460831030d3069fa1c99bb71",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context_CVE-2026-53161

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply