CVE-2022-48759 in Linuxinfo

Summary

by MITRE • 06/20/2024

In the Linux kernel, the following vulnerability has been resolved:

rpmsg: char: Fix race between the release of rpmsg_ctrldev and cdev

struct rpmsg_ctrldev contains a struct cdev. The current code frees the rpmsg_ctrldev struct in rpmsg_ctrldev_release_device(), but the cdev is a managed object, therefore its release is not predictable and the rpmsg_ctrldev could be freed before the cdev is entirely released, as in the backtrace below.

[ 93.625603] ODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x7c
[ 93.636115] WARNING: CPU: 0 PID: 12 at lib/debugobjects.c:488 debug_print_object+0x13c/0x1b0
[ 93.644799] Modules linked in: veth xt_cgroup xt_MASQUERADE rfcomm algif_hash algif_skcipher af_alg uinput ip6table_nat fuse uvcvideo videobuf2_vmalloc venus_enc venus_dec videobuf2_dma_contig hci_uart btandroid btqca snd_soc_rt5682_i2c bluetooth qcom_spmi_temp_alarm snd_soc_rt5682v
[ 93.715175] CPU: 0 PID: 12 Comm: kworker/0:1 Tainted: G B 5.4.163-lockdep #26
[ 93.723855] Hardware name: Google Lazor (rev3 - 8) with LTE (DT)
[ 93.730055] Workqueue: events kobject_delayed_cleanup
[ 93.735271] pstate: 60c00009 (nZCv daif +PAN +UAO)
[ 93.740216] pc : debug_print_object+0x13c/0x1b0
[ 93.744890] lr : debug_print_object+0x13c/0x1b0
[ 93.749555] sp : ffffffacf5bc7940
[ 93.752978] x29: ffffffacf5bc7940 x28: dfffffd000000000
[ 93.758448] x27: ffffffacdb11a800 x26: dfffffd000000000
[ 93.763916] x25: ffffffd0734f856c x24: dfffffd000000000
[ 93.769389] x23: 0000000000000000 x22: ffffffd0733c35b0
[ 93.774860] x21: ffffffd0751994a0 x20: ffffffd075ec27c0
[ 93.780338] x19: ffffffd075199100 x18: 00000000000276e0
[ 93.785814] x17: 0000000000000000 x16: dfffffd000000000
[ 93.791291] x15: ffffffffffffffff x14: 6e6968207473696c
[ 93.796768] x13: 0000000000000000 x12: ffffffd075e2b000
[ 93.802244] x11: 0000000000000001 x10: 0000000000000000
[ 93.807723] x9 : d13400dff1921900 x8 : d13400dff1921900
[ 93.813200] x7 : 0000000000000000 x6 : 0000000000000000
[ 93.818676] x5 : 0000000000000080 x4 : 0000000000000000
[ 93.824152] x3 : ffffffd0732a0fa4 x2 : 0000000000000001
[ 93.829628] x1 : ffffffacf5bc7580 x0 : 0000000000000061
[ 93.835104] Call trace:
[ 93.837644] debug_print_object+0x13c/0x1b0
[ 93.841963] __debug_check_no_obj_freed+0x25c/0x3c0
[ 93.846987] debug_check_no_obj_freed+0x18/0x20
[ 93.851669] slab_free_freelist_hook+0xbc/0x1e4
[ 93.856346] kfree+0xfc/0x2f4
[ 93.859416] rpmsg_ctrldev_release_device+0x78/0xb8
[ 93.864445] device_release+0x84/0x168
[ 93.868310] kobject_cleanup+0x12c/0x298
[ 93.872356] kobject_delayed_cleanup+0x10/0x18
[ 93.876948] process_one_work+0x578/0x92c
[ 93.881086] worker_thread+0x804/0xcf8
[ 93.884963] kthread+0x2a8/0x314
[ 93.888303] ret_from_fork+0x10/0x18

The cdev_device_add/del() API was created to address this issue (see commit '233ed09d7fda ("chardev: add helper function to register char devs with a struct device")'), use it instead of cdev add/del().

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 09/17/2025

The vulnerability identified as CVE-2022-48759 resides within the Linux kernel's rpmsg character device subsystem, specifically affecting the synchronization between the release of rpmsg control device structures and their associated character device objects. This flaw manifests as a race condition that can lead to system instability and potential security implications. The rpmsg_ctrldev structure contains a struct cdev, which is a managed kernel object whose lifecycle is handled through specific registration and cleanup mechanisms. When the rpmsg_ctrldev_release_device() function attempts to free the rpmsg_ctrldev structure, it does so before the cdev object has completed its own release process, creating a temporal window where memory access violations can occur.

The technical nature of this vulnerability stems from improper object lifecycle management within the kernel's device model. The kernel's debug objects framework detects this issue through the ODEBUG subsystem, which tracks active objects and flags when memory is freed while objects are still in use. The stack trace reveals that the error occurs during the kobject_delayed_cleanup workqueue execution, where debug_print_object is called to validate object states. This validation fails because the rpmsg_ctrldev structure has been freed while the underlying cdev timer_list object remains active, causing a kernel warning and potential system crash. The root cause lies in the direct use of cdev_del() and cdev_add() functions instead of the newer cdev_device_add() and cdev_device_del() helpers that properly coordinate the lifecycle of character device objects with their parent device structures.

This vulnerability impacts the stability and reliability of systems that utilize remote processor messaging (rpmsg) functionality, particularly those running kernel versions that include the affected code path. The race condition can result in kernel oops, memory corruption, or system crashes during device removal or system shutdown scenarios. From an operational standpoint, this represents a denial-of-service condition that could be exploited by malicious actors to destabilize systems running vulnerable kernel versions. The issue affects embedded systems and mobile platforms that rely heavily on rpmsg for communication between application processors and remote processors, such as modem or audio subsystems.

The recommended mitigation involves upgrading to a kernel version that includes the fix, which implements the cdev_device_add() and cdev_device_del() API functions instead of the older cdev_add() and cdev_del() approaches. This change ensures proper synchronization between the character device and its parent device lifecycle management, preventing the premature freeing of memory structures. Additionally, system administrators should monitor for kernel updates and ensure that all devices utilizing rpmsg functionality are running patched kernel versions. The fix aligns with best practices for kernel object management and follows the principles outlined in CWE-362, which addresses race conditions in concurrent programming. This vulnerability also relates to ATT&CK technique T1490, which involves data destruction through system instability, as the race condition can lead to system crashes that disrupt normal operations. Organizations should prioritize patching this vulnerability, particularly in mission-critical systems where reliability is paramount, and implement monitoring to detect potential exploitation attempts.

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!