On Tue, 19 May 2026 02:05:07 +0530, Anandu Krishnan E wrote:
> There is a race between fastrpc_device_release() and the workqueue
> that processes DSP responses. When the user closes the file descriptor,
> fastrpc_device_release() frees the fastrpc_user structure. Concurrently,
> an in-flight DSP invocation can complete and fastrpc_rpmsg_callback()
> schedules context cleanup via schedule_work(&ctx->put_work). If the
> workqueue runs fastrpc_context_free() in parallel with or after
> fastrpc_device_release() has freed the user structure, it dereferences
> the freed fastrpc_user. Depending on the state of the context at the
> time of the race, any one of the following accesses can be hit:
> 
> [...]

Applied, thanks!

[1/1] misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context
      commit: b01bf21ae7e7c4c7cd4f1c8419bafc1e04c008e4

Best regards,
-- 
Srinivas Kandagatla <[email protected]>
