Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's Zynq IPI mailbox controller has been addressed. The issue arose when the device_register() function failed, leading to two problems: first, a name leak from the dev_set_name() function, and second, a potential kernel crash. The crash occurred because the device's parent was not NULL, causing the device_unregister() function to remove a device that had not been properly added. To resolve this, the put_device() function was called to release the reference, allowing the name to be freed during the kobject_cleanup() process. Additionally, a check was introduced in the zynqmp_ipi_free_mboxes() function to prevent null pointer dereferences.
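The error-handling pattern described above, as an added user-space C model that is not the driver's or the kernel's own code. The `model_*` helpers and `run_flow()` are hypothetical stand-ins for dev_set_name(), device_register(), put_device() and device_unregister(), and the model counts an unregister of a never-added device instead of crashing.

```c
/* User-space model (constructed) of the refcounting behind struct device. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct model_dev { char *name; int refs, registered, has_parent; };
struct outcome   { int leaked_names, bad_unregisters; };
static struct outcome st;

static void model_init(struct model_dev *d, const char *name) {
    d->refs = 1; d->registered = 0; d->has_parent = 1;
    d->name = malloc(strlen(name) + 1);     /* stands in for dev_set_name() */
    if (d->name) { strcpy(d->name, name); st.leaked_names++; }
}
static void model_put(struct model_dev *d) {            /* put_device() */
    if (--d->refs == 0) { free(d->name); d->name = NULL; st.leaked_names--; }
}
static int model_register(struct model_dev *d, int fail) {
    if (fail) return -1;                    /* caller still holds its reference */
    d->registered = 1;
    return 0;
}
static void model_unregister(struct model_dev *d) {
    if (!d->registered) { st.bad_unregisters++; return; } /* kernel: crash */
    d->registered = 0;
    model_put(d);
}

/* fixed=0: flow as described before the fix; fixed=1: put on failure plus
 * a "was it registered" check before unregistering. */
static struct outcome run_flow(int fixed, int fail) {
    struct model_dev d;
    st = (struct outcome){0, 0};
    model_init(&d, "ipi-mbox");
    if (model_register(&d, fail) != 0 && fixed)
        model_put(&d);                      /* last reference: name is freed */
    if (d.has_parent && (!fixed || d.registered))
        model_unregister(&d);
    struct outcome r = st;
    free(d.name);                           /* keep the model itself tidy */
    return r;
}

int main(void) {
    struct outcome a = run_flow(0, 1), b = run_flow(1, 1);
    printf("before fix: leaked=%d bad_unregister=%d\n", a.leaked_names, a.bad_unregisters);
    printf("after fix:  leaked=%d bad_unregister=%d\n", b.leaked_names, b.bad_unregisters);
    return 0;
}
```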
If a device registration error is not handled properly, the kernel can crash when it attempts to unregister a device that was not correctly registered.
The vulnerability can be reproduced by triggering a failure in the device_register() function within the Zynq IPI mailbox controller. This can be done by modifying the driver's probe function to simulate a registration failure, which will cause the error handling issues to manifest. The improper error handling can be observed by monitoring the system for a kernel crash resulting from the faulty device management.
The vulnerability has been fixed in the Linux kernel. Users should upgrade to the latest version where this issue has been addressed.