Linux Kernel Use-After-Free Vulnerability in OPP Tables

A use-after-free vulnerability has been identified in the Linux kernel's handling of operating performance points (OPP) tables. This issue arises in versions of the kernel that utilize required OPPs, specifically within the OPP framework's interconnect management. When the function 'dev_pm_opp_of_find_icc_paths()' encounters a probe deferral, the OPP table is freed to await the availability of all interconnect paths. However, if the OPP table is linked to required OPPs, it may have already been added to the global 'lazy_opp_tables' list. The current error handling does not remove the OPP table from this list, leading to potential crashes when the required OPP provider is later added. This oversight causes the system to attempt to access OPP tables that have already been freed, resulting in a null pointer dereference error. The vulnerability has been addressed by improving the error handling to properly clear and manage the OPP tables, including adding missing mutex destruction calls to prevent resource leaks.

Impact

Exploitation of this vulnerability can lead to kernel crashes due to null pointer dereference errors, caused by accessing freed OPP table resources that are no longer valid.

Reproduction

The vulnerability can be reproduced by creating an OPP table that uses required OPPs and adding it to the 'lazy_opp_tables' list. Then, induce a probe deferral in the 'dev_pm_opp_of_find_icc_paths()' function, which will free the OPP table but not remove it from the 'lazy_opp_tables' list. Once the required OPP provider is added, the system will crash while iterating over the invalid OPP table, triggering a null pointer dereference error.

Remediation

Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been fixed. Instructions for downloading the patched version are available on the official Linux kernel website.