From 223088d84716483a6e7b18a69341a6bfb1cb60cb Mon Sep 17 00:00:00 2001 From: wangjianyu3 Date: Fri, 27 Sep 2024 17:16:14 +0800 Subject: [PATCH] misc/rpmsgdev: The private data should be freed only when endpoint is released A use-after-free problem occurs when there are multiple remotes in the list `g_rpmsg` and the matching remote is not the last item in the list. Log # Export the device "/dev/LOCAL_DEV" to remote "REMOTE_CPU" ap> testdev -d 2 -c "REMOTE_CPU" -l "/dev/LOCAL_DEV" [ap] kasan_report: kasan detected a read access error, address at 0x3c3d4740,size is 4, return address: 0x2c33620f [ap] kasan_show_memory: Shadow bytes around the buggy address: [ap] kasan_show_memory: 0x3c3d46f0: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc [ap] kasan_show_memory: 0x3c3d4700: aa aa aa aa cc cc cc cc cc cc cc cc cc cc cc cc [ap] kasan_show_memory: 0x3c3d4710: 40 47 3d 3c ed 61 33 2c 00 00 00 00 00 00 00 00 [ap] kasan_show_memory: 0x3c3d4720: 00 00 00 00 00 00 00 00 00 00 00 00 cc cc cc cc [ap] kasan_show_memory: 0x3c3d4730: 55 55 55 55 38 00 00 00 02 2c 00 00 cc cc cc cc [ap] kasan_show_memory: 0x3c3d4740:[00 00 00 00]66 e0 42 3c cc cc cc cc cc cc cc cc [ap] kasan_show_memory: 0x3c3d4750: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc [ap] kasan_show_memory: 0x3c3d4760: aa aa aa aa 38 00 00 00 01 2c 00 00 cc cc cc cc [ap] kasan_show_memory: 0x3c3d4770: 50 57 44 3d 2f 00 cc cc cc cc cc cc cc cc cc cc [ap] kasan_show_memory: 0x3c3d4780: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc [ap] dump_assert_info: Current Version: NuttX ****** ***** *** 12.3.0 **********-***** *** ** 2024 **:**:** arm [ap] dump_assert_info: Assertion failed panic: at file: kasan/hook.c:187 task: testdev process: testdev 0x2ca20495 $ addr2line -fe nuttx/nuttx 0x2c33620f rpmsgdev_server_created /workspace/nuttx/drivers/misc/rpmsgdev_server.c:529 # Line 529 => strcmp() Signed-off-by: wangjianyu3 --- drivers/misc/rpmsgdev_server.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) 
diff --git a/drivers/misc/rpmsgdev_server.c b/drivers/misc/rpmsgdev_server.c
index 57bcc5a60a..d3595a7fe0 100644
--- a/drivers/misc/rpmsgdev_server.c
+++ b/drivers/misc/rpmsgdev_server.c
@@ -66,6 +66,7 @@ struct rpmsgdev_server_s
                                          * operation */
   struct work_s work; /* Poll notify work */
+  FAR void *priv;
 };
 struct rpmsgdev_export_s
@@ -454,6 +455,12 @@ static void rpmsgdev_ept_release(FAR struct rpmsg_endpoint *ept)
   nxmutex_unlock(&server->lock);
+  if (server->priv)
+    {
+      kmm_free(server->priv);
+      server->priv = NULL;
+    }
+
   kmm_free(server);
 }
@@ -476,6 +483,7 @@ static void rpmsgdev_ns_bind(FAR struct rpmsg_device *rdev,
   list_initialize(&server->head);
   nxmutex_init(&server->lock);
+  server->priv = priv;
   server->ept.priv = server;
   server->ept.release_cb = rpmsgdev_ept_release;
@@ -518,14 +526,13 @@ static void rpmsgdev_server_created(FAR struct rpmsg_device *rdev,
     {
       snprintf(buf, sizeof(buf), "%s%s", RPMSGDEV_NAME_PREFIX, priv->localpath);
-      rpmsgdev_ns_bind(rdev, NULL, buf, RPMSG_ADDR_ANY);
+      rpmsgdev_ns_bind(rdev, priv, buf, RPMSG_ADDR_ANY);
       rpmsg_unregister_callback(priv, rpmsgdev_server_created, NULL, NULL, NULL);
-      kmm_free(priv);
     }
 }
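Review bot: The new `FAR void *priv;` member of rpmsgdev_server_s is the only field in view without a trailing comment, and its ownership is exactly what this fix hinges on, since rpmsgdev_ept_release now frees it. The adjacent `struct work_s work; /* Poll notify work */` shows the file's convention; suggest `FAR void *priv; /* Export data, owned by the server and freed in rpmsgdev_ept_release */`. The struct definition itself begins outside the hunk.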
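Review bot: In rpmsgdev_ept_release the `if (server->priv)` guard and the `server->priv = NULL;` reset are dead code: `kmm_free(server)` runs on the very next line, so no reader can observe the cleared field, and kmm_free is, as far as I know, a no-op for a NULL argument. `kmm_free(server->priv);` immediately before `kmm_free(server);` expresses the same thing in one line. The function's opening, where server is derived from ept, is outside the hunk, so I cannot confirm from here whether the lock is also destroyed before the free.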
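Review bot: With `kmm_free(priv)` removed from rpmsgdev_server_created, the export structure is released only through `server->priv` in rpmsgdev_ept_release, so any early return inside rpmsgdev_ns_bind before the new `server->priv = priv;` line (its body is mostly outside this hunk; a name-prefix mismatch or a failed server allocation would be such paths, if present) now leaks the export instead of freeing it. rpmsgdev_ns_bind returns void, so the caller has no way to notice. Consider freeing priv on rpmsgdev_ns_bind's failure paths, or returning a status so rpmsgdev_server_created can free it when binding did not take ownership. rpmsgdev_server_created's own prologue, including the remotecpu comparison the log points at, begins outside the hunk.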