CVE-2022-50421

So need to avoid destroying the default endpoint in rpmsgchrdeveptdevdestroy(), this should be the same as rpmsgeptdev_release(). Otherwise there will be double destroy issue that ept->refcount report warning:

refcount_t: underflow; use-after-free.

Call trace: refcountwarnsaturate+0xf8/0x150 virtiorpmsgdestroyept+0xd4/0xec rpmsgdev_remove+0x60/0x70

The issue can be reproduced by stopping remoteproc before closing the /dev/rpmsgX.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

bea9b79c2d10fecf7bfa26e212ecefe61d232e39

Fixed

ef828a39d6a7028836eaf37df3ad568c8c2dd6f9

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

bea9b79c2d10fecf7bfa26e212ecefe61d232e39

Fixed

3f20ef7a845c2c8d7ec82ecffa20d95cab5ecfeb

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

bea9b79c2d10fecf7bfa26e212ecefe61d232e39

Fixed

467233a4ac29b215d492843d067a9f091e6bf0c5

Affected versions

v5.*

v5.17

v5.17-rc3

v5.17-rc4

v5.17-rc5

v5.17-rc6

v5.17-rc7

v5.17-rc8

v5.18

v5.18-rc1

v5.18-rc2

v5.18-rc3

v5.18-rc4

v5.18-rc5

v5.18-rc6

v5.18-rc7

v5.19

v5.19-rc1

v5.19-rc2

v5.19-rc3

v5.19-rc4

v5.19-rc5

v5.19-rc6

v5.19-rc7

v5.19-rc8

v5.19.1

v5.19.10

v5.19.11

v5.19.12

v5.19.13

v5.19.14

v5.19.15

v5.19.16

v5.19.2

v5.19.3

v5.19.4

v5.19.5

v5.19.6

v5.19.7

v5.19.8

v5.19.9

v6.*

v6.0

v6.0-rc1

v6.0-rc2

v6.0-rc3

v6.0-rc4

v6.0-rc5

v6.0-rc6

v6.0-rc7

v6.0.1

v6.0.2

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.18.0

Fixed

5.19.17

Type: ECOSYSTEM
Events: Introduced

5.20.0

Fixed

6.0.3