CVE-2024-50150

In the Linux kernel, the following vulnerability has been resolved:

usb: typec: altmode should keep reference to parent

The altmode device release refers to its parent device, but without keeping a reference to it.

When registering the altmode, get a reference to the parent and put it in the release function.

Before this fix, when using CONFIGDEBUGKOBJECT_RELEASE, we see issues like this:

[ 43.572860] kobject: 'port0.0' (ffff8880057ba008): kobjectrelease, parent 0000000000000000 (delayed 3000) [ 43.573532] kobject: 'port0.1' (ffff8880057bd008): kobjectrelease, parent 0000000000000000 (delayed 1000) [ 43.574407] kobject: 'port0' (ffff8880057b9008): kobjectrelease, parent 0000000000000000 (delayed 3000) [ 43.575059] kobject: 'port1.0' (ffff8880057ca008): kobjectrelease, parent 0000000000000000 (delayed 4000) [ 43.575908] kobject: 'port1.1' (ffff8880057c9008): kobjectrelease, parent 0000000000000000 (delayed 4000) [ 43.576908] kobject: 'typec' (ffff8880062dbc00): kobjectrelease, parent 0000000000000000 (delayed 4000) [ 43.577769] kobject: 'port1' (ffff8880057bf008): kobjectrelease, parent 0000000000000000 (delayed 3000) [ 46.612867] ================================================================== [ 46.613402] BUG: KASAN: slab-use-after-free in typecaltmoderelease+0x38/0x129 [ 46.614003] Read of size 8 at addr ffff8880057b9118 by task kworker/2:1/48 [ 46.614538] [ 46.614668] CPU: 2 UID: 0 PID: 48 Comm: kworker/2:1 Not tainted 6.12.0-rc1-00138-gedbae730ad31 #535 [ 46.615391] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014 [ 46.616042] Workqueue: events kobjectdelayedcleanup [ 46.616446] Call Trace: [ 46.616648] <TASK> [ 46.616820] dumpstacklvl+0x5b/0x7c [ 46.617112] ? typecaltmoderelease+0x38/0x129 [ 46.617470] printreport+0x14c/0x49e [ 46.617769] ? rcureadunlock_sched+0x56/0x69 [ 46.618117] ? __virtaddrvalid+0x19a/0x1ab [ 46.618456] ? kmemcachedebugflags+0xc/0x1d [ 46.618807] ? typecaltmoderelease+0x38/0x129 [ 46.619161] kasanreport+0x8d/0xb4 [ 46.619447] ? typecaltmoderelease+0x38/0x129 [ 46.619809] ? processscheduledworks+0x3cb/0x85f [ 46.620185] typecaltmoderelease+0x38/0x129 [ 46.620537] ? processscheduledworks+0x3cb/0x85f [ 46.620907] devicerelease+0xaf/0xf2 [ 46.621206] kobjectdelayedcleanup+0x13b/0x17a [ 46.621584] processscheduled_works+0x4f6/0x85f [ 46.621955] ? __pfxprocessscheduledworks+0x10/0x10 [ 46.622353] ? hlockclass+0x31/0x9a [ 46.622647] ? lockacquired+0x361/0x3c3 [ 46.622956] ? movelinkedworks+0x46/0x7d [ 46.623277] workerthread+0x1ce/0x291 [ 46.623582] ? __kthread_parkme+0xc8/0xdf [ 46.623900] ? __pfxworkerthread+0x10/0x10 [ 46.624236] kthread+0x17e/0x190 [ 46.624501] ? kthread+0xfb/0x190 [ 46.624756] ? __pfxkthread+0x10/0x10 [ 46.625015] retfrom_fork+0x20/0x40 [ 46.625268] ? __pfxkthread+0x10/0x10 [ 46.625532] retfromforkasm+0x1a/0x30 [ 46.625805] </TASK> [ 46.625953] [ 46.626056] Allocated by task 678: [ 46.626287] kasansavestack+0x24/0x44 [ 46.626555] kasansavetrack+0x14/0x2d [ 46.626811] __kasan_kmalloc+0x3f/0x4d [ 46.627049] __kmallocnoprof+0x1bf/0x1f0 [ 46.627362] typecregisterport+0x23/0x491 [ 46.627698] crostypecprobe+0x634/0xbb6 [ 46.628026] platformprobe+0x47/0x8c [ 46.628311] reallyprobe+0x20a/0x47d [ 46.628605] devicedriverattach+0x39/0x72 [ 46.628940] bindstore+0x87/0xd7 [ 46.629213] kernfsfopwriteiter+0x1aa/0x218 [ 46.629574] vfswrite+0x1d6/0x29b [ 46.629856] ksyswrite+0xcd/0x13b [ 46.630128] dosyscall64+0xd4/0x139 [ 46.630420] entrySYSCALL64afterhwframe+0x76/0x7e [ 46.630820] [ 46.630946] Freed by task 48: [ 46.631182] kasansavestack+0x24/0x44 [ 46.631493] kasansavetrack+0x14/0x2d [ 46.631799] kasansavefreeinfo+0x3f/0x4d [ 46.632144] __kasanslabfree+0x37/0x45 [ 46.632474] ---truncated---