November 18, 2021

GHSL-2021-1029: Use-after-free (UaF) in Qualcomm npu driver - CVE-2021-1940

Man Yue Mo

Coordinated Disclosure Timeline


Use-after-free in Qualcomm npu driver


msm kernel

Tested Version

Samsung Galaxy A71: SM-A715F/DS AP: A715FXXU3ATJ2 and CP: A715FXXU3ATI5, Kernel version 4.14.117-19828683 and build ID QP1A.190711.020.A715FXXU3ATJ2


When a network is executed with the async option, the ioctl returns immediately after a message is posted to the npu [1], while the npu executes the network. When the execution completes, the npu notifies the host by sending an NPU_IPC_MSG_EXECUTE_DONE event. The driver's event handler then passes network->client to npu_queue_event [2].

If the file associated with the client (the one returned by open("/dev/msm_npu")) is closed, npu_close is called [3]. This first calls npu_host_cleanup_networks [4], which tries to call npu_host_unload_network to unload the networks associated with the client and clear out network->client. However, because the network is still executing, that call fails with -EBUSY [5], so the cleanup of the network is skipped. npu_close then proceeds to free the client [6], leaving a dangling pointer in network->client. When the execution completes and the driver uses network->client in npu_queue_event, as described above, this results in a use-after-free.
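The lifecycle described above, as an added model in C. This is a constructed example, not the msm npu driver's or the author's code: the function names mirror the advisory, and the hardened close path is one assumed mitigation, not the vendor's fix.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
/* Constructed model of the lifecycle in the advisory, not the msm npu
 * driver's code. Freed memory is never touched; a flag records whether
 * the completion path would have used a dangling network->client. */
struct npu_client  { bool freed; };
struct npu_network { bool executing; struct npu_client *client; };

/* Stand-in for npu_host_unload_network: refuses while still executing. */
static int unload_network(struct npu_network *net)
{
    if (net->executing) return -EBUSY;  /* [5]: network cleanup is skipped */
    net->client = NULL;
    return 0;
}

/* npu_close as described: cleanup, then free the client regardless. */
static void npu_close_vulnerable(struct npu_client *c, struct npu_network *net)
{
    (void)unload_network(net);  /* [4]: -EBUSY is not acted upon */
    c->freed = true;            /* [6]: kfree(client); pointer stays in net */
}

/* Assumed hardening (not the vendor's fix): detach the client from a busy
 * network before freeing it, so completion sees NULL, not a stale pointer. */
static void npu_close_hardened(struct npu_client *c, struct npu_network *net)
{
    if (unload_network(net) == -EBUSY) net->client = NULL;
    c->freed = true;
}

/* NPU_IPC_MSG_EXECUTE_DONE handler: returns 1 if it would have used a freed
 * client (the UaF), 0 if the event reached a live client or was dropped. */
static int execute_done(struct npu_network *net)
{
    net->executing = false;
    if (net->client == NULL) return 0;   /* no owner left to notify */
    return net->client->freed ? 1 : 0;   /* [2]: npu_queue_event(client) */
}

/* Async execute [1] -> close [3] -> completion, with either close path. */
static int run_scenario(bool hardened)
{
    struct npu_client c = { .freed = false };
    struct npu_network net = { .executing = true, .client = &c };
    if (hardened) npu_close_hardened(&c, &net); else npu_close_vulnerable(&c, &net);
    return execute_done(&net);
}
```

In a real driver the detach in the hardened path must run under the same lock the event handler takes when it reads network->client, otherwise the window is only narrowed, not closed.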




Can be exploited to gain arbitrary kernel code execution from the untrusted app domain.


This issue was discovered and reported by GHSL team member @m-y-mo (Man Yue Mo).


You can contact the GHSL team at, please include the GHSL-YEAR-ID in any communication regarding this issue.