Android qrtr_bpf_filter_detach Double-Free / Use-After-Free

There appears to be some (possibly deprecated) code associated with AF_QIPCRTR sockets in bpf_service.c. Within this file are some ioctl handlers - e.g. qrtr_bpf_filter_attach and qrtr_bpf_filter_detach. In the case of qrtr_bpf_filter_detach, the global pointer bpf_filter is fetched and freed while only holding a socket lock (and an irrelevant rcu_read_lock) - this may lead directly to double frees or use-after-free (kernel memory corruption) if a malicious user is able to call the QRTR_DETTACH_BPF ioctl on multiple AF_QIPCRTR sockets at once. Based on Android SELinux files, it appears this may be possible from some lower-privileged vendor and HAL services.

Packet Storm
Tags: vulnerability, android, google, linux
As we don't have a device (nor see any examples of existing Android devices) containing the necessary kernel configuration (CONFIG_QRTR_BPF_FILTER), we are presently unable to reproduce a crash for this bug. If you're aware of this option being enabled on any production kernels, I would be interested to know!

This bug is subject to a 90-day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 30 days after the fix was made available. Otherwise, this bug report will become public at the deadline. The scheduled deadline is 2024-09-22.

For more details, see the Project Zero vulnerability disclosure policy: https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-policy.html

NOTE: This was originally reported as a non-security issue on June 17th, however Qualcomm has confirmed that there are affected devices and that they consider this a security issue, so adding this to the tracker.

Related CVE Number: CVE-2024-38401.
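The bug class the report describes (a global pointer fetched and freed under a lock that is only per-socket, so two sockets detaching concurrently can both observe and release the same object) is easier to see in a small model. The following user-space C program is an added illustration, not code from the report, the kernel or Qualcomm: the names `struct filter`, `g_filter`, `g_filter_lock`, `detach_unsafe_*` and `detach_safe` are hypothetical, the "free" is instrumented to count releases instead of corrupting memory, and the hardened variant shows one assumed fix pattern (a lock shared by all sockets, with the pointer unpublished before it is freed), not the vendor's actual patch.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <pthread.h>

/* Hypothetical stand-in for the filter object the report calls bpf_filter.
 * Instead of being freed for real, it records releases so that a double
 * free becomes an observable count rather than undefined behaviour. */
struct filter {
    int id;
    bool released;
};

/* Single global pointer shared by every socket, as in the report. */
static struct filter *g_filter;

/* Extra global lock used by the hardened variant to serialise detach
 * across all sockets (assumed fix pattern; not the vendor's patch). */
static pthread_mutex_t g_filter_lock = PTHREAD_MUTEX_INITIALIZER;

static int g_double_frees;

/* Per-socket state: each socket carries its own lock, like lock_sock(). */
struct sock {
    pthread_mutex_t lock;
};

static void instrumented_free(struct filter *f)
{
    if (f->released) {
        g_double_frees++;           /* second release of the same object */
        return;
    }
    f->released = true;
}

/* Vulnerable shape: the global is read and released while holding only the
 * caller's own socket lock. Two different sockets hold two different locks,
 * so nothing orders their accesses to g_filter. The two halves are separate
 * functions purely so the harmful interleaving can be replayed deterministically. */
static struct filter *detach_unsafe_fetch(struct sock *sk)
{
    pthread_mutex_lock(&sk->lock);
    struct filter *f = g_filter;    /* both sockets can observe the same object */
    pthread_mutex_unlock(&sk->lock);
    return f;
}

static void detach_unsafe_release(struct sock *sk, struct filter *f)
{
    pthread_mutex_lock(&sk->lock);
    if (f) {
        instrumented_free(f);       /* may be the second free of f */
        g_filter = NULL;            /* cleared too late to help the other socket */
    }
    pthread_mutex_unlock(&sk->lock);
}

/* Hardened shape: take one lock that covers every socket, unpublish the
 * pointer (g_filter = NULL) before releasing it, and free outside the
 * critical section. A second caller sees NULL and has nothing to free.
 * Returns 0 on success, -1 when no filter was attached. */
static int detach_safe(struct sock *sk)
{
    pthread_mutex_lock(&sk->lock);
    pthread_mutex_lock(&g_filter_lock);
    struct filter *f = g_filter;
    g_filter = NULL;
    pthread_mutex_unlock(&g_filter_lock);
    pthread_mutex_unlock(&sk->lock);

    if (!f)
        return -1;
    instrumented_free(f);
    return 0;
}

/* Replay the interleaving from the report: two sockets issue detach at the
 * same time. Returns the number of double frees observed. */
static int simulate_detach_race(bool hardened)
{
    struct sock a = { PTHREAD_MUTEX_INITIALIZER };
    struct sock b = { PTHREAD_MUTEX_INITIALIZER };
    struct filter *f = calloc(1, sizeof *f);
    if (!f)
        abort();
    f->id = 1;
    g_filter = f;
    g_double_frees = 0;

    if (hardened) {
        detach_safe(&a);
        detach_safe(&b);                                /* finds g_filter == NULL */
    } else {
        struct filter *fa = detach_unsafe_fetch(&a);
        struct filter *fb = detach_unsafe_fetch(&b);    /* fa == fb */
        detach_unsafe_release(&a, fa);
        detach_unsafe_release(&b, fb);                  /* releases the same object again */
    }

    int result = g_double_frees;
    free(f);                                            /* real release, exactly once */
    return result;
}

int main(void)
{
    printf("unsafe detach, two sockets:   %d double free(s)\n", simulate_detach_race(false));
    printf("hardened detach, two sockets: %d double free(s)\n", simulate_detach_race(true));
    return 0;
}
```

The model reproduces the report's reasoning exactly: a per-socket lock does not exclude a different socket, so the read of the global and its free are not atomic with respect to each other across sockets. The defensive property to look for in a fix is that ownership of the global is transferred (pointer swapped to NULL) under one lock that every caller takes, before anything is freed; that is what makes the second detach a harmless no-op.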
