| Message ID | 1d34425a0ea8a553a66dcf4f22ca55cc920dbb42.1649913521.git.duoming@zju.edu.cn (mailing list archive) |
|---|---|
| State | Changes Requested |
| Delegated to: | Netdev Maintainers |
| Headers | show |
| Series | Fix double free bugs and UAF bug in nfcmrvl module | expand |
Hello there,
Sorry here but actually I didn't "review" this patch but only offer some suggestions.
It seems that the current version of patch mainly focus on solving the data race. However, I'd prefer to make sure this function
> static void fw_dnld_over(struct nfcmrvl_private *priv, u32 error)
never be able to be called more than once. Maybe add some additional flag with lock is more appropriate.
Regards
Lin
diff --git a/drivers/nfc/nfcmrvl/fw_dnld.c b/drivers/nfc/nfcmrvl/fw_dnld.c index e83f65596a8..c22a4556db5 100644 --- a/drivers/nfc/nfcmrvl/fw_dnld.c +++ b/drivers/nfc/nfcmrvl/fw_dnld.c @@ -92,12 +92,14 @@ static struct sk_buff *alloc_lc_skb(struct nfcmrvl_private *priv, uint8_t plen) static void fw_dnld_over(struct nfcmrvl_private *priv, u32 error) { + spin_lock_irq(&priv->fw_dnld.lock); if (priv->fw_dnld.fw) { release_firmware(priv->fw_dnld.fw); priv->fw_dnld.fw = NULL; priv->fw_dnld.header = NULL; priv->fw_dnld.binary_config = NULL; } + spin_unlock_irq(&priv->fw_dnld.lock); atomic_set(&priv->ndev->cmd_cnt, 0); @@ -451,6 +453,7 @@ int nfcmrvl_fw_dnld_init(struct nfcmrvl_private *priv) if (!priv->fw_dnld.rx_wq) return -ENOMEM; skb_queue_head_init(&priv->fw_dnld.rx_q); + spin_lock_init(&priv->fw_dnld.lock); return 0; } diff --git a/drivers/nfc/nfcmrvl/fw_dnld.h b/drivers/nfc/nfcmrvl/fw_dnld.h index 7c4d91b0191..6974c307947 100644 --- a/drivers/nfc/nfcmrvl/fw_dnld.h +++ b/drivers/nfc/nfcmrvl/fw_dnld.h @@ -75,6 +75,8 @@ struct nfcmrvl_fw_dnld { struct sk_buff_head rx_q; struct timer_list timer; + /* To synchronize among different threads that call firmware.*/ + spinlock_t lock; }; int nfcmrvl_fw_dnld_init(struct nfcmrvl_private *priv);
There are potential double free bugs in nfcmrvl usb driver among fw_dnld_rx_work(), fw_dnld_timeout() and nfcmrvl_nci_unregister_dev(). All these three functions will call fw_dnld_over(). The fw_dnld_rx_work() is a work item, the fw_dnld_timeout() is a timer handler and the nfcmrvl_nci_unregister_dev() is called when nfcmrvl_nci device is detaching. So these three functions could execute concurrently. The race between fw_dnld_rx_work() and nfcmrvl_nci_unregister_dev() can be shown as below: (Thread 1) | (Thread 2) | fw_dnld_rx_work | fw_dnld_over | release_firmware | kfree(fw); //(1) nfcmrvl_disconnect | nfcmrvl_nci_unregister_dev | nfcmrvl_fw_dnld_abort | fw_dnld_over | ... if (priv->fw_dnld.fw) | release_firmware | kfree(fw); //(2) | ... | priv->fw_dnld.fw = NULL; When the fw_dnld_rx_work work item is executing, we detach the device. The release_firmware() will deallocate firmware in position (1), but firmware will be deallocated again in position (2), which leads to double free. The race between fw_dnld_rx_work() and fw_dnld_timeout() can be shown as below: (Thread 1) | (Thread 2) | fw_dnld_rx_work | fw_dnld_over | release_firmware | kfree(fw); //(1) fw_dnld_timeout | fw_dnld_over | ... if (priv->fw_dnld.fw) | release_firmware | kfree(fw); //(2) | ... | priv->fw_dnld.fw = NULL; The release_firmware() will deallocate firmware in position (1), but firmware will be deallocated again in position (2), which leads to double free. The race between fw_dnld_timeout() and nfcmrvl_nci_unregister_dev() can be shown as below. (Thread 1) | (Thread 2) | nfcmrvl_disconnect | nfcmrvl_nci_unregister_dev | nfcmrvl_fw_dnld_abort | fw_dnld_over | release_firmware | kfree(fw); //(1) fw_dnld_timeout | fw_dnld_over | ... if (priv->fw_dnld.fw) | release_firmware | kfree(fw); //(2) | ... | priv->fw_dnld.fw = NULL; The release_firmware() will deallocate firmware in position (1), but firmware will be deallocated again in position (2), which leads to double free. This patch adds spin_lock_irq in fw_dnld_over() in order to synchronize among different threads that call fw_dnld_over(). The priv->fw_dnld.fw will be set to NULL after work item is finished and fw_dnld_over() called by other threads will check whether priv->fw_dnld.fw is NULL. So the double free bug could be prevented. Fixes: 3194c6870158e3 ("NFC: nfcmrvl: add firmware download support") Signed-off-by: Duoming Zhou <duoming@zju.edu.cn> Reviewed-by: Lin Ma <linma@zju.edu.cn> --- Changes in V3: - Make commit message more clearer. - Use spin_lock_irq to synchronize. drivers/nfc/nfcmrvl/fw_dnld.c | 3 +++ drivers/nfc/nfcmrvl/fw_dnld.h | 2 ++ 2 files changed, 5 insertions(+)