diff mbox series

[net] nfc: pn533: Fix use-after-free bugs caused by pn532_cmd_timeout

Message ID 20220818090621.106094-1-duoming@zju.edu.cn (mailing list archive)
State Accepted
Commit f1e941dbf80a9b8bab0bffbc4cbe41cc7f4c6fb6
Delegated to: Netdev Maintainers
Headers show
Series [net] nfc: pn533: Fix use-after-free bugs caused by pn532_cmd_timeout | expand

Checks

Context Check Description
netdev/tree_selection success Clearly marked for net
netdev/fixes_present success Fixes tag present in non-next series
netdev/subject_prefix success Link
netdev/cover_letter success Single patches do not need cover letters
netdev/patch_count success Link
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 85 this patch: 85
netdev/cc_maintainers fail 1 blamed authors not CCed: poeschel@lemonage.de; 2 maintainers not CCed: rikard.falkeborn@gmail.com poeschel@lemonage.de
netdev/build_clang success Errors and warnings before: 0 this patch: 0
netdev/module_param success Was 0 now: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 85 this patch: 85
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 7 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Duoming Zhou Aug. 18, 2022, 9:06 a.m. UTC 
When the pn532 uart device is detaching, the pn532_uart_remove()
is called. But there are no functions in pn532_uart_remove() that
could delete the cmd_timeout timer, which will cause use-after-free
bugs. The process is shown below:

    (thread 1)                  |        (thread 2)
                                |  pn532_uart_send_frame
pn532_uart_remove               |    mod_timer(&pn532->cmd_timeout,...)
  ...                           |    (wait a time)
  kfree(pn532) //FREE           |    pn532_cmd_timeout
                                |      pn532_uart_send_frame
                                |        pn532->... //USE

This patch adds del_timer_sync() in pn532_uart_remove() in order to
prevent the use-after-free bugs. What's more, the pn53x_unregister_nfc()
is well synchronized, it sets nfc_dev->shutting_down to true and there
are no syscalls could restart the cmd_timeout timer.

Fixes: c656aa4c27b1 ("nfc: pn533: add UART phy driver")
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
---
 drivers/nfc/pn533/uart.c | 1 +
 1 file changed, 1 insertion(+)

Comments

patchwork-bot+netdevbpf@kernel.org Aug. 22, 2022, 2 p.m. UTC | #1 
Hello:

This patch was applied to netdev/net.git (master)
by David S. Miller <davem@davemloft.net>:

On Thu, 18 Aug 2022 17:06:21 +0800 you wrote:
> When the pn532 uart device is detaching, the pn532_uart_remove()
> is called. But there are no functions in pn532_uart_remove() that
> could delete the cmd_timeout timer, which will cause use-after-free
> bugs. The process is shown below:
> 
>     (thread 1)                  |        (thread 2)
>                                 |  pn532_uart_send_frame
> pn532_uart_remove               |    mod_timer(&pn532->cmd_timeout,...)
>   ...                           |    (wait a time)
>   kfree(pn532) //FREE           |    pn532_cmd_timeout
>                                 |      pn532_uart_send_frame
>                                 |        pn532->... //USE
> 
> [...]

Here is the summary with links:
  - [net] nfc: pn533: Fix use-after-free bugs caused by pn532_cmd_timeout
    https://git.kernel.org/netdev/net/c/f1e941dbf80a

You are awesome, thank you!
diff mbox series

Patch

diff --git a/drivers/nfc/pn533/uart.c b/drivers/nfc/pn533/uart.c
index 2caf997f9bc..07596bf5f7d 100644
--- a/drivers/nfc/pn533/uart.c
+++ b/drivers/nfc/pn533/uart.c
@@ -310,6 +310,7 @@  static void pn532_uart_remove(struct serdev_device *serdev)
 	pn53x_unregister_nfc(pn532->priv);
 	serdev_device_close(serdev);
 	pn53x_common_clean(pn532->priv);
+	del_timer_sync(&pn532->cmd_timeout);
 	kfree_skb(pn532->recv_skb);
 	kfree(pn532);
 }