* [PATCH net] nfc: pn533: Fix use-after-free bugs caused by pn532_cmd_timeout
@ 2022-08-18 9:06 Duoming Zhou
2022-08-22 14:00 ` patchwork-bot+netdevbpf
0 siblings, 1 reply; 2+ messages in thread
From: Duoming Zhou @ 2022-08-18 9:06 UTC (permalink / raw)
To: netdev, krzysztof.kozlowski, linux-kernel
Cc: davem, gregkh, alexander.deucher, broonie, kuba, Duoming Zhou
When the pn532 uart device is detaching, the pn532_uart_remove()
is called. But there are no functions in pn532_uart_remove() that
could delete the cmd_timeout timer, which will cause use-after-free
bugs. The process is shown below:
(thread 1) | (thread 2)
| pn532_uart_send_frame
pn532_uart_remove | mod_timer(&pn532->cmd_timeout,...)
... | (wait a time)
kfree(pn532) //FREE | pn532_cmd_timeout
| pn532_uart_send_frame
| pn532->... //USE
This patch adds del_timer_sync() in pn532_uart_remove() in order to
prevent the use-after-free bugs. What's more, the pn53x_unregister_nfc()
is well synchronized, it sets nfc_dev->shutting_down to true and there
are no syscalls could restart the cmd_timeout timer.
Fixes: c656aa4c27b1 ("nfc: pn533: add UART phy driver")
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
---
drivers/nfc/pn533/uart.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/nfc/pn533/uart.c b/drivers/nfc/pn533/uart.c
index 2caf997f9bc..07596bf5f7d 100644
--- a/drivers/nfc/pn533/uart.c
+++ b/drivers/nfc/pn533/uart.c
@@ -310,6 +310,7 @@ static void pn532_uart_remove(struct serdev_device *serdev)
pn53x_unregister_nfc(pn532->priv);
serdev_device_close(serdev);
pn53x_common_clean(pn532->priv);
+ del_timer_sync(&pn532->cmd_timeout);
kfree_skb(pn532->recv_skb);
kfree(pn532);
}
--
2.17.1
^ permalink raw reply related [flat|nested] 2+ messages in thread* Re: [PATCH net] nfc: pn533: Fix use-after-free bugs caused by pn532_cmd_timeout
2022-08-18 9:06 [PATCH net] nfc: pn533: Fix use-after-free bugs caused by pn532_cmd_timeout Duoming Zhou
@ 2022-08-22 14:00 ` patchwork-bot+netdevbpf
0 siblings, 0 replies; 2+ messages in thread
From: patchwork-bot+netdevbpf @ 2022-08-22 14:00 UTC (permalink / raw)
To: Duoming Zhou
Cc: netdev, krzysztof.kozlowski, linux-kernel, davem, gregkh,
alexander.deucher, broonie, kuba
Hello:
This patch was applied to netdev/net.git (master)
by David S. Miller <davem@davemloft.net>:
On Thu, 18 Aug 2022 17:06:21 +0800 you wrote:
> When the pn532 uart device is detaching, the pn532_uart_remove()
> is called. But there are no functions in pn532_uart_remove() that
> could delete the cmd_timeout timer, which will cause use-after-free
> bugs. The process is shown below:
>
> (thread 1) | (thread 2)
> | pn532_uart_send_frame
> pn532_uart_remove | mod_timer(&pn532->cmd_timeout,...)
> ... | (wait a time)
> kfree(pn532) //FREE | pn532_cmd_timeout
> | pn532_uart_send_frame
> | pn532->... //USE
>
> [...]
Here is the summary with links:
- [net] nfc: pn533: Fix use-after-free bugs caused by pn532_cmd_timeout
https://git.kernel.org/netdev/net/c/f1e941dbf80a
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2022-08-22 14:01 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-08-18 9:06 [PATCH net] nfc: pn533: Fix use-after-free bugs caused by pn532_cmd_timeout Duoming Zhou
2022-08-22 14:00 ` patchwork-bot+netdevbpf
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.