From ddb90b8c0594b6f4fe72112e85492ba9f1f1956d Mon Sep 17 00:00:00 2001 |
From: Sasha Levin <sashal@kernel.org> |
Date: Thu, 18 Aug 2022 17:06:21 +0800 |
Subject: nfc: pn533: Fix use-after-free bugs caused by pn532_cmd_timeout |
|
From: Duoming Zhou <duoming@zju.edu.cn> |
|
[ Upstream commit f1e941dbf80a9b8bab0bffbc4cbe41cc7f4c6fb6 ] |
|
When the pn532 uart device is detaching, the pn532_uart_remove() |
is called. But there are no functions in pn532_uart_remove() that |
could delete the cmd_timeout timer, which will cause use-after-free |
bugs. The process is shown below: |
|
(thread 1) | (thread 2) |
| pn532_uart_send_frame |
pn532_uart_remove | mod_timer(&pn532->cmd_timeout,...) |
... | (wait a time) |
kfree(pn532) //FREE | pn532_cmd_timeout |
| pn532_uart_send_frame |
| pn532->... //USE |
|
This patch adds del_timer_sync() in pn532_uart_remove() in order to |
prevent the use-after-free bugs. What's more, the pn53x_unregister_nfc() |
is well synchronized, it sets nfc_dev->shutting_down to true and there |
are no syscalls that could restart the cmd_timeout timer. |
|
Fixes: c656aa4c27b1 ("nfc: pn533: add UART phy driver") |
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn> |
Signed-off-by: David S. Miller <davem@davemloft.net> |
Signed-off-by: Sasha Levin <sashal@kernel.org> |
--- |
drivers/nfc/pn533/uart.c | 1 + |
1 file changed, 1 insertion(+) |
|
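diff --git a/drivers/nfc/pn533/uart.c b/drivers/nfc/pn533/uart.c
index 2caf997f9bc94..07596bf5f7d6d 100644
--- a/drivers/nfc/pn533/uart.c
+++ b/drivers/nfc/pn533/uart.c
@@ -310,6 +310,7 @@ static void pn532_uart_remove(struct serdev_device *serdev)
 pn53x_unregister_nfc(pn532->priv);
 serdev_device_close(serdev);
 pn53x_common_clean(pn532->priv);
+ del_timer_sync(&pn532->cmd_timeout);
 kfree_skb(pn532->recv_skb);
 kfree(pn532);
 }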
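Review bot: The new `del_timer_sync(&pn532->cmd_timeout);` sits after `serdev_device_close(serdev)`, so a timeout that fires between those two calls still runs the handler; pn532 is not freed yet at that point, so this is no longer a use-after-free, but per the commit message the handler goes through pn532_uart_send_frame, which presumably then operates on an already closed port. Whether the cancel can safely move ahead of the close depends on whether pn53x_common_clean() can still queue a frame and re-arm the timer, which is not visible in this hunk, so the ordering deserves a comment such as `/* cmd_timeout's handler dereferences pn532: cancel it after the core is quiesced and before kfree(pn532) */`. del_timer_sync() only protects the free if nothing re-arms the timer afterwards, which the description argues from nfc_dev->shutting_down; an unbind test under KASAN would confirm that. The start of pn532_uart_remove() is outside the hunk.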
-- |
2.35.1 |
|