Received: by 2002:a05:6512:3d0e:0:0:0:0 with SMTP id d14csp869998lfv;
        Tue, 12 Apr 2022 07:33:10 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJxP8tY3Dy0HHWVh9oygC0gA4TmS++QXT/68+lY3V9zwOs1fhxmI5trEjvkgNFDPopAzt6dR
X-Received: by 2002:a05:6870:4789:b0:dd:e6e0:2471 with SMTP id c9-20020a056870478900b000dde6e02471mr2221092oaq.195.1649773989883;
        Tue, 12 Apr 2022 07:33:09 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1649773989; cv=none;
        d=google.com; s=arc-20160816;
        b=v/CaLGGaonEmx/rhSHGfvkIsIWxCF3+h7w4r153hVX637ACKwufdtkyvkLPiqiHbn+
         8VNeYQAg6GVOgt309/c8XOYZgPDQOgrzxRFincUBzfdW1piVuxiTEjIorlgm+xmoGTp1
         ZzU5vgolKqviZKznLsWFQOUX1f3FfVah1Mx5oZfl01J5/aIf9wWYaR6q6pbqS1TNpyIj
         wPmp7eFQ2qKtTtHj9QYOJuqfKOUUe30r/nYb2O9PV0lo09DdlEwo693Q415iNUpZTxCl
         Z0kInQP9XEvYDU05jY7PXCvFLiIPby+kOEmzRYboHukwr8uUE5wUKmBPPH1f6Rb5VKCE
         YW2Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:message-id:date:subject:cc:to:from;
        bh=oFKBsiAftNtcDTKon29jrJD65o2c0ecsHBeps8NGDus=;
        b=Q+RpLLfohRvn5iMt1HmH21LBGQ5fqeVFcUxxatCJ7yfc4SsXPYnmG7IVC3cBTRwz6p
         6TUVmZv0HegWLeI6enqBM5ydyLANx5SfapHs8bFvQNHs78pco1a5XiG9q+brCiKLtKFe
         Mig1bra55FCUXMfeX2BPr0zDeTmPexRkZABJN3ma8/Gh+NaxMVF5TxRhsHeVgHCtdb0R
         UdqjcFhDRPrTzqf9GWlEX2Kw9PAWBzgPRdPVm/2ENe+sDDME9JlAyGZT7FfsTB1/TuPG
         4UEQ/hwerih9sQBE4MCWc/ZB0ONf+b7S40kKxn5j7tV08Jdati59g+3N9a6jeUeZBYpv
         msIA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id bj27-20020a056808199b00b002ef0c3475aasi7632094oib.42.2022.04.12.07.32.54;
        Tue, 12 Apr 2022 07:33:09 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S239436AbiDJNyo (ORCPT <rfc822;arunks.linux@gmail.com>
        + 99 others); Sun, 10 Apr 2022 09:54:44 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55922 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S239197AbiDJNyk (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sun, 10 Apr 2022 09:54:40 -0400
Received: from zju.edu.cn (mail.zju.edu.cn [61.164.42.155])
        by lindbergh.monkeyblade.net (Postfix) with ESMTP id CA50C55BFB;
        Sun, 10 Apr 2022 06:52:27 -0700 (PDT)
Received: from ubuntu.localdomain (unknown [10.15.192.164])
        by mail-app4 (Coremail) with SMTP id cS_KCgA3OfAN4VJixPAGAQ--.13621S2;
        Sun, 10 Apr 2022 21:52:17 +0800 (CST)
From:   Duoming Zhou <duoming@zju.edu.cn>
To:     krzk@kernel.org, linux-kernel@vger.kernel.org
Cc:     netdev@vger.kernel.org, akpm@linux-foundation.org,
        davem@davemloft.net, gregkh@linuxfoundation.org,
        alexander.deucher@amd.com, broonie@kernel.org,
        Duoming Zhou <duoming@zju.edu.cn>
Subject: [PATCH V2] drivers: nfc: nfcmrvl: fix double free bug in nfcmrvl_nci_unregister_dev()
Date:   Sun, 10 Apr 2022 21:52:14 +0800
Message-Id: <20220410135214.74216-1-duoming@zju.edu.cn>
X-Mailer: git-send-email 2.17.1
X-CM-TRANSID: cS_KCgA3OfAN4VJixPAGAQ--.13621S2
X-Coremail-Antispam: 1UD129KBjvJXoW7KFy7XF17GFWkKw17ArWfuFg_yoW8ZFWrpF
        45WF1rAw1qkr4YqFsYyrsrtF98Ca13GFyUGFZxJ3s3Zrn0vFW0ywnFyryrXr1qqrW8JayY
        kwnxAa4UuF4vyFJanT9S1TB71UUUUUUqnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2
        9KBjDU0xBIdaVrnRJUUUka1xkIjI8I6I8E6xAIw20EY4v20xvaj40_Wr0E3s1l1IIY67AE
        w4v_Jr0_Jr4l8cAvFVAK0II2c7xJM28CjxkF64kEwVA0rcxSw2x7M28EF7xvwVC0I7IYx2
        IY67AKxVWDJVCq3wA2z4x0Y4vE2Ix0cI8IcVCY1x0267AKxVW8Jr0_Cr1UM28EF7xvwVC2
        z280aVAFwI0_GcCE3s1l84ACjcxK6I8E87Iv6xkF7I0E14v26rxl6s0DM2AIxVAIcxkEcV
        Aq07x20xvEncxIr21l5I8CrVACY4xI64kE6c02F40Ex7xfMcIj6xIIjxv20xvE14v26r1j
        6r18McIj6I8E87Iv67AKxVWUJVW8JwAm72CE4IkC6x0Yz7v_Jr0_Gr1lF7xvr2IYc2Ij64
        vIr41lF7I21c0EjII2zVCS5cI20VAGYxC7MxAIw28IcxkI7VAKI48JMxAIw28IcVCjz48v
        1sIEY20_GFWkJr1UJwCFx2IqxVCFs4IE7xkEbVWUJVW8JwC20s026c02F40E14v26r1j6r
        18MI8I3I0E7480Y4vE14v26r106r1rMI8E67AF67kF1VAFwI0_Jw0_GFylIxkGc2Ij64vI
        r41lIxAIcVC0I7IYx2IY67AKxVWUJVWUCwCI42IY6xIIjxv20xvEc7CjxVAFwI0_Jr0_Gr
        1lIxAIcVCF04k26cxKx2IYs7xG6r1j6r1xMIIF0xvEx4A2jsIE14v26r1j6r4UMIIF0xvE
        x4A2jsIEc7CjxVAFwI0_Gr0_Gr1UYxBIdaVFxhVjvjDU0xZFpf9x0JUdHUDUUUUU=
X-CM-SenderInfo: qssqjiasttq6lmxovvfxof0/1tbiAgkQAVZdtZHYlwANs3
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_HELO_PASS,
        SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no
        version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

There is a potential double bug in nfcmrvl usb driver between
unregister and resume operation.

The race that cause that double free bug can be shown as below:

   (FREE)                   |      (USE)
                            | nfcmrvl_resume
                            |  nfcmrvl_submit_bulk_urb
                            |   nfcmrvl_bulk_complete
                            |    nfcmrvl_nci_recv_frame
                            |     nfcmrvl_fw_dnld_recv_frame
                            |      queue_work
                            |       fw_dnld_rx_work
                            |        fw_dnld_over
                            |         release_firmware
                            |          kfree(fw); //(1)
nfcmrvl_disconnect          |
 nfcmrvl_nci_unregister_dev |
  nfcmrvl_fw_dnld_abort     |
   fw_dnld_over             |         ...
    if (priv->fw_dnld.fw)   |
    release_firmware        |
     kfree(fw); //(2)       |
     ...                    |         priv->fw_dnld.fw = NULL;

When nfcmrvl usb driver is resuming, we detach the device.
The release_firmware() will deallocate firmware in position (1),
but firmware will be deallocated again in position (2), which
leads to double free.

This patch reorders nfcmrvl_fw_dnld_deinit() before nfcmrvl_fw_dnld_abort()
in order to prevent double free bug. Because destroy_workqueue() will
not return until all work items are finished. The priv->fw_dnld.fw will
be set to NULL after work items are finished and fw_dnld_over() called by
nfcmrvl_nci_unregister_dev() will check whether priv->fw_dnld.fw is NULL.
So the double free bug could be prevented.

Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
---
Changes in V2:
  - Make commit message more clearer.

 drivers/nfc/nfcmrvl/main.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/nfc/nfcmrvl/main.c b/drivers/nfc/nfcmrvl/main.c
index 2fcf545012b..d8342271f50 100644
--- a/drivers/nfc/nfcmrvl/main.c
+++ b/drivers/nfc/nfcmrvl/main.c
@@ -183,11 +183,10 @@ void nfcmrvl_nci_unregister_dev(struct nfcmrvl_private *priv)
 {
 	struct nci_dev *ndev = priv->ndev;
 
+	nfcmrvl_fw_dnld_deinit(priv);
 	if (priv->ndev->nfc_dev->fw_download_in_progress)
 		nfcmrvl_fw_dnld_abort(priv);
 
-	nfcmrvl_fw_dnld_deinit(priv);
-
 	if (gpio_is_valid(priv->config.reset_n_io))
 		gpio_free(priv->config.reset_n_io);
 
-- 
2.17.1