From: Duoming Zhou
To: linux-kernel@vger.kernel.org
Cc: netdev@vger.kernel.org, alexander.deucher@amd.com, gregkh@linuxfoundation.org, davem@davemloft.net, krzk@kernel.org, Duoming Zhou
Subject: [PATCH] drivers: nfc: nfcmrvl: fix UAF bug in nfcmrvl_nci_unregister_dev()
Date: Sat, 9 Apr 2022 21:58:54 +0800
Message-Id: <20220409135854.33333-1-duoming@zju.edu.cn>

There is a potential UAF bug in the nfcmrvl USB driver between the unregister and resume operations.
The race that causes that UAF can be shown as below:

(FREE)                        | (USE)
                              | nfcmrvl_resume
                              |   nfcmrvl_submit_bulk_urb
                              |     nfcmrvl_bulk_complete
                              |       nfcmrvl_nci_recv_frame
                              |         nfcmrvl_fw_dnld_recv_frame
                              |           skb_queue_tail
nfcmrvl_disconnect            |
  nfcmrvl_nci_unregister_dev  |
    nfcmrvl_fw_dnld_deinit    |
      ...                     |
      destroy_workqueue //(1) |
      ...                     |           queue_work //(2)

When the nfcmrvl USB driver is resuming, we detach the device. The workqueue is destroyed at position (1), but it will later be used at position (2), which leads to a data race.

This patch reorders nfcmrvl_fw_dnld_deinit after nci_unregister_device in order to prevent the UAF, because nci_unregister_device will not return until all operations from the upper layer have finished.

Signed-off-by: Duoming Zhou
---
 drivers/nfc/nfcmrvl/main.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/nfc/nfcmrvl/main.c b/drivers/nfc/nfcmrvl/main.c
index 2fcf545012b..5ed17b23ee8 100644
--- a/drivers/nfc/nfcmrvl/main.c
+++ b/drivers/nfc/nfcmrvl/main.c
@@ -186,12 +186,11 @@ void nfcmrvl_nci_unregister_dev(struct nfcmrvl_private *priv)
 	if (priv->ndev->nfc_dev->fw_download_in_progress)
 		nfcmrvl_fw_dnld_abort(priv);
 
-	nfcmrvl_fw_dnld_deinit(priv);
-
 	if (gpio_is_valid(priv->config.reset_n_io))
 		gpio_free(priv->config.reset_n_io);
 
 	nci_unregister_device(ndev);
+	nfcmrvl_fw_dnld_deinit(priv);
 	nci_free_device(ndev);
 	kfree(priv);
 }
-- 
2.17.1
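Review bot: the reordering in this hunk is only sound if nci_unregister_device(ndev) guarantees that no nfcmrvl_nci_recv_frame -> nfcmrvl_fw_dnld_recv_frame -> queue_work path can still run once it returns; the commit message asserts this, but nothing in the hunk shows which synchronization in nci_unregister_device provides it, so the ordering is easy to break in a later cleanup. A one-line comment above the moved `+	nfcmrvl_fw_dnld_deinit(priv);` stating that the firmware-download workqueue must outlive nci_unregister_device(ndev) because the bulk URB completion path can still queue work until then would document the invariant, and the commit message should name the call in nci_unregister_device that flushes or kills the in-flight receive path rather than saying only that it "will not return until all operations from the upper layer have finished". Also, a use-after-free fix in a driver normally carries a Fixes: tag pointing at the commit that introduced the original ordering, and a Cc: stable line, both of which are absent here.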