Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18;
Message-ID: <3daec73abc2f21809a8057b6a9729a70d2877231.camel@redhat.com>
Subject: Re: [PATCH V2] drivers: nfc: nfcmrvl: fix double free bug in
 nfcmrvl_nci_unregister_dev()
From:   Paolo Abeni <pabeni@redhat.com>
To:     Duoming Zhou <duoming@zju.edu.cn>, krzk@kernel.org,
        linux-kernel@vger.kernel.org
Cc:     netdev@vger.kernel.org, akpm@linux-foundation.org,
        davem@davemloft.net, gregkh@linuxfoundation.org,
        alexander.deucher@amd.com, broonie@kernel.org
Date:   Tue, 12 Apr 2022 09:28:13 +0200
In-Reply-To: <20220410135214.74216-1-duoming@zju.edu.cn>
References: <20220410135214.74216-1-duoming@zju.edu.cn>
Content-Type: text/plain; charset="UTF-8"
User-Agent: Evolution 3.42.4 (3.42.4-2.fc35) 
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Precedence: bulk

Hello,

On Sun, 2022-04-10 at 21:52 +0800, Duoming Zhou wrote:
> There is a potential double bug in nfcmrvl usb driver between
> unregister and resume operation.
> 
> The race that cause that double free bug can be shown as below:
> 
>    (FREE)                   |      (USE)
>                             | nfcmrvl_resume
>                             |  nfcmrvl_submit_bulk_urb
>                             |   nfcmrvl_bulk_complete
>                             |    nfcmrvl_nci_recv_frame
>                             |     nfcmrvl_fw_dnld_recv_frame
>                             |      queue_work
>                             |       fw_dnld_rx_work
>                             |        fw_dnld_over
>                             |         release_firmware
>                             |          kfree(fw); //(1)
> nfcmrvl_disconnect          |
>  nfcmrvl_nci_unregister_dev |
>   nfcmrvl_fw_dnld_abort     |
>    fw_dnld_over             |         ...
>     if (priv->fw_dnld.fw)   |
>     release_firmware        |
>      kfree(fw); //(2)       |
>      ...                    |         priv->fw_dnld.fw = NULL;
> 
> When nfcmrvl usb driver is resuming, we detach the device.
> The release_firmware() will deallocate firmware in position (1),
> but firmware will be deallocated again in position (2), which
> leads to double free.
> 
> This patch reorders nfcmrvl_fw_dnld_deinit() before nfcmrvl_fw_dnld_abort()
> in order to prevent double free bug. Because destroy_workqueue() will
> not return until all work items are finished. The priv->fw_dnld.fw will
> be set to NULL after work items are finished and fw_dnld_over() called by
> nfcmrvl_nci_unregister_dev() will check whether priv->fw_dnld.fw is NULL.
> So the double free bug could be prevented.
> 
> Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>

This looks like a -net candidates, could you please add a suitable
fixes tag?

Thanks!

Paolo