Received: by 2002:a05:6512:3d0e:0:0:0:0 with SMTP id d14csp6513lfv;
        Tue, 12 Apr 2022 15:02:12 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJzkfQI+WjDYEr78otMWC4F400BFta8je5O9x1PXTuNfalMoxSxGRN2lUlPCKLsIZSEZtXtL
X-Received: by 2002:a4a:bb91:0:b0:321:1c31:ae98 with SMTP id h17-20020a4abb91000000b003211c31ae98mr12346511oop.48.1649800932144;
        Tue, 12 Apr 2022 15:02:12 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1649800932; cv=none;
        d=google.com; s=arc-20160816;
        b=yphl8s/LBM8OnIbusVAs/57VsjBKyyuGvkAG524arrbsc8ENX8JEB27IDA0zH2a7qu
         PcMnZPwZjve/DSS43Ut1OMwXo3AvR8/lYH6jQnfn7De/mJp13mFmTEBZOiZeIVt3FXK4
         hBxk8554+Ki6rfHluetjhImr97JlUsdQUka/AlsMvDKuMIwCVTU07YtHH3CH8bpSDKed
         y1tn9Lj0/SSTLuEzZ3Bk0Vfp92nGJdBlF3UyAbQvXq4v8HX/zU8dhtQ+IbADJFrlXX1k
         o9KtgbKC1hBHluI+DZy3rwRilRinNa4who/BG34FI+2xElDjqriBR/HBv1OhAETvnt/k
         5Hkg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:in-reply-to:from
         :references:cc:to:content-language:subject:user-agent:mime-version
         :date:message-id:dkim-signature;
        bh=xDEG9DCGNhiyNnwqXi2PmcI0m+dQfDJLPuApPCQyOSk=;
        b=kEDg198F8iEzc4GWwkYkq3td0byhGH7rU1tCu7OsKvDa8t0Ks0pz9PT6uzTA0rvtvc
         WWn19HeRtv9huTA4/jxoFqJrXgz86Nzqw8Nyxm2q4z+7ldUEvVIby/0lFF+Ajb4RZTiz
         lL7Y+Tfd6ttPz+kpCpmBOig2j28uwmvWYws9N+VngIgo/5IsDNkWXjteCRStz3V4djhC
         oLxhzPQMJek+91L/3RiGZ4HszaPW36zC2oK+cNvJmwx0uFFWAOP4UEOOJsE2SCp37JSh
         6VjNRDHrDVFHGj/aLHJQiV1b0TETx8bwNI6FZdm3aYXIcRik/7zi8kFEwJ5nyVldWw3L
         zBwg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linaro.org header.s=google header.b=k6bi5Ebh;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18])
        by mx.google.com with ESMTPS id b25-20020a9d6b99000000b005cdcfd0c720si6917422otq.76.2022.04.12.15.02.11
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 12 Apr 2022 15:02:12 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linaro.org header.s=google header.b=k6bi5Ebh;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by lindbergh.monkeyblade.net (Postfix) with ESMTP id 299AE15609B;
	Tue, 12 Apr 2022 13:54:08 -0700 (PDT)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S236236AbiDJJTV (ORCPT <rfc822;2014014876lha@gmail.com>
        + 99 others); Sun, 10 Apr 2022 05:19:21 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53564 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S236194AbiDJJTU (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sun, 10 Apr 2022 05:19:20 -0400
Received: from mail-ej1-x630.google.com (mail-ej1-x630.google.com [IPv6:2a00:1450:4864:20::630])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2EEC1644F3
        for <linux-kernel@vger.kernel.org>; Sun, 10 Apr 2022 02:17:08 -0700 (PDT)
Received: by mail-ej1-x630.google.com with SMTP id n6so25106365ejc.13
        for <linux-kernel@vger.kernel.org>; Sun, 10 Apr 2022 02:17:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linaro.org; s=google;
        h=message-id:date:mime-version:user-agent:subject:content-language:to
         :cc:references:from:in-reply-to:content-transfer-encoding;
        bh=xDEG9DCGNhiyNnwqXi2PmcI0m+dQfDJLPuApPCQyOSk=;
        b=k6bi5EbhhmZe+s2cvNexUNYH6JLZDVNvtWvAK2eJyvWRJdetKPYGrC72ZRJ+54NtuR
         bFuLjaWjoSRYDN/4pKyTxqYz0OEyhPxP7/JV0OshSCSqTkSVnHo+Qo5eMdme/qih53Wn
         wXS8c3i8jkSAWaAuDSp3qJJk+ycFfV+N7DmIjtk0nnlh/kKBUswPGNGSIFCDWNeKO6G7
         5PV3UdcKWTTHH7zYHq2pvWSnR+WVMHSTyl42U2+hVBhJENDUImodcnN+SSqg44oif6BA
         YTLSVh+zQc1EbxRptj1rTQY77uJ3NYVylOBGAg3hj5NbivFLNr8ACTvbFVCir/Gs793r
         h6kA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:message-id:date:mime-version:user-agent:subject
         :content-language:to:cc:references:from:in-reply-to
         :content-transfer-encoding;
        bh=xDEG9DCGNhiyNnwqXi2PmcI0m+dQfDJLPuApPCQyOSk=;
        b=0l2Rw6wPVSM3X12NsPpUBOkzX2Hxyo8gZ59et8Cl8d3+WwS8diZ5E+cJ2yxkzdBzm4
         34ImrgDHFEHY5VDzX0zvggZkMbaKvKNfKAJp/VkHm4X6oy4jpz4vzEfiuxAMfKcLDaQB
         f6wIGB5Goh9fhM6M/MHipql/g2Lkuw2lmohhiuhdURMbtLRNYJR6DikqO899Oa/EKLHe
         iblJii/7lpngFX1Z+F3Cj1bFKW9sn5j+DAmEcxgeadhB9KUhJE9VQ5w8YTCCIgi3AXMR
         ye8qmF/UTXrMKUwY1EWNCxAcNcJp9c6J1muq9fiJmVF3g0ySB7eh2FotuTGyEU5ilCh1
         Et4A==
X-Gm-Message-State: AOAM5335Wtd35BkkMyDDkBTvjRvKBqFMT94vEofMb+gshX1gI7TNwdq9
        5cxFypKkVcUecVJ6cnl11MoEvQ==
X-Received: by 2002:a17:907:3ea3:b0:6e6:faf5:b8e with SMTP id hs35-20020a1709073ea300b006e6faf50b8emr26411655ejc.402.1649582227019;
        Sun, 10 Apr 2022 02:17:07 -0700 (PDT)
Received: from [192.168.0.188] (xdsl-188-155-201-27.adslplus.ch. [188.155.201.27])
        by smtp.gmail.com with ESMTPSA id o3-20020aa7dd43000000b00419db53ae65sm13155732edw.7.2022.04.10.02.17.06
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Sun, 10 Apr 2022 02:17:06 -0700 (PDT)
Message-ID: <ac86bfc6-b2ca-0e9c-9e3d-2d59c22c5c7f@linaro.org>
Date:   Sun, 10 Apr 2022 11:17:05 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
 Thunderbird/91.7.0
Subject: Re: [PATCH] drivers: nfc: nfcmrvl: fix UAF bug in
 nfcmrvl_nci_unregister_dev()
Content-Language: en-US
To:     duoming@zju.edu.cn
Cc:     linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
        alexander.deucher@amd.com, gregkh@linuxfoundation.org,
        davem@davemloft.net
References: <20220409135854.33333-1-duoming@zju.edu.cn>
 <7d3a5a6b-9772-a52a-fd18-2e07a8832e91@linaro.org>
 <37334368.2629.1801298f436.Coremail.duoming@zju.edu.cn>
From:   Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
In-Reply-To: <37334368.2629.1801298f436.Coremail.duoming@zju.edu.cn>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, score=-3.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,
	MAILING_LIST_MULTI,NICE_REPLY_A,RDNS_NONE,SPF_HELO_NONE,
	T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no
	version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
	lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 10/04/2022 10:30, duoming@zju.edu.cn wrote:

(...)

> 
>    (FREE)                   |      (USE)
>                             | nfcmrvl_resume
>                             |  nfcmrvl_submit_bulk_urb
>                             |   nfcmrvl_bulk_complete
>                             |    nfcmrvl_nci_recv_frame
>                             |     nfcmrvl_fw_dnld_recv_frame
>                             |      queue_work
>                             |       fw_dnld_rx_work
>                             |        fw_dnld_over
>                             |         release_firmware
>                             |          kfree(fw); //(1)
> nfcmrvl_disconnect          |
>  nfcmrvl_nci_unregister_dev |
>   nfcmrvl_fw_dnld_abort     |
>    fw_dnld_over             |         ...
>     if (priv->fw_dnld.fw)   |
>     release_firmware        |
>      kfree(fw); //(2)       |
>      ...                    |         fw = NULL;
> 
> When nfcmrvl usb driver is resuming, we detach the device.
> The release_firmware() will deallocate firmware in position (1),
> but firmware will be deallocate again in position (2), which
> leads to double free.

Indeed. The code looks racy. It uses the fw_download_in_progress
variable which in core is partially protected with device_lock(). Moving
code around might not solve the issue entirely because there is no
synchronization here.

> 
>>> This patch reorders the nfcmrvl_fw_dnld_deinit after
>>> nci_unregister_device in order to prevent UAF. Because
>>> nci_unregister_device will not return until finish all
>>> operations from upper layer.
>>>
>>> Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
>>> ---
>>>  drivers/nfc/nfcmrvl/main.c | 3 +--
>>>  1 file changed, 1 insertion(+), 2 deletions(-)
>>>
>>> diff --git a/drivers/nfc/nfcmrvl/main.c b/drivers/nfc/nfcmrvl/main.c
>>> index 2fcf545012b..5ed17b23ee8 100644
>>> --- a/drivers/nfc/nfcmrvl/main.c
>>> +++ b/drivers/nfc/nfcmrvl/main.c
>>> @@ -186,12 +186,11 @@ void nfcmrvl_nci_unregister_dev(struct nfcmrvl_private *priv)
>>>  	if (priv->ndev->nfc_dev->fw_download_in_progress)
>>>  		nfcmrvl_fw_dnld_abort(priv);
>>>  
>>> -	nfcmrvl_fw_dnld_deinit(priv);
>>> -
>>>  	if (gpio_is_valid(priv->config.reset_n_io))
>>>  		gpio_free(priv->config.reset_n_io);
>>>  
>>>  	nci_unregister_device(ndev);
>>> +	nfcmrvl_fw_dnld_deinit(priv);
>>
>> The new order matches reverse-probe, so actually makes sense.
>>
>>>  	nci_free_device(ndev);
>>>  	kfree(priv);
>>>  }
> 
> I will send "[PATCH] drivers: nfc: nfcmrvl: fix double free bug in
> nfcmrvl_nci_unregister_dev()" as soon as possible.

Thanks!


Best regards,
Krzysztof