Received: by 2002:a05:6602:2086:0:0:0:0 with SMTP id a6csp3845436ioa; Tue, 26 Apr 2022 10:50:08 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwLZBd4AEl3ld7Htbk/zB03o5URrJPd08jYjwl+VgcP0n6WQwK9f1TxMVYRB9niJh9ZAa5H X-Received: by 2002:a17:907:1b10:b0:6e4:bac5:f080 with SMTP id mp16-20020a1709071b1000b006e4bac5f080mr22820633ejc.24.1650995408284; Tue, 26 Apr 2022 10:50:08 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1650995408; cv=none; d=google.com; s=arc-20160816; b=y/m+gQazeXjswb4Tjy8DebukF67WgJpWoNRVByaSIrF+hAy1i3JmFFm98CTuFhstpc vKmzFhNH9IYA/qfKbcH1rB4nEcqNc2XFbL2rUMg6DVkN3OsqcFd3LEfWjBnSuvFL9M/a GoHByMlZQzK3Z2uBAY26uUMsRhtUhqr1JyHDrZEfTUA2sxCtB1S7BwfXhprsdD6TlRd2 rF7L5gXfmuwY87zXoIGeo7xyHOHLwsqfrrWmM+03A/gDVHJe+YiGJfkX3xCUSpy68uBS hq4J8gdt8fJ68S/OWqIf4Su81SYQ2yawpMPe+csuGcmmATHZ1V+DORbXTuH4ZC8ZpfoM culg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:date:cc:to:from:subject :message-id:dkim-signature; bh=04oBpXRz9dQvTo95R2G0BWiNbQsIPh3agUFG6K2tgYI=; b=amX2Li8fZb1b/qGkOzvWf4Akj/yskjOrogsVpAVbKoPtztTIiRFmuDF4NdwVojaaBx lpCfTfBM0xITocVxLIpJ9gIL9a7Xtmv7UuIpocLlmPk1hosD0W/KITrZpW4yUVZq8BdL iylsw6kjimYi2HlQ/p+pYFE52HZXIaHJRItovtoB/M2PJFjbzTggNCTlvc0DZmklcFJd 3E1GCmC0bohlrXdt78KYUpng0ZsYGZQhNvJWhcRPf6TCU/mfZpRQ0bIDSD8RrrpsjzOn PfSq0HzoaGoHjUiavrd7peHmkyD4LYd2HHR+WpDKeCmte7b9KdKAECKm/2VjGRZbWgGj dSKg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=Wuw6fMd+; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id h12-20020a50cdcc000000b00425c55eb110si9204301edj.245.2022.04.26.10.49.43; Tue, 26 Apr 2022 10:50:08 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=Wuw6fMd+; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1349497AbiDZLUf (ORCPT + 99 others); Tue, 26 Apr 2022 07:20:35 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44810 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S245427AbiDZLUe (ORCPT ); Tue, 26 Apr 2022 07:20:34 -0400 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 6D92E3A189 for ; Tue, 26 Apr 2022 04:17:25 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1650971845; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=04oBpXRz9dQvTo95R2G0BWiNbQsIPh3agUFG6K2tgYI=; b=Wuw6fMd+ajnW8gK3q3V3jwlwZ+omDQEMkSqtIyfTOdAC57ku8I1ft4CmLC8yHCaMp9x1uU dBldBXt6y5eDfcKZLeIP+2GkMaQxzSKkxOy8BBvuZrPV6xjYIDJ8renoQWR7yNUDPk2wdA DcPc8NBZXY1MmJ7kced4jCj3NHUZXFs= Received: from mail-wm1-f71.google.com (mail-wm1-f71.google.com [209.85.128.71]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-568-lL3G3PC_PtubcUETPxNIMg-1; Tue, 26 Apr 2022 07:17:24 -0400 X-MC-Unique: lL3G3PC_PtubcUETPxNIMg-1 Received: by mail-wm1-f71.google.com with SMTP id p31-20020a05600c1d9f00b0038ed0964a90so707493wms.4 for ; Tue, 26 Apr 2022 04:17:23 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:subject:from:to:cc:date:in-reply-to :references:user-agent:mime-version:content-transfer-encoding; bh=04oBpXRz9dQvTo95R2G0BWiNbQsIPh3agUFG6K2tgYI=; b=NBgDDcKDkwSPRKFGmTcUp9EaxhXGVIqv7RaEjDRisswTEjcYu5mWFW2GKvLS/y+4EU icL3lQoa86HftUgdca+u49hPZJFV+0vacf+IZwlSVAlXg4x7CL51Drfl/VCCqBJJSy9N Zk+QQyqHGGRaXDPtNhRWh/GEVVlilZ6X1rN+rXVqiXF0RukbuzCrbslMsRUzd4eLY1nB qBUnhTL2tITckhDsy/KooeJlwXhRh0wHD3N6EsLIEOeNoAnPPdHqILxSdb4CU6wXPPaR vNcp/02VudkosZpxFPEU+i/53W6PvGV0vjCrDmnFUDjFcXpyeDY2Vg0AL5HUkIJNojnZ VZVA== X-Gm-Message-State: AOAM532O5Y07KEFm4EE2N4ZYDNQJM1sYBqJkUwmKxv2QNiLNkpGebjgB I9aGAHfElQNyI+EnC5ul4nN17CvEZ7vD+KT/To3jL8Iv/KI6dpsrfoyYZtDaruzBlAw+k+upWB2 w7/85eiY3X1bJaS04FKOPqtob X-Received: by 2002:adf:e2cc:0:b0:203:e8ba:c709 with SMTP id d12-20020adfe2cc000000b00203e8bac709mr17958609wrj.713.1650971842743; Tue, 26 Apr 2022 04:17:22 -0700 (PDT) X-Received: by 2002:adf:e2cc:0:b0:203:e8ba:c709 with SMTP id d12-20020adfe2cc000000b00203e8bac709mr17958586wrj.713.1650971842460; Tue, 26 Apr 2022 04:17:22 -0700 (PDT) Received: from gerbillo.redhat.com (146-241-117-160.dyn.eolo.it. [146.241.117.160]) by smtp.gmail.com with ESMTPSA id h10-20020a05600c414a00b0038ebb6884d8sm12422473wmm.0.2022.04.26.04.17.21 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 26 Apr 2022 04:17:22 -0700 (PDT) Message-ID: <57eae113432e286b7e279102220c21fcf0bd1306.camel@redhat.com> Subject: Re: [PATCH net V2] nfc: nfcmrvl: main: reorder destructive operations in nfcmrvl_nci_unregister_dev to avoid bugs From: Paolo Abeni To: Duoming Zhou , krzysztof.kozlowski@linaro.org, linux-kernel@vger.kernel.org Cc: davem@davemloft.net, gregkh@linuxfoundation.org, alexander.deucher@amd.com, broonie@kernel.org, akpm@linux-foundation.org, netdev@vger.kernel.org, linma@zju.edu.cn Date: Tue, 26 Apr 2022 13:17:21 +0200 In-Reply-To: <20220425095838.100882-1-duoming@zju.edu.cn> References: <20220425095838.100882-1-duoming@zju.edu.cn> Content-Type: text/plain; charset="UTF-8" User-Agent: Evolution 3.42.4 (3.42.4-2.fc35) MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-3.4 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_LOW, SPF_HELO_NONE,SPF_NONE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, 2022-04-25 at 17:58 +0800, Duoming Zhou wrote: > There are destructive operations such as nfcmrvl_fw_dnld_abort and > gpio_free in nfcmrvl_nci_unregister_dev. The resources such as firmware, > gpio and so on could be destructed while the upper layer functions such as > nfcmrvl_fw_dnld_start and nfcmrvl_nci_recv_frame is executing, which leads > to double-free, use-after-free and null-ptr-deref bugs. > > There are three situations that could lead to double-free bugs. > > The first situation is shown below: > > (Thread 1) | (Thread 2) > nfcmrvl_fw_dnld_start | > ... | nfcmrvl_nci_unregister_dev > release_firmware() | nfcmrvl_fw_dnld_abort > kfree(fw) //(1) | fw_dnld_over > | release_firmware > ... | kfree(fw) //(2) > | ... > > The second situation is shown below: > > (Thread 1) | (Thread 2) > nfcmrvl_fw_dnld_start | > ... | > mod_timer | > (wait a time) | > fw_dnld_timeout | nfcmrvl_nci_unregister_dev > fw_dnld_over | nfcmrvl_fw_dnld_abort > release_firmware | fw_dnld_over > kfree(fw) //(1) | release_firmware > ... | kfree(fw) //(2) > > The third situation is shown below: > > (Thread 1) | (Thread 2) > nfcmrvl_nci_recv_frame | > if(..->fw_download_in_progress)| > nfcmrvl_fw_dnld_recv_frame | > queue_work | > | > fw_dnld_rx_work | nfcmrvl_nci_unregister_dev > fw_dnld_over | nfcmrvl_fw_dnld_abort > release_firmware | fw_dnld_over > kfree(fw) //(1) | release_firmware > | kfree(fw) //(2) > > The firmware struct is deallocated in position (1) and deallocated > in position (2) again. > > The crash trace triggered by POC is like below: > > [ 122.640457] BUG: KASAN: double-free or invalid-free in fw_dnld_over+0x28/0xf0 > [ 122.640457] Call Trace: > [ 122.640457] > [ 122.640457] kfree+0xb0/0x330 > [ 122.640457] fw_dnld_over+0x28/0xf0 > [ 122.640457] nfcmrvl_nci_unregister_dev+0x61/0x70 > [ 122.640457] nci_uart_tty_close+0x87/0xd0 > [ 122.640457] tty_ldisc_kill+0x3e/0x80 > [ 122.640457] tty_ldisc_hangup+0x1b2/0x2c0 > [ 122.640457] __tty_hangup.part.0+0x316/0x520 > [ 122.640457] tty_release+0x200/0x670 > [ 122.640457] __fput+0x110/0x410 > [ 122.640457] task_work_run+0x86/0xd0 > [ 122.640457] exit_to_user_mode_prepare+0x1aa/0x1b0 > [ 122.640457] syscall_exit_to_user_mode+0x19/0x50 > [ 122.640457] do_syscall_64+0x48/0x90 > [ 122.640457] entry_SYSCALL_64_after_hwframe+0x44/0xae > [ 122.640457] RIP: 0033:0x7f68433f6beb > > What's more, there are also use-after-free and null-ptr-deref bugs > in nfcmrvl_fw_dnld_start. If we deallocate firmware struct, gpio or > set null to the members of priv->fw_dnld in nfcmrvl_nci_unregister_dev, > then, we dereference firmware, gpio or the members of priv->fw_dnld in > nfcmrvl_fw_dnld_start, the UAF or NPD bugs will happen. > > This patch reorders destructive operations after nci_unregister_device > to avoid the double-free, UAF and NPD bugs, as nci_unregister_device > is well synchronized and won't return if there is a running routine. > This was mentioned in commit 3e3b5dfcd16a ("NFC: reorder the logic in > nfc_{un,}register_device"). It looks like the above is not enough to close all the possible races, specifically it looks like fw_dnld_timeout() and fw_dnld_rx_work() may still race one vs another. I *think* that the approach you already suggested here: https://lore.kernel.org/netdev/1d34425a0ea8a553a66dcf4f22ca55cc920dbb42.1649913521.git.duoming@zju.edu.cn/ should be safer - but you have to protect with the same spinlock even every fw_dnld->fw modification. @Lin Ma: I see you don't like the spinlock solution, but this other option looks racing. Do you have other suggestions? (and/or would you reconsider the spinlock?) Thanks! Paolo