Received: by 2002:a6b:500f:0:0:0:0:0 with SMTP id e15csp186302iob; Mon, 2 May 2022 16:36:44 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwA7NqHz/aUQMLr7l9u/wI9qkErmb5AKQAFUJNl4DxjTCDJRkLwlMHamjwjUtvUvdeltEJw X-Received: by 2002:a17:902:a5c4:b0:15d:4ca:90cf with SMTP id t4-20020a170902a5c400b0015d04ca90cfmr13940120plq.133.1651534603849; Mon, 02 May 2022 16:36:43 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1651534603; cv=none; d=google.com; s=arc-20160816; b=wOqQ5TYFK7gb+Kad8iIJgLPOEqFg+I4SCpZkFl83gJR3hHOaEn6LbQHzemvsaOJwTL Guk7EztnkzofvjMgtaG2WBUdop3TKBQFyefG8bBFdyFL82RHgA+q7i3yTAkzaYx8Rqwx XRYE7/StAiNwtx0jEzPviyuwjenJ4BSIoN6OU6yuQFkBV+GcBg4T18hsK4lCK6BaYsu+ SXOkUXDM6ornOciRaKPQ3qWI0s1Hn5SsSYYC55QTmr7BPux1W/7kkXK3jQOfL1x3zlBD 2d+Y+01o7wj3g0oAIlzRJnM0nSK7jeEf6BmtB0rd2g9mcDUgFjtQzaTn42o/pv9yJj3x ZytQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:user-agent:mime-version :date:message-id:dkim-signature; bh=ZkYcyb2ACFjey9zLn1zohQQeCKLJQivrZnOFkcxwXlM=; b=EXbt6Ur0ASAupgTNOkLVNNkbnbfvN2GUJYpfw6CGp9U8ExkoXlX/rrMJy12lETLtai 8zO4P/W6QoBEvQJfhxtg12xZbi3dzy6rNSYY1F8QkyT1VRMFzOSzTRSxKqRWBtFLuxHx g99YTQk2y+xse0lY+9/Ilff53dwKj712jaVlIx4wmTwMVC9qovC6Wd4mPYb29aflkUyI ZG1KQAzRnwbKLcHqM0xkkB1pUv+l9MO90jtT/Yi3N0SIbYkdEAsEOstiRPmKmuti4ndJ clwkNLI/TNPtbApho03LNTVL3D6sfzjw63ZVdFbTFpT0aqxdFMZy0zseeWc4yq1fUr9I xXPw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=c9o10kuS; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [23.128.96.19]) by mx.google.com with ESMTPS id x207-20020a6331d8000000b003ab1fc361a7si14960672pgx.807.2022.05.02.16.36.43 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 02 May 2022 16:36:43 -0700 (PDT) Received-SPF: softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) client-ip=23.128.96.19; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=c9o10kuS; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 280BA20BFD; Mon, 2 May 2022 16:36:37 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242602AbiEBGhj (ORCPT + 99 others); Mon, 2 May 2022 02:37:39 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33244 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1351045AbiEBGhh (ORCPT ); Mon, 2 May 2022 02:37:37 -0400 Received: from mail-ed1-x532.google.com (mail-ed1-x532.google.com [IPv6:2a00:1450:4864:20::532]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2089327B15 for ; Sun, 1 May 2022 23:34:10 -0700 (PDT) Received: by mail-ed1-x532.google.com with SMTP id z19so15498569edx.9 for ; Sun, 01 May 2022 23:34:10 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=message-id:date:mime-version:user-agent:subject:content-language:to :cc:references:from:in-reply-to:content-transfer-encoding; bh=ZkYcyb2ACFjey9zLn1zohQQeCKLJQivrZnOFkcxwXlM=; b=c9o10kuSwfeywvkoJ+vqV7vjhEN32IuV5UU0hbtcWv5FcN2FU7/VcOt0Iy5kB25otc QhOctcvm0gL/RYg6wXe8o46cHbT8X4o9W82lwv4DAWx/Ld/L9nz+R+edPXmVEFV6ZqwL Wf4gtaJ/OF0l+YZqOjltNM856ZIjCr6I4wbJ9mVdE1UwUgvxie4djX5PZNw45/228+dn qaGx7OOyWOgZB59RNK/eMz8XHbHm15HY/YkBE0U3sO8sH1b4DcPRIptfg0TsoZt5jCzG GAzvljVxg7xlSAHDKU9im/eW9IL/Jxi7xao5itGNVyBhoImYrkVjgq+NxUfLgxUWrwEN ULKA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:date:mime-version:user-agent:subject :content-language:to:cc:references:from:in-reply-to :content-transfer-encoding; bh=ZkYcyb2ACFjey9zLn1zohQQeCKLJQivrZnOFkcxwXlM=; b=H4+98k9uFhJUtWWYKutYxRuCW9c88kP6uGzEYutcmodet/dW0UgTmWRvF4XFfVLLI2 ZfJju/yLAeh1A+BLK9sCh2B9jZ43fhlNV1pWjBYEW/Si4JKCwRdFVLTQFbfacG4+YH5A nyBrpgOrzWxm6ZbL0kij8qpahQg9OJtI+fNQNWqylUbjznuwCAbwsnTPPOJgklN4QoSu OyCuLHRASMnL+XV78vgAMVfIjiRY08TfPx4Cx+alTNeC7D+ouW6dUwpFKA3UzIlbGmWk j849apUVAUHlRZ2porFpX19o2ZZCNIKkv7bGdWhPX9mZRmjUmkrA7kpcxsKReAXM0r1J sbFg== X-Gm-Message-State: AOAM530qfvBEBQXl5TkBqgrzGLLsg+uVDSp7ovW++nyQQLQSTGMjkesh YmPF0mGVPZ3wwHhJ0Gxisw+tQA== X-Received: by 2002:a05:6402:298b:b0:41d:675f:8b44 with SMTP id eq11-20020a056402298b00b0041d675f8b44mr11874109edb.377.1651473248366; Sun, 01 May 2022 23:34:08 -0700 (PDT) Received: from [192.168.0.187] (xdsl-188-155-176-92.adslplus.ch. [188.155.176.92]) by smtp.gmail.com with ESMTPSA id e19-20020a056402105300b0042617ba6384sm6260342edu.14.2022.05.01.23.34.07 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sun, 01 May 2022 23:34:07 -0700 (PDT) Message-ID: <405e3948-7fb2-01de-4c01-29775a21218c@linaro.org> Date: Mon, 2 May 2022 08:34:07 +0200 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.7.0 Subject: Re: [PATCH net v5 2/2] nfc: nfcmrvl: main: reorder destructive operations in nfcmrvl_nci_unregister_dev to avoid bugs Content-Language: en-US To: duoming@zju.edu.cn Cc: linux-kernel@vger.kernel.org, kuba@kernel.org, gregkh@linuxfoundation.org, davem@davemloft.net, edumazet@google.com, pabeni@redhat.com, alexander.deucher@amd.com, akpm@linux-foundation.org, broonie@kernel.org, netdev@vger.kernel.org, linma@zju.edu.cn References: <8656d527-94ab-228f-66f1-06e5d533e16a@linaro.org> <73fe1723.69fe.1807498ab4d.Coremail.duoming@zju.edu.cn> From: Krzysztof Kozlowski In-Reply-To: <73fe1723.69fe.1807498ab4d.Coremail.duoming@zju.edu.cn> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-3.6 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,NICE_REPLY_A,RDNS_NONE,SPF_HELO_NONE, T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 29/04/2022 11:13, duoming@zju.edu.cn wrote: > Hello, > > On Fri, 29 Apr 2022 09:27:48 +0200 Krzysztof wrote: > >>> There are destructive operations such as nfcmrvl_fw_dnld_abort and >>> gpio_free in nfcmrvl_nci_unregister_dev. The resources such as firmware, >>> gpio and so on could be destructed while the upper layer functions such as >>> nfcmrvl_fw_dnld_start and nfcmrvl_nci_recv_frame is executing, which leads >>> to double-free, use-after-free and null-ptr-deref bugs. >>> >>> There are three situations that could lead to double-free bugs. >>> >>> The first situation is shown below: >>> >>> (Thread 1) | (Thread 2) >>> nfcmrvl_fw_dnld_start | >>> ... | nfcmrvl_nci_unregister_dev >>> release_firmware() | nfcmrvl_fw_dnld_abort >>> kfree(fw) //(1) | fw_dnld_over >>> | release_firmware >>> ... | kfree(fw) //(2) >>> | ... >>> >>> The second situation is shown below: >>> >>> (Thread 1) | (Thread 2) >>> nfcmrvl_fw_dnld_start | >>> ... | >>> mod_timer | >>> (wait a time) | >>> fw_dnld_timeout | nfcmrvl_nci_unregister_dev >>> fw_dnld_over | nfcmrvl_fw_dnld_abort >>> release_firmware | fw_dnld_over >>> kfree(fw) //(1) | release_firmware >>> ... | kfree(fw) //(2) >> >> How exactly the case here is being prevented? >> >> If nfcmrvl_nci_unregister_dev() happens slightly earlier, before >> fw_dnld_timeout() on the left side (T1), the T1 will still hit it, won't it? > > I think it could be prevented. We use nci_unregister_device() to synchronize, if the > firmware download routine is running, the cleanup routine will wait it to finish. > The flag "fw_download_in_progress" will be set to false, if the the firmware download > routine is finished. fw_download_in_progress is not synchronized in nfcmrvl_nci_unregister_dev(), so even if fw_dnld_timeout() set it to true, the nfcmrvl_nci_unregister_dev() happening concurrently will not see updated fw_download_in_progress. > > Although the timer handler fw_dnld_timeout() could be running, nfcmrvl_nci_unregister_dev() > will check the flag "fw_download_in_progress" which is already set to false and nfcmrvl_fw_dnld_abort() > in nfcmrvl_nci_unregister_dev() will not execute. I am sorry, but you cannot move code around hoping it will by itself solve synchronization issues. Best regards, Krzysztof