Received: by 2002:a6b:500f:0:0:0:0:0 with SMTP id e15csp729701iob; Wed, 4 May 2022 06:56:48 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyVTi6hEh/DtphpgXJhAk9S2OA1yd91OZHLmax88WT5QryNw2g2ZXn9dkCLgELU6NdzsOg4 X-Received: by 2002:a17:907:6294:b0:6e1:ea4:74a3 with SMTP id nd20-20020a170907629400b006e10ea474a3mr20002197ejc.168.1651672608629; Wed, 04 May 2022 06:56:48 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1651672608; cv=none; d=google.com; s=arc-20160816; b=XZ8p9lMjUFBbuUb/byUA6WUDmEI3SaA/GxhhQiViGydr9T3Xeeg0vAm/rNdAS/S+sc RmUx/pRy7LaMwQEeU/w7QzqMLAFmQhpueOvo6zmcNzTRvSSnegnubjsqNqqvZx2ZUGKe rQm6Lg8hC/PBM/eiWIMJEOjublYKib+Jn+HIUh5pUnfcBHhrqS8hK6NfGR0gNBJOWo4A ++Z6NPX3A0CHfxy0qqSGFe/kzYo5YNv2PEI4cpQSVwZd5xy+J5XReQx2GnF85zcE+LyD EHNAL8t+ew/3OXw05Xvpwj9T0XTQoII9OI7q+PjNFhASVryYo6uw2r3s3bcoJwtkDRid GWtg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:user-agent:mime-version :date:message-id:dkim-signature; bh=XiGtsn5suJGp364Ut5ARLksbX95MjHeSBk/Ld3aNPvM=; b=Q4gjKSUShvAKG1fEj8dJbCq6zbtFw/JuYWWXNa3G7lGQoq451aCWjwMa+T386KbJX0 HZSYqX7vt90sN3+DrVJo0ZcPcLQYfmRUVHKgwVeecCGWAqsIvf4cT6SUSGnYkfMtM84P ivFaJWCz31+1VlRQK7LiBftG3gmgPblOJvbCJqezmIy2EGF2TjMYpxKFlTYwsUQqXndz DPLUHv0rhL4fe434nXySL0ov+hBo2jPFGizn6YKtNlflIvVf18QLAmBAUS30IJbAK0ZF 7Ne/gz6L0hoixvk/ZzvklksW2+v5ItgRyeI+I5wfJBdpg/0EpPwqotbBjwTCS8kEHR9f 120A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=tgffE7DI; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id u27-20020a50951b000000b00425b4f69f0asi13592951eda.101.2022.05.04.06.56.24; Wed, 04 May 2022 06:56:48 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=tgffE7DI; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344957AbiEDGgB (ORCPT + 99 others); Wed, 4 May 2022 02:36:01 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60308 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1344930AbiEDGfx (ORCPT ); Wed, 4 May 2022 02:35:53 -0400 Received: from mail-ej1-x634.google.com (mail-ej1-x634.google.com [IPv6:2a00:1450:4864:20::634]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 210AE26D5 for ; Tue, 3 May 2022 23:32:18 -0700 (PDT) Received: by mail-ej1-x634.google.com with SMTP id l7so1020747ejn.2 for ; Tue, 03 May 2022 23:32:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=message-id:date:mime-version:user-agent:subject:content-language:to :cc:references:from:in-reply-to:content-transfer-encoding; bh=XiGtsn5suJGp364Ut5ARLksbX95MjHeSBk/Ld3aNPvM=; b=tgffE7DIQMbb0Lm82+pVSeeJDjnRZQiPHkxCmhzxOR+i93hkbALu7B+mBcaM7FNY9+ 5jZYsxbrbSy1LY11HB98ZCkTjxjiHIKIvrTgeZWBs85xODTMNuIMbxradK8zOU7wX6+u MKxdFM/vQ1A4iqRYdDNKB4rKPP16P1mB4SuaCEF2+JipWRTgVRQ6QmATVgIEI2z7X8Xh uwIGbI5/3srkJ3g8t3b3OdDDKHBJBpDQhwTMqgRlffs0Vj6WXuV4L0rTC69t38YlnMZN e17xn4B/858ebq5OX4XduQbGMSr095tRzNxKbOMkEt/6eFqxDl88dG8xnnyoSgHgP+eF vFXA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:date:mime-version:user-agent:subject :content-language:to:cc:references:from:in-reply-to :content-transfer-encoding; bh=XiGtsn5suJGp364Ut5ARLksbX95MjHeSBk/Ld3aNPvM=; b=EgL4LpsbL7gxrxLBzQnDJ+YsfeRBGtCv9FeHSN71NHa3m6TfWC9i1G1977je/urQP/ meLbYkqMFSSsVMqmXg3BMQJ1CluFnqKaAYKSsyqKExGJQsCGxkWGAzjPmiAemOkZk6cd WIt+6qBAB/5g2YsdpyEAmDjJftY3++T3fYXyvZlXpQldM93fGlTbkjB7eNG1oOXKcmT7 92TWcvZyyYzuqFbngxusxv81XYnUArMq0Iz7da2yqhk1e+iMWPanxkYS6D4mIc5/Ngm9 O/Gr14YdRhf+MaW8+cmFDOHhVRlIbe0E8KxrKdD4LV1Wi2vVCd+Aqb8AQYI60SPUv6dt BDuw== X-Gm-Message-State: AOAM532yU1ilkHqmyk2tuL4msxCz4DFJd7IPei1B/38Ifx1ujeyrWJrK x52OOA+Tn5i0qYqjoyFjhyp0Qg== X-Received: by 2002:a17:907:3e94:b0:6f4:64ad:1e2 with SMTP id hs20-20020a1709073e9400b006f464ad01e2mr10149463ejc.464.1651645936611; Tue, 03 May 2022 23:32:16 -0700 (PDT) Received: from [192.168.0.207] (xdsl-188-155-176-92.adslplus.ch. [188.155.176.92]) by smtp.gmail.com with ESMTPSA id h20-20020a1709070b1400b006f3ef214db8sm5270851ejl.30.2022.05.03.23.32.15 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 03 May 2022 23:32:16 -0700 (PDT) Message-ID: <6aeef03a-eabb-e6d8-c100-9a74f3506f79@linaro.org> Date: Wed, 4 May 2022 08:32:15 +0200 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.7.0 Subject: Re: [PATCH net v5 2/2] nfc: nfcmrvl: main: reorder destructive operations in nfcmrvl_nci_unregister_dev to avoid bugs Content-Language: en-US To: duoming@zju.edu.cn Cc: linux-kernel@vger.kernel.org, kuba@kernel.org, gregkh@linuxfoundation.org, davem@davemloft.net, edumazet@google.com, pabeni@redhat.com, alexander.deucher@amd.com, akpm@linux-foundation.org, broonie@kernel.org, netdev@vger.kernel.org, linma@zju.edu.cn References: <8656d527-94ab-228f-66f1-06e5d533e16a@linaro.org> <73fe1723.69fe.1807498ab4d.Coremail.duoming@zju.edu.cn> <405e3948-7fb2-01de-4c01-29775a21218c@linaro.org> <614ae365.b499.18083a8bb17.Coremail.duoming@zju.edu.cn> From: Krzysztof Kozlowski In-Reply-To: <614ae365.b499.18083a8bb17.Coremail.duoming@zju.edu.cn> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-5.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,NICE_REPLY_A,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 02/05/2022 09:25, duoming@zju.edu.cn wrote: > > > >> -----原始邮件----- >> 发件人: "Krzysztof Kozlowski" >> 发送时间: 2022-05-02 14:34:07 (星期一) >> 收件人: duoming@zju.edu.cn >> 抄送: linux-kernel@vger.kernel.org, kuba@kernel.org, gregkh@linuxfoundation.org, davem@davemloft.net, edumazet@google.com, pabeni@redhat.com, alexander.deucher@amd.com, akpm@linux-foundation.org, broonie@kernel.org, netdev@vger.kernel.org, linma@zju.edu.cn >> 主题: Re: [PATCH net v5 2/2] nfc: nfcmrvl: main: reorder destructive operations in nfcmrvl_nci_unregister_dev to avoid bugs >> >> On 29/04/2022 11:13, duoming@zju.edu.cn wrote: >>> Hello, >>> >>> On Fri, 29 Apr 2022 09:27:48 +0200 Krzysztof wrote: >>> >>>>> There are destructive operations such as nfcmrvl_fw_dnld_abort and >>>>> gpio_free in nfcmrvl_nci_unregister_dev. The resources such as firmware, >>>>> gpio and so on could be destructed while the upper layer functions such as >>>>> nfcmrvl_fw_dnld_start and nfcmrvl_nci_recv_frame is executing, which leads >>>>> to double-free, use-after-free and null-ptr-deref bugs. >>>>> >>>>> There are three situations that could lead to double-free bugs. >>>>> >>>>> The first situation is shown below: >>>>> >>>>> (Thread 1) | (Thread 2) >>>>> nfcmrvl_fw_dnld_start | >>>>> ... | nfcmrvl_nci_unregister_dev >>>>> release_firmware() | nfcmrvl_fw_dnld_abort >>>>> kfree(fw) //(1) | fw_dnld_over >>>>> | release_firmware >>>>> ... | kfree(fw) //(2) >>>>> | ... >>>>> >>>>> The second situation is shown below: >>>>> >>>>> (Thread 1) | (Thread 2) >>>>> nfcmrvl_fw_dnld_start | >>>>> ... | >>>>> mod_timer | >>>>> (wait a time) | >>>>> fw_dnld_timeout | nfcmrvl_nci_unregister_dev >>>>> fw_dnld_over | nfcmrvl_fw_dnld_abort >>>>> release_firmware | fw_dnld_over >>>>> kfree(fw) //(1) | release_firmware >>>>> ... | kfree(fw) //(2) >>>> >>>> How exactly the case here is being prevented? >>>> >>>> If nfcmrvl_nci_unregister_dev() happens slightly earlier, before >>>> fw_dnld_timeout() on the left side (T1), the T1 will still hit it, won't it? >>> >>> I think it could be prevented. We use nci_unregister_device() to synchronize, if the >>> firmware download routine is running, the cleanup routine will wait it to finish. >>> The flag "fw_download_in_progress" will be set to false, if the the firmware download >>> routine is finished. >> >> fw_download_in_progress is not synchronized in >> nfcmrvl_nci_unregister_dev(), so even if fw_dnld_timeout() set it to >> true, the nfcmrvl_nci_unregister_dev() happening concurrently will not >> see updated fw_download_in_progress. > > The fw_download_in_progress is set to false in nfc_fw_download(). The nfc_fw_download() is > synchronized with nfc_unregister_device(). No, it is not. There is no synchronization primitive in nfc_unregister_device(), at least explicitly. > If nfc_fw_download() is running, nfc_unregister_device() > will wait nfc_fw_download() to finish. So the nfcmrvl_nci_unregister_dev() could see the updated > fw_download_in_progress. The process is shown below: > > (Thread 1) | (Thread 2) > nfcmrvl_nci_unregister_dev | nfc_fw_download > nci_unregister_device | ... > | device_lock() > ... | dev->fw_download_in_progress = false; //(1) > | device_unlock() > nfc_unregister_device | > if (priv->ndev->nfc_dev->fw_download_in_progress) //(2) | > nfcmrvl_fw_dnld_abort(priv); //not execute | > > We set fw_download_in_progress to false in position (1) and the check in position (2) will fail, > the nfcmrvl_fw_dnld_abort() in nfcmrvl_nci_unregister_dev() will not execute. So the double-free > bugs could be prevented. You just repeated the same not answering the question. The fw_download_in_progress at point (2) can be still true, on that CPU. I explain it third time so let me rephrase it - the fw_download_in_progress can be reordered by compiler or CPU to: T1 | T2 nfcmrvl_nci_unregister_dev() nci_unregister_device() var = fw_download_in_progress; (true) | nfc_fw_download | device_lock | dev->fw_download = false; | device_unlock if (var) | nfcmrvl_fw_dnld_abort(priv); | Every write barrier must be paired with read barrier. Every lock on one access to variable, must be paired with same lock on other access to variable . > >>> Although the timer handler fw_dnld_timeout() could be running, nfcmrvl_nci_unregister_dev() >>> will check the flag "fw_download_in_progress" which is already set to false and nfcmrvl_fw_dnld_abort() >>> in nfcmrvl_nci_unregister_dev() will not execute. >> >> I am sorry, but you cannot move code around hoping it will by itself >> solve synchronization issues. > > I think this solution sove synchronization issues. If you still have any questions welcome to ask me. No, you still do not get the pint. You cannot move code around because this itself does not solve missing synchronization primitives and related issues. Best regards, Krzysztof