[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20220409135854.33333-1-duoming@zju.edu.cn>
Date: Sat, 9 Apr 2022 21:58:54 +0800
From: Duoming Zhou <duoming@....edu.cn>
To: linux-kernel@...r.kernel.org
Cc: netdev@...r.kernel.org, alexander.deucher@....com,
gregkh@...uxfoundation.org, davem@...emloft.net, krzk@...nel.org,
Duoming Zhou <duoming@....edu.cn>
Subject: [PATCH] drivers: nfc: nfcmrvl: fix UAF bug in nfcmrvl_nci_unregister_dev()
There is a potential UAF bug in nfcmrvl usb driver between
unregister and resume operation.
The race that cause that UAF can be shown as below:
(FREE) | (USE)
| nfcmrvl_resume
| nfcmrvl_submit_bulk_urb
| nfcmrvl_bulk_complete
| nfcmrvl_nci_recv_frame
| nfcmrvl_fw_dnld_recv_frame
| skb_queue_tail
nfcmrvl_disconnect |
nfcmrvl_nci_unregister_dev |
nfcmrvl_fw_dnld_deinit | ...
destroy_workqueue //(1) |
... | queue_work //(2)
When nfcmrvl usb driver is resuming, we detach the device.
The workqueue is destroyed in position (1), but it will be
latter used in position (2), which leads to data race.
This patch reorders the nfcmrvl_fw_dnld_deinit after
nci_unregister_device in order to prevent UAF. Because
nci_unregister_device will not return until finish all
operations from upper layer.
Signed-off-by: Duoming Zhou <duoming@....edu.cn>
---
drivers/nfc/nfcmrvl/main.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/nfc/nfcmrvl/main.c b/drivers/nfc/nfcmrvl/main.c
index 2fcf545012b..5ed17b23ee8 100644
--- a/drivers/nfc/nfcmrvl/main.c
+++ b/drivers/nfc/nfcmrvl/main.c
@@ -186,12 +186,11 @@ void nfcmrvl_nci_unregister_dev(struct nfcmrvl_private *priv)
if (priv->ndev->nfc_dev->fw_download_in_progress)
nfcmrvl_fw_dnld_abort(priv);
- nfcmrvl_fw_dnld_deinit(priv);
-
if (gpio_is_valid(priv->config.reset_n_io))
gpio_free(priv->config.reset_n_io);
nci_unregister_device(ndev);
+ nfcmrvl_fw_dnld_deinit(priv);
nci_free_device(ndev);
kfree(priv);
}
--
2.17.1
Powered by blists - more mailing lists