]> git.proxmox.com Git - mirror_ubuntu-kernels.git/commitdiff
nfc: pn533: Fix use-after-free bugs caused by pn532_cmd_timeout
authorDuoming Zhou <duoming@zju.edu.cn>
Thu, 18 Aug 2022 09:06:21 +0000 (17:06 +0800)
committerDavid S. Miller <davem@davemloft.net>
Mon, 22 Aug 2022 13:51:30 +0000 (14:51 +0100)
When the pn532 uart device is detaching, the pn532_uart_remove()
is called. But there are no functions in pn532_uart_remove() that
could delete the cmd_timeout timer, which will cause use-after-free
bugs. The process is shown below:

    (thread 1)                  |        (thread 2)
                                |  pn532_uart_send_frame
pn532_uart_remove               |    mod_timer(&pn532->cmd_timeout,...)
  ...                           |    (wait a time)
  kfree(pn532) //FREE           |    pn532_cmd_timeout
                                |      pn532_uart_send_frame
                                |        pn532->... //USE

This patch adds del_timer_sync() in pn532_uart_remove() in order to
prevent the use-after-free bugs. What's more, the pn53x_unregister_nfc()
is well synchronized, it sets nfc_dev->shutting_down to true and there
are no syscalls could restart the cmd_timeout timer.

Fixes: c656aa4c27b1 ("nfc: pn533: add UART phy driver")
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Signed-off-by: David S. Miller <davem@davemloft.net>
drivers/nfc/pn533/uart.c

index 2caf997f9bc94a2456b1d70c4847f8c4320ee435..07596bf5f7d6d6adda6481bb2e58824c056ce82e 100644 (file)
@@ -310,6 +310,7 @@ static void pn532_uart_remove(struct serdev_device *serdev)
        pn53x_unregister_nfc(pn532->priv);
        serdev_device_close(serdev);
        pn53x_common_clean(pn532->priv);
+       del_timer_sync(&pn532->cmd_timeout);
        kfree_skb(pn532->recv_skb);
        kfree(pn532);
 }