diff options
author | Duoming Zhou <duoming@zju.edu.cn> | 2022-08-18 17:06:21 +0800 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2022-08-22 14:51:30 +0100 |
commit | f1e941dbf80a9b8bab0bffbc4cbe41cc7f4c6fb6 (patch) | |
tree | 347a36b38df094a5bf289f6aa60a7720fdb7d96f /drivers | |
parent | 6e10001c6e666f7e07e3cfd806d8fa11c4151d00 (diff) | |
download | lwn-f1e941dbf80a9b8bab0bffbc4cbe41cc7f4c6fb6.tar.gz lwn-f1e941dbf80a9b8bab0bffbc4cbe41cc7f4c6fb6.zip |
nfc: pn533: Fix use-after-free bugs caused by pn532_cmd_timeout
When the pn532 uart device is detaching, the pn532_uart_remove()
is called. But there are no functions in pn532_uart_remove() that
could delete the cmd_timeout timer, which will cause use-after-free
bugs. The process is shown below:
(thread 1) | (thread 2)
| pn532_uart_send_frame
pn532_uart_remove | mod_timer(&pn532->cmd_timeout,...)
... | (wait a time)
kfree(pn532) //FREE | pn532_cmd_timeout
| pn532_uart_send_frame
| pn532->... //USE
This patch adds del_timer_sync() in pn532_uart_remove() in order to
prevent the use-after-free bugs. What's more, the pn53x_unregister_nfc()
is well synchronized, it sets nfc_dev->shutting_down to true and there
are no syscalls could restart the cmd_timeout timer.
Fixes: c656aa4c27b1 ("nfc: pn533: add UART phy driver")
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'drivers')
-rw-r--r-- | drivers/nfc/pn533/uart.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/drivers/nfc/pn533/uart.c b/drivers/nfc/pn533/uart.c index 2caf997f9bc9..07596bf5f7d6 100644 --- a/drivers/nfc/pn533/uart.c +++ b/drivers/nfc/pn533/uart.c @@ -310,6 +310,7 @@ static void pn532_uart_remove(struct serdev_device *serdev) pn53x_unregister_nfc(pn532->priv); serdev_device_close(serdev); pn53x_common_clean(pn532->priv); + del_timer_sync(&pn532->cmd_timeout); kfree_skb(pn532->recv_skb); kfree(pn532); } |