nfc: pn533: Fix use-after-free bugs caused by pn532_cmd_timeout

stonezdm · davem330 · commit f1e941dbf80a · 2022-08-22T14:51:30.000+01:00
When the pn532 uart device is detaching, the pn532_uart_remove() is called. But there are no functions in pn532_uart_remove() that could delete the cmd_timeout timer, which will cause use-after-free bugs. The process is shown below: (thread 1) | (thread 2) | pn532_uart_send_frame pn532_uart_remove | mod_timer(&pn532->cmd_timeout,...) ... | (wait a time) kfree(pn532) //FREE | pn532_cmd_timeout | pn532_uart_send_frame | pn532->... //USE This patch adds del_timer_sync() in pn532_uart_remove() in order to prevent the use-after-free bugs. What's more, the pn53x_unregister_nfc() is well synchronized, it sets nfc_dev->shutting_down to true and there are no syscalls could restart the cmd_timeout timer. Fixes: c656aa4 ("nfc: pn533: add UART phy driver") Signed-off-by: Duoming Zhou <duoming@zju.edu.cn> Signed-off-by: David S. Miller <davem@davemloft.net>
diff --git a/drivers/nfc/pn533/uart.c b/drivers/nfc/pn533/uart.c
@@ -310,6 +310,7 @@ static void pn532_uart_remove(struct serdev_device *serdev)
 	pn53x_unregister_nfc(pn532->priv);
 	serdev_device_close(serdev);
 	pn53x_common_clean(pn532->priv);
+	del_timer_sync(&pn532->cmd_timeout);
 	kfree_skb(pn532->recv_skb);
 	kfree(pn532);
 }

Original file line number	Diff line number	Diff line change
`@@ -310,6 +310,7 @@ static void pn532_uart_remove(struct serdev_device *serdev)`
`310`	`310`	`pn53x_unregister_nfc(pn532->priv);`
`311`	`311`	`serdev_device_close(serdev);`
`312`	`312`	`pn53x_common_clean(pn532->priv);`
	`313`	`+ del_timer_sync(&pn532->cmd_timeout);`
`313`	`314`	`kfree_skb(pn532->recv_skb);`
`314`	`315`	`kfree(pn532);`
`315`	`316`	`}`