Patch "nfc: pn533: Fix use-after-free bugs caused by pn532_cmd_timeout" has been added to the 5.15-stable tree

This is a note to let you know that I've just added the patch titled

    nfc: pn533: Fix use-after-free bugs caused by pn532_cmd_timeout

to the 5.15-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     nfc-pn533-fix-use-after-free-bugs-caused-by-pn532_cm.patch
and it can be found in the queue-5.15 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 026159b03374fedf1fa7ee16d9b6016057a90e41
Author: Duoming Zhou <duoming@xxxxxxxxxx>
Date:   Thu Aug 18 17:06:21 2022 +0800

    nfc: pn533: Fix use-after-free bugs caused by pn532_cmd_timeout
    
    [ Upstream commit f1e941dbf80a9b8bab0bffbc4cbe41cc7f4c6fb6 ]
    
    When the pn532 uart device is detaching, the pn532_uart_remove()
    is called. But there are no functions in pn532_uart_remove() that
    could delete the cmd_timeout timer, which will cause use-after-free
    bugs. The process is shown below:
    
        (thread 1)                  |        (thread 2)
                                    |  pn532_uart_send_frame
    pn532_uart_remove               |    mod_timer(&pn532->cmd_timeout,...)
      ...                           |    (wait a time)
      kfree(pn532) //FREE           |    pn532_cmd_timeout
                                    |      pn532_uart_send_frame
                                    |        pn532->... //USE
    
    This patch adds del_timer_sync() in pn532_uart_remove() in order to
    prevent the use-after-free bugs. What's more, the pn53x_unregister_nfc()
    is well synchronized: it sets nfc_dev->shutting_down to true and there
    are no syscalls that could restart the cmd_timeout timer.
    
    Fixes: c656aa4c27b1 ("nfc: pn533: add UART phy driver")
    Signed-off-by: Duoming Zhou <duoming@xxxxxxxxxx>
    Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/nfc/pn533/uart.c b/drivers/nfc/pn533/uart.c
index 7bdaf82630706..7ad98973648cc 100644
--- a/drivers/nfc/pn533/uart.c
+++ b/drivers/nfc/pn533/uart.c
@@ -310,6 +310,7 @@ static void pn532_uart_remove(struct serdev_device *serdev)
 	pn53x_unregister_nfc(pn532->priv);
 	serdev_device_close(serdev);
 	pn53x_common_clean(pn532->priv);
+	del_timer_sync(&pn532->cmd_timeout);
 	kfree_skb(pn532->recv_skb);
 	kfree(pn532);
 }
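Review bot: the new del_timer_sync() runs after serdev_device_close(serdev), so a cmd_timeout that fires in the window between the close and the cancel still enters pn532_cmd_timeout() and, per the race in the commit message, pn532_uart_send_frame() on a serdev that has already been closed. Consider moving the cancel up so it precedes the close, i.e. `del_timer_sync(&pn532->cmd_timeout);` directly after `pn53x_unregister_nfc(pn532->priv);`, which the message says already sets shutting_down and stops the timer from being re-armed; that keeps the ordering "no new arms, then cancel, then tear down the transport, then free" and still protects kfree_skb()/kfree() below. The kfree_skb()/kfree() placement after the cancel is correct as it stands.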


