linux-brain

History

Krzysztof Kozlowski 6cf2abea10 nfc: nfcsim: fix use after free during module unload commit 5e7b30d24a5b8cb691c173b45b50e3ca0191be19 upstream. There is a use after free memory corruption during module exit: - nfcsim_exit() - nfcsim_device_free(dev0) - nfc_digital_unregister_device() This iterates over command queue and frees all commands, - dev->up = false - nfcsim_link_shutdown() - nfcsim_link_recv_wake() This wakes the sleeping thread nfcsim_link_recv_skb(). - nfcsim_link_recv_skb() Wake from wait_event_interruptible_timeout(), call directly the deb->cb callback even though (dev->up == false), - digital_send_cmd_complete() Dereference of "struct digital_cmd" cmd which was freed earlier by nfc_digital_unregister_device(). This causes memory corruption shortly after (with unrelated stack trace): nfc nfc0: NFC: nfcsim_recv_wq: Device is down llcp: nfc_llcp_recv: err -19 nfc nfc1: NFC: nfcsim_recv_wq: Device is down BUG: unable to handle page fault for address: ffffffffffffffed Call Trace: fsnotify+0x54b/0x5c0 __fsnotify_parent+0x1fe/0x300 ? vfs_write+0x27c/0x390 vfs_write+0x27c/0x390 ksys_write+0x63/0xe0 do_syscall_64+0x3b/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xae KASAN report: BUG: KASAN: use-after-free in digital_send_cmd_complete+0x16/0x50 Write of size 8 at addr ffff88800a05f720 by task kworker/0:2/71 Workqueue: events nfcsim_recv_wq [nfcsim] Call Trace: dump_stack_lvl+0x45/0x59 print_address_description.constprop.0+0x21/0x140 ? digital_send_cmd_complete+0x16/0x50 ? digital_send_cmd_complete+0x16/0x50 kasan_report.cold+0x7f/0x11b ? digital_send_cmd_complete+0x16/0x50 ? digital_dep_link_down+0x60/0x60 digital_send_cmd_complete+0x16/0x50 nfcsim_recv_wq+0x38f/0x3d5 [nfcsim] ? nfcsim_in_send_cmd+0x4a/0x4a [nfcsim] ? lock_is_held_type+0x98/0x110 ? finish_wait+0x110/0x110 ? rcu_read_lock_sched_held+0x9c/0xd0 ? rcu_read_lock_bh_held+0xb0/0xb0 ? lockdep_hardirqs_on_prepare+0x12e/0x1f0 This flow of calling digital_send_cmd_complete() callback on driver exit is specific to nfcsim which implements reading and sending work queues. Since the NFC digital device was unregistered, the callback should not be called. Fixes: `204bddcb50` ("NFC: nfcsim: Make use of the Digital layer") Cc: <stable@vger.kernel.org> Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>		2021-08-04 12:27:38 +02:00
..
fdp	NFC: fdp: Fix a signedness bug in fdp_nci_send_patch()	2020-04-01 11:01:38 +02:00
microread	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 399	2019-06-05 17:37:12 +02:00
nfcmrvl	NFC: nfcmrvl: fix gpio-handling regression	2019-08-05 10:25:48 -07:00
nxp-nci	NFC: nxp-nci: Fix probing without ACPI	2019-12-31 16:41:49 +01:00
pn533	nfc: pn533: prevent potential memory corruption	2021-05-14 09:44:27 +02:00
pn544	nfc: pn544: Fix occasional HW initialization failure	2020-03-05 16:43:32 +01:00
s3fwrn5	nfc: s3fwrn5: Release the nfc firmware	2020-12-30 11:51:26 +01:00
st-nci	st_nci_hci_connectivity_event_received: null check the allocation	2019-07-25 11:48:06 -07:00
st21nfca	NFC: st21nfca: add missed kfree_skb() in an error path	2020-06-10 20:24:54 +02:00
st95hf	NFC: st95hf: Fix memleak in st95hf_in_send_cmd	2020-09-17 13:47:45 +02:00
Kconfig	treewide: Add SPDX license identifier - Makefile/Kconfig	2019-05-21 10:50:46 +02:00
Makefile	License cleanup: add SPDX GPL-2.0 license identifier to files with no license	2017-11-02 11:10:55 +01:00
mei_phy.c	nfc/mei: convert to SPDX license tags	2019-03-28 02:07:54 +09:00
mei_phy.h	License cleanup: add SPDX GPL-2.0 license identifier to files with no license	2017-11-02 11:10:55 +01:00
nfcsim.c	nfc: nfcsim: fix use after free during module unload	2021-08-04 12:27:38 +02:00
port100.c	NFC: port100: Convert cpu_to_le16(le16_to_cpu(E1) + E2) to use le16_add_cpu().	2020-02-24 08:36:33 +01:00
trf7970a.c	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 417	2019-06-05 17:37:15 +02:00