Re: [PATCH v2] nfc: llcp: Fix race in handling llcp_devices

From: Paolo Abeni
Date: Tue Dec 06 2022 - 06:10:25 EST


Hello,

On Sat, 2022-12-03 at 15:12 +0800, Wang ShaoBo wrote:
> @@ -282,9 +285,13 @@ struct nfc_llcp_local *nfc_llcp_find_local(struct nfc_dev *dev)
> {
> struct nfc_llcp_local *local;
>
> + spin_lock(&llcp_devices_list_lock);
> list_for_each_entry(local, &llcp_devices, list)
> - if (local->dev == dev)
> + if (local->dev == dev) {
> + spin_unlock(&llcp_devices_list_lock);
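Review bot: the spin_unlock() added in the found branch gives up the only protection before the pointer is returned, so between that unlock and the caller's first use a concurrent local_release() can free 'local' and the caller then touches freed memory. Take a reference while llcp_devices_list_lock is still held (just before the `spin_unlock(&llcp_devices_list_lock);`) and make every caller of nfc_llcp_find_local() drop it when done, or, if some other serialization rules the free out, state which one in a comment at this point.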

I'm sorry for not noticing the above earlier, but it looks like this is
not enough. At this point local_release() may kick in and free 'local':
the caller will experience UaF.

You could acquire a reference here and let the caller release it.

If the above race is not possible due to some other safeguards, it
should at least be documented clearly here.

Thanks,

Paolo
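The refcounted lookup Paolo suggests, as an added userspace C model that is not code from the kernel, the patch, or this thread; a pthread mutex stands in for llcp_devices_list_lock, an atomic counter for a kref, and the function and field names are hypothetical.

```c
/* Added example, not kernel or patch code: userspace model of the refcounted
 * lookup suggested above (mutex for the list spinlock, atomic for a kref). */
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>

struct local { int dev; atomic_int refcnt; struct local *next; };

static pthread_mutex_t list_lock = PTHREAD_MUTEX_INITIALIZER;
static struct local *devices;   /* live entries; the list holds one ref each */

static bool local_put(struct local *l)   /* drop a ref; true if that freed it */
{
    if (atomic_fetch_sub(&l->refcnt, 1) != 1) return false;
    free(l); return true;
}

static struct local *local_add(int dev)
{
    struct local *l = calloc(1, sizeof(*l));
    l->dev = dev; atomic_init(&l->refcnt, 1);   /* the list's own ref */
    pthread_mutex_lock(&list_lock);
    l->next = devices; devices = l;
    pthread_mutex_unlock(&list_lock);
    return l;
}

/* Take the reference while the list lock is still held, so a concurrent
 * local_release() cannot free the entry under the caller, who must local_put()
 * it. Unlocking and then returning the bare pointer gives no such guarantee. */
static struct local *local_find(int dev)
{
    struct local *l;
    pthread_mutex_lock(&list_lock);
    for (l = devices; l; l = l->next)
        if (l->dev == dev) { atomic_fetch_add(&l->refcnt, 1); break; }
    pthread_mutex_unlock(&list_lock);
    return l;
}

/* Unlink and drop the list's reference; true only if that was the last ref. */
static bool local_release(int dev)
{
    struct local **pp, *l = NULL;
    pthread_mutex_lock(&list_lock);
    for (pp = &devices; *pp; pp = &(*pp)->next)
        if ((*pp)->dev == dev) { l = *pp; *pp = l->next; break; }
    pthread_mutex_unlock(&list_lock);
    return l && local_put(l);
}
```

With the finder holding its own reference, local_release() only unlinks the entry; the memory is freed when the last holder calls local_put().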