linux-stable/include/net/nfc/nci_core.h
Lin Ma 48b71a9e66 NFC: add NCI_UNREG flag to eliminate the race
There are two sites that calls queue_work() after the
destroy_workqueue() and lead to possible UAF.

The first site is nci_send_cmd(), which can happen after the
nci_close_device as below

nfcmrvl_nci_unregister_dev   |  nfc_genl_dev_up
  nci_close_device           |
    flush_workqueue          |
    del_timer_sync           |
  nci_unregister_device      |    nfc_get_device
    destroy_workqueue        |    nfc_dev_up
    nfc_unregister_device    |      nci_dev_up
      device_del             |        nci_open_device
                             |          __nci_request
                             |            nci_send_cmd
                             |              queue_work !!!

Another site is nci_cmd_timer, awaked by the nci_cmd_work from the
nci_send_cmd.

  ...                        |  ...
  nci_unregister_device      |  queue_work
    destroy_workqueue        |
    nfc_unregister_device    |  ...
      device_del             |  nci_cmd_work
                             |  mod_timer
                             |  ...
                             |  nci_cmd_timer
                             |    queue_work !!!

For the above two UAF, the root cause is that the nfc_dev_up can race
between the nci_unregister_device routine. Therefore, this patch
introduce NCI_UNREG flag to easily eliminate the possible race. In
addition, the mutex_lock in nci_close_device can act as a barrier.

Signed-off-by: Lin Ma <linma@zju.edu.cn>
Fixes: 6a2968aaf5 ("NFC: basic NCI protocol implementation")
Reviewed-by: Jakub Kicinski <kuba@kernel.org>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
Link: https://lore.kernel.org/r/20211116152732.19238-1-linma@zju.edu.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2021-11-17 20:17:05 -08:00

465 lines
13 KiB
C

/* SPDX-License-Identifier: GPL-2.0-only */
/*
* The NFC Controller Interface is the communication protocol between an
* NFC Controller (NFCC) and a Device Host (DH).
*
* Copyright (C) 2011 Texas Instruments, Inc.
* Copyright (C) 2013 Intel Corporation. All rights reserved.
* Copyright (C) 2014 Marvell International Ltd.
*
* Written by Ilan Elias <ilane@ti.com>
*
* Acknowledgements:
* This file is based on hci_core.h, which was written
* by Maxim Krasnyansky.
*/
#ifndef __NCI_CORE_H
#define __NCI_CORE_H
#include <linux/interrupt.h>
#include <linux/skbuff.h>
#include <linux/tty.h>
#include <net/nfc/nfc.h>
#include <net/nfc/nci.h>
/* NCI device flags */
enum nci_flag {
NCI_INIT,
NCI_UP,
NCI_DATA_EXCHANGE,
NCI_DATA_EXCHANGE_TO,
NCI_UNREG,
};
/* NCI device states */
enum nci_state {
NCI_IDLE,
NCI_DISCOVERY,
NCI_W4_ALL_DISCOVERIES,
NCI_W4_HOST_SELECT,
NCI_POLL_ACTIVE,
NCI_LISTEN_ACTIVE,
NCI_LISTEN_SLEEP,
};
/* NCI timeouts */
#define NCI_RESET_TIMEOUT 5000
#define NCI_INIT_TIMEOUT 5000
#define NCI_SET_CONFIG_TIMEOUT 5000
#define NCI_RF_DISC_TIMEOUT 5000
#define NCI_RF_DISC_SELECT_TIMEOUT 5000
#define NCI_RF_DEACTIVATE_TIMEOUT 30000
#define NCI_CMD_TIMEOUT 5000
#define NCI_DATA_TIMEOUT 700
struct nci_dev;
struct nci_driver_ops {
__u16 opcode;
int (*rsp)(struct nci_dev *dev, struct sk_buff *skb);
int (*ntf)(struct nci_dev *dev, struct sk_buff *skb);
};
struct nci_ops {
int (*init)(struct nci_dev *ndev);
int (*open)(struct nci_dev *ndev);
int (*close)(struct nci_dev *ndev);
int (*send)(struct nci_dev *ndev, struct sk_buff *skb);
int (*setup)(struct nci_dev *ndev);
int (*post_setup)(struct nci_dev *ndev);
int (*fw_download)(struct nci_dev *ndev, const char *firmware_name);
__u32 (*get_rfprotocol)(struct nci_dev *ndev, __u8 rf_protocol);
int (*discover_se)(struct nci_dev *ndev);
int (*disable_se)(struct nci_dev *ndev, u32 se_idx);
int (*enable_se)(struct nci_dev *ndev, u32 se_idx);
int (*se_io)(struct nci_dev *ndev, u32 se_idx,
u8 *apdu, size_t apdu_length,
se_io_cb_t cb, void *cb_context);
int (*hci_load_session)(struct nci_dev *ndev);
void (*hci_event_received)(struct nci_dev *ndev, u8 pipe, u8 event,
struct sk_buff *skb);
void (*hci_cmd_received)(struct nci_dev *ndev, u8 pipe, u8 cmd,
struct sk_buff *skb);
const struct nci_driver_ops *prop_ops;
size_t n_prop_ops;
const struct nci_driver_ops *core_ops;
size_t n_core_ops;
};
#define NCI_MAX_SUPPORTED_RF_INTERFACES 4
#define NCI_MAX_DISCOVERED_TARGETS 10
#define NCI_MAX_NUM_NFCEE 255
#define NCI_MAX_CONN_ID 7
#define NCI_MAX_PROPRIETARY_CMD 64
struct nci_conn_info {
struct list_head list;
/* NCI specification 4.4.2 Connection Creation
* The combination of destination type and destination specific
* parameters shall uniquely identify a single destination for the
* Logical Connection
*/
struct dest_spec_params *dest_params;
__u8 dest_type;
__u8 conn_id;
__u8 max_pkt_payload_len;
atomic_t credits_cnt;
__u8 initial_num_credits;
data_exchange_cb_t data_exchange_cb;
void *data_exchange_cb_context;
struct sk_buff *rx_skb;
};
#define NCI_INVALID_CONN_ID 0x80
#define NCI_HCI_ANY_OPEN_PIPE 0x03
/* Gates */
#define NCI_HCI_ADMIN_GATE 0x00
#define NCI_HCI_LOOPBACK_GATE 0x04
#define NCI_HCI_IDENTITY_MGMT_GATE 0x05
#define NCI_HCI_LINK_MGMT_GATE 0x06
/* Pipes */
#define NCI_HCI_LINK_MGMT_PIPE 0x00
#define NCI_HCI_ADMIN_PIPE 0x01
/* Generic responses */
#define NCI_HCI_ANY_OK 0x00
#define NCI_HCI_ANY_E_NOT_CONNECTED 0x01
#define NCI_HCI_ANY_E_CMD_PAR_UNKNOWN 0x02
#define NCI_HCI_ANY_E_NOK 0x03
#define NCI_HCI_ANY_E_PIPES_FULL 0x04
#define NCI_HCI_ANY_E_REG_PAR_UNKNOWN 0x05
#define NCI_HCI_ANY_E_PIPE_NOT_OPENED 0x06
#define NCI_HCI_ANY_E_CMD_NOT_SUPPORTED 0x07
#define NCI_HCI_ANY_E_INHIBITED 0x08
#define NCI_HCI_ANY_E_TIMEOUT 0x09
#define NCI_HCI_ANY_E_REG_ACCESS_DENIED 0x0a
#define NCI_HCI_ANY_E_PIPE_ACCESS_DENIED 0x0b
#define NCI_HCI_DO_NOT_OPEN_PIPE 0x81
#define NCI_HCI_INVALID_PIPE 0x80
#define NCI_HCI_INVALID_GATE 0xFF
#define NCI_HCI_INVALID_HOST 0x80
#define NCI_HCI_MAX_CUSTOM_GATES 50
/*
* According to specification 102 622 chapter 4.4 Pipes,
* the pipe identifier is 7 bits long.
*/
#define NCI_HCI_MAX_PIPES 128
struct nci_hci_gate {
u8 gate;
u8 pipe;
u8 dest_host;
} __packed;
struct nci_hci_pipe {
u8 gate;
u8 host;
} __packed;
struct nci_hci_init_data {
u8 gate_count;
struct nci_hci_gate gates[NCI_HCI_MAX_CUSTOM_GATES];
char session_id[9];
};
#define NCI_HCI_MAX_GATES 256
struct nci_hci_dev {
u8 nfcee_id;
struct nci_dev *ndev;
struct nci_conn_info *conn_info;
struct nci_hci_init_data init_data;
struct nci_hci_pipe pipes[NCI_HCI_MAX_PIPES];
u8 gate2pipe[NCI_HCI_MAX_GATES];
int expected_pipes;
int count_pipes;
struct sk_buff_head rx_hcp_frags;
struct work_struct msg_rx_work;
struct sk_buff_head msg_rx_queue;
};
/* NCI Core structures */
struct nci_dev {
struct nfc_dev *nfc_dev;
const struct nci_ops *ops;
struct nci_hci_dev *hci_dev;
int tx_headroom;
int tx_tailroom;
atomic_t state;
unsigned long flags;
atomic_t cmd_cnt;
__u8 cur_conn_id;
struct list_head conn_info_list;
struct nci_conn_info *rf_conn_info;
struct timer_list cmd_timer;
struct timer_list data_timer;
struct workqueue_struct *cmd_wq;
struct work_struct cmd_work;
struct workqueue_struct *rx_wq;
struct work_struct rx_work;
struct workqueue_struct *tx_wq;
struct work_struct tx_work;
struct sk_buff_head cmd_q;
struct sk_buff_head rx_q;
struct sk_buff_head tx_q;
struct mutex req_lock;
struct completion req_completion;
__u32 req_status;
__u32 req_result;
void *driver_data;
__u32 poll_prots;
__u32 target_active_prot;
struct nfc_target targets[NCI_MAX_DISCOVERED_TARGETS];
int n_targets;
/* received during NCI_OP_CORE_RESET_RSP */
__u8 nci_ver;
/* received during NCI_OP_CORE_INIT_RSP */
__u32 nfcc_features;
__u8 num_supported_rf_interfaces;
__u8 supported_rf_interfaces
[NCI_MAX_SUPPORTED_RF_INTERFACES];
__u8 max_logical_connections;
__u16 max_routing_table_size;
__u8 max_ctrl_pkt_payload_len;
__u16 max_size_for_large_params;
__u8 manufact_id;
__u32 manufact_specific_info;
/* Save RF Discovery ID or NFCEE ID under conn_create */
struct dest_spec_params cur_params;
/* Save destination type under conn_create */
__u8 cur_dest_type;
/* stored during nci_data_exchange */
struct sk_buff *rx_data_reassembly;
/* stored during intf_activated_ntf */
__u8 remote_gb[NFC_MAX_GT_LEN];
__u8 remote_gb_len;
};
/* ----- NCI Devices ----- */
struct nci_dev *nci_allocate_device(const struct nci_ops *ops,
__u32 supported_protocols,
int tx_headroom,
int tx_tailroom);
void nci_free_device(struct nci_dev *ndev);
int nci_register_device(struct nci_dev *ndev);
void nci_unregister_device(struct nci_dev *ndev);
int nci_request(struct nci_dev *ndev,
void (*req)(struct nci_dev *ndev,
const void *opt),
const void *opt, __u32 timeout);
int nci_prop_cmd(struct nci_dev *ndev, __u8 oid, size_t len,
const __u8 *payload);
int nci_core_cmd(struct nci_dev *ndev, __u16 opcode, size_t len,
const __u8 *payload);
int nci_core_reset(struct nci_dev *ndev);
int nci_core_init(struct nci_dev *ndev);
int nci_recv_frame(struct nci_dev *ndev, struct sk_buff *skb);
int nci_send_frame(struct nci_dev *ndev, struct sk_buff *skb);
int nci_set_config(struct nci_dev *ndev, __u8 id, size_t len, const __u8 *val);
int nci_nfcee_discover(struct nci_dev *ndev, u8 action);
int nci_nfcee_mode_set(struct nci_dev *ndev, u8 nfcee_id, u8 nfcee_mode);
int nci_core_conn_create(struct nci_dev *ndev, u8 destination_type,
u8 number_destination_params,
size_t params_len,
const struct core_conn_create_dest_spec_params *params);
int nci_core_conn_close(struct nci_dev *ndev, u8 conn_id);
int nci_nfcc_loopback(struct nci_dev *ndev, const void *data, size_t data_len,
struct sk_buff **resp);
struct nci_hci_dev *nci_hci_allocate(struct nci_dev *ndev);
void nci_hci_deallocate(struct nci_dev *ndev);
int nci_hci_send_event(struct nci_dev *ndev, u8 gate, u8 event,
const u8 *param, size_t param_len);
int nci_hci_send_cmd(struct nci_dev *ndev, u8 gate,
u8 cmd, const u8 *param, size_t param_len,
struct sk_buff **skb);
int nci_hci_open_pipe(struct nci_dev *ndev, u8 pipe);
int nci_hci_connect_gate(struct nci_dev *ndev, u8 dest_host,
u8 dest_gate, u8 pipe);
int nci_hci_set_param(struct nci_dev *ndev, u8 gate, u8 idx,
const u8 *param, size_t param_len);
int nci_hci_get_param(struct nci_dev *ndev, u8 gate, u8 idx,
struct sk_buff **skb);
int nci_hci_clear_all_pipes(struct nci_dev *ndev);
int nci_hci_dev_session_init(struct nci_dev *ndev);
static inline struct sk_buff *nci_skb_alloc(struct nci_dev *ndev,
unsigned int len,
gfp_t how)
{
struct sk_buff *skb;
skb = alloc_skb(len + ndev->tx_headroom + ndev->tx_tailroom, how);
if (skb)
skb_reserve(skb, ndev->tx_headroom);
return skb;
}
static inline void nci_set_parent_dev(struct nci_dev *ndev, struct device *dev)
{
nfc_set_parent_dev(ndev->nfc_dev, dev);
}
static inline void nci_set_drvdata(struct nci_dev *ndev, void *data)
{
ndev->driver_data = data;
}
static inline void *nci_get_drvdata(struct nci_dev *ndev)
{
return ndev->driver_data;
}
static inline int nci_set_vendor_cmds(struct nci_dev *ndev,
const struct nfc_vendor_cmd *cmds,
int n_cmds)
{
return nfc_set_vendor_cmds(ndev->nfc_dev, cmds, n_cmds);
}
void nci_rsp_packet(struct nci_dev *ndev, struct sk_buff *skb);
void nci_ntf_packet(struct nci_dev *ndev, struct sk_buff *skb);
int nci_prop_rsp_packet(struct nci_dev *ndev, __u16 opcode,
struct sk_buff *skb);
int nci_prop_ntf_packet(struct nci_dev *ndev, __u16 opcode,
struct sk_buff *skb);
int nci_core_rsp_packet(struct nci_dev *ndev, __u16 opcode,
struct sk_buff *skb);
int nci_core_ntf_packet(struct nci_dev *ndev, __u16 opcode,
struct sk_buff *skb);
void nci_rx_data_packet(struct nci_dev *ndev, struct sk_buff *skb);
int nci_send_cmd(struct nci_dev *ndev, __u16 opcode, __u8 plen, const void *payload);
int nci_send_data(struct nci_dev *ndev, __u8 conn_id, struct sk_buff *skb);
int nci_conn_max_data_pkt_payload_size(struct nci_dev *ndev, __u8 conn_id);
void nci_data_exchange_complete(struct nci_dev *ndev, struct sk_buff *skb,
__u8 conn_id, int err);
void nci_hci_data_received_cb(void *context, struct sk_buff *skb, int err);
void nci_clear_target_list(struct nci_dev *ndev);
/* ----- NCI requests ----- */
#define NCI_REQ_DONE 0
#define NCI_REQ_PEND 1
#define NCI_REQ_CANCELED 2
void nci_req_complete(struct nci_dev *ndev, int result);
struct nci_conn_info *nci_get_conn_info_by_conn_id(struct nci_dev *ndev,
int conn_id);
int nci_get_conn_info_by_dest_type_params(struct nci_dev *ndev, u8 dest_type,
const struct dest_spec_params *params);
/* ----- NCI status code ----- */
int nci_to_errno(__u8 code);
/* ----- NCI over SPI acknowledge modes ----- */
#define NCI_SPI_CRC_DISABLED 0x00
#define NCI_SPI_CRC_ENABLED 0x01
/* ----- NCI SPI structures ----- */
struct nci_spi {
struct nci_dev *ndev;
struct spi_device *spi;
unsigned int xfer_udelay; /* microseconds delay between
transactions */
unsigned int xfer_speed_hz; /*
* SPI clock frequency
* 0 => default clock
*/
u8 acknowledge_mode;
struct completion req_completion;
u8 req_result;
};
/* ----- NCI SPI ----- */
struct nci_spi *nci_spi_allocate_spi(struct spi_device *spi,
u8 acknowledge_mode, unsigned int delay,
struct nci_dev *ndev);
int nci_spi_send(struct nci_spi *nspi,
struct completion *write_handshake_completion,
struct sk_buff *skb);
struct sk_buff *nci_spi_read(struct nci_spi *nspi);
/* ----- NCI UART ---- */
/* Ioctl */
#define NCIUARTSETDRIVER _IOW('U', 0, char *)
enum nci_uart_driver {
NCI_UART_DRIVER_MARVELL = 0,
NCI_UART_DRIVER_MAX
};
struct nci_uart;
struct nci_uart_ops {
int (*open)(struct nci_uart *nci_uart);
void (*close)(struct nci_uart *nci_uart);
int (*recv)(struct nci_uart *nci_uart, struct sk_buff *skb);
int (*send)(struct nci_uart *nci_uart, struct sk_buff *skb);
void (*tx_start)(struct nci_uart *nci_uart);
void (*tx_done)(struct nci_uart *nci_uart);
};
struct nci_uart {
struct module *owner;
struct nci_uart_ops ops;
const char *name;
enum nci_uart_driver driver;
/* Dynamic data */
struct nci_dev *ndev;
spinlock_t rx_lock;
struct work_struct write_work;
struct tty_struct *tty;
unsigned long tx_state;
struct sk_buff_head tx_q;
struct sk_buff *tx_skb;
struct sk_buff *rx_skb;
int rx_packet_len;
void *drv_data;
};
int nci_uart_register(struct nci_uart *nu);
void nci_uart_unregister(struct nci_uart *nu);
void nci_uart_set_config(struct nci_uart *nu, int baudrate, int flow_ctrl);
#endif /* __NCI_CORE_H */