NFC: hci: fix sleep in atomic context bugs in nfc_hci_hcp_message_tx

There are sleep in atomic context bugs when the request to secure
element of st21nfca is timeout. The root cause is that kzalloc and
alloc_skb with GFP_KERNEL parameter and mutex_lock are called in
st21nfca_se_wt_timeout which is a timer handler. The call tree shows
the execution paths that could lead to bugs:

   (Interrupt context)
st21nfca_se_wt_timeout
  nfc_hci_send_event
    nfc_hci_hcp_message_tx
      kzalloc(..., GFP_KERNEL) //may sleep
      alloc_skb(..., GFP_KERNEL) //may sleep
      mutex_lock() //may sleep

This patch moves the operations that may sleep into a work item.
The work item will run in another kernel thread which is in
process context to execute the bottom half of the interrupt.
So it could prevent atomic context from sleeping.

Fixes: 2130fb97fe ("NFC: st21nfca: Adding support for secure element")
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Link: https://lore.kernel.org/r/20220518115733.62111-1-duoming@zju.edu.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
This commit is contained in:
Duoming Zhou 2022-05-18 19:57:33 +08:00 committed by Jakub Kicinski
parent 582a2dbc72
commit b413b0cb00
2 changed files with 15 additions and 3 deletions

View File

@ -241,7 +241,7 @@ int st21nfca_hci_se_io(struct nfc_hci_dev *hdev, u32 se_idx,
} }
EXPORT_SYMBOL(st21nfca_hci_se_io); EXPORT_SYMBOL(st21nfca_hci_se_io);
static void st21nfca_se_wt_timeout(struct timer_list *t) static void st21nfca_se_wt_work(struct work_struct *work)
{ {
/* /*
* No answer from the secure element * No answer from the secure element
@ -254,8 +254,9 @@ static void st21nfca_se_wt_timeout(struct timer_list *t)
*/ */
/* hardware reset managed through VCC_UICC_OUT power supply */ /* hardware reset managed through VCC_UICC_OUT power supply */
u8 param = 0x01; u8 param = 0x01;
struct st21nfca_hci_info *info = from_timer(info, t, struct st21nfca_hci_info *info = container_of(work,
se_info.bwi_timer); struct st21nfca_hci_info,
se_info.timeout_work);
info->se_info.bwi_active = false; info->se_info.bwi_active = false;
@ -271,6 +272,13 @@ static void st21nfca_se_wt_timeout(struct timer_list *t)
info->se_info.cb(info->se_info.cb_context, NULL, 0, -ETIME); info->se_info.cb(info->se_info.cb_context, NULL, 0, -ETIME);
} }
static void st21nfca_se_wt_timeout(struct timer_list *t)
{
struct st21nfca_hci_info *info = from_timer(info, t, se_info.bwi_timer);
schedule_work(&info->se_info.timeout_work);
}
static void st21nfca_se_activation_timeout(struct timer_list *t) static void st21nfca_se_activation_timeout(struct timer_list *t)
{ {
struct st21nfca_hci_info *info = from_timer(info, t, struct st21nfca_hci_info *info = from_timer(info, t,
@ -360,6 +368,7 @@ int st21nfca_apdu_reader_event_received(struct nfc_hci_dev *hdev,
switch (event) { switch (event) {
case ST21NFCA_EVT_TRANSMIT_DATA: case ST21NFCA_EVT_TRANSMIT_DATA:
del_timer_sync(&info->se_info.bwi_timer); del_timer_sync(&info->se_info.bwi_timer);
cancel_work_sync(&info->se_info.timeout_work);
info->se_info.bwi_active = false; info->se_info.bwi_active = false;
r = nfc_hci_send_event(hdev, ST21NFCA_DEVICE_MGNT_GATE, r = nfc_hci_send_event(hdev, ST21NFCA_DEVICE_MGNT_GATE,
ST21NFCA_EVT_SE_END_OF_APDU_TRANSFER, NULL, 0); ST21NFCA_EVT_SE_END_OF_APDU_TRANSFER, NULL, 0);
@ -389,6 +398,7 @@ void st21nfca_se_init(struct nfc_hci_dev *hdev)
struct st21nfca_hci_info *info = nfc_hci_get_clientdata(hdev); struct st21nfca_hci_info *info = nfc_hci_get_clientdata(hdev);
init_completion(&info->se_info.req_completion); init_completion(&info->se_info.req_completion);
INIT_WORK(&info->se_info.timeout_work, st21nfca_se_wt_work);
/* initialize timers */ /* initialize timers */
timer_setup(&info->se_info.bwi_timer, st21nfca_se_wt_timeout, 0); timer_setup(&info->se_info.bwi_timer, st21nfca_se_wt_timeout, 0);
info->se_info.bwi_active = false; info->se_info.bwi_active = false;
@ -416,6 +426,7 @@ void st21nfca_se_deinit(struct nfc_hci_dev *hdev)
if (info->se_info.se_active) if (info->se_info.se_active)
del_timer_sync(&info->se_info.se_active_timer); del_timer_sync(&info->se_info.se_active_timer);
cancel_work_sync(&info->se_info.timeout_work);
info->se_info.bwi_active = false; info->se_info.bwi_active = false;
info->se_info.se_active = false; info->se_info.se_active = false;
} }

View File

@ -141,6 +141,7 @@ struct st21nfca_se_info {
se_io_cb_t cb; se_io_cb_t cb;
void *cb_context; void *cb_context;
struct work_struct timeout_work;
}; };
struct st21nfca_hci_info { struct st21nfca_hci_info {