From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <ruiyu.ni@intel.com>
Received: from mga07.intel.com (mga07.intel.com [134.134.136.100])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by ml01.01.org (Postfix) with ESMTPS id 4FC4381C59
 for <edk2-devel@lists.01.org>; Wed, 14 Dec 2016 02:01:28 -0800 (PST)
Received: from fmsmga005.fm.intel.com ([10.253.24.32])
 by orsmga105.jf.intel.com with ESMTP; 14 Dec 2016 02:01:27 -0800
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.33,346,1477983600"; d="scan'208";a="42361795"
Received: from ray-dev.ccr.corp.intel.com ([10.239.9.25])
 by fmsmga005.fm.intel.com with ESMTP; 14 Dec 2016 02:01:27 -0800
From: Ruiyu Ni <ruiyu.ni@intel.com>
To: edk2-devel@lists.01.org
Cc: Feng Tian <feng.tian@intel.com>,
	Boaz Kahana <Boaz.Kahana@phoenix.com>
Date: Wed, 14 Dec 2016 18:01:22 +0800
Message-Id: <20161214100122.264152-1-ruiyu.ni@intel.com>
X-Mailer: git-send-email 2.9.0.windows.1
Subject: [PATCH] FatPkg/EnhancedFatDxe: Fix potential hang in async file IO
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: EDK II Development  <edk2-devel.lists.01.org>
List-Unsubscribe: <https://lists.01.org/mailman/options/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=unsubscribe>
List-Archive: <http://lists.01.org/pipermail/edk2-devel/>
List-Post: <mailto:edk2-devel@lists.01.org>
List-Help: <mailto:edk2-devel-request@lists.01.org?subject=help>
List-Subscribe: <https://lists.01.org/mailman/listinfo/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Dec 2016 10:01:28 -0000

FatQueueTask() is running at TPL_APPLICATION, while
FatDestroySubtask() is running at TPL_NOTIFY, it's possible
for a task containing 2 sub tasks, when the for-loop
executes GetNextNode (&Task->Subtasks, Link), the memory
occupied by Link is freed in FatDestroySubtask().

The fix stores the next link in NextLink so that the delete
in FatDestroySubtask() is safe.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Ruiyu Ni <ruiyu.ni@intel.com>
Cc: Feng Tian <feng.tian@intel.com>
Cc: Boaz Kahana <Boaz.Kahana@phoenix.com>
---
 FatPkg/EnhancedFatDxe/Misc.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/FatPkg/EnhancedFatDxe/Misc.c b/FatPkg/EnhancedFatDxe/Misc.c
index c035670..cef1acd 100644
--- a/FatPkg/EnhancedFatDxe/Misc.c
+++ b/FatPkg/EnhancedFatDxe/Misc.c
@@ -1,7 +1,7 @@
 /** @file
   Miscellaneous functions.
 
-Copyright (c) 2005 - 2013, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2005 - 2016, Intel Corporation. All rights reserved.<BR>
 This program and the accompanying materials are licensed and made available
 under the terms and conditions of the BSD License which accompanies this
 distribution. The full text of the license may be found at
@@ -132,6 +132,7 @@ FatQueueTask (
 {
   EFI_STATUS          Status;
   LIST_ENTRY          *Link;
+  LIST_ENTRY          *NextLink;
   FAT_SUBTASK         *Subtask;
 
   //
@@ -149,9 +150,13 @@ FatQueueTask (
   EfiReleaseLock (&FatTaskLock);
 
   Status = EFI_SUCCESS;
-  for ( Link = GetFirstNode (&Task->Subtasks)
+  //
+  // Use NextLink to store the next link since Link might be freed in the end of previous loop,
+  // resulting next link cannot be retrieved from Link.
+  //
+  for ( Link = GetFirstNode (&Task->Subtasks), NextLink = GetNextNode (&Task->Subtasks, Link)
       ; !IsNull (&Task->Subtasks, Link)
-      ; Link = GetNextNode (&Task->Subtasks, Link)
+      ; Link = NextLink, NextLink = GetNextNode (&Task->Subtasks, Link)
       ) {
     Subtask = CR (Link, FAT_SUBTASK, Link, FAT_SUBTASK_SIGNATURE);
     if (Subtask->Write) {
-- 
2.9.0.windows.1