Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S934730AbcLTQPL (ORCPT ); Tue, 20 Dec 2016 11:15:11 -0500 Received: from mail-qt0-f174.google.com ([209.85.216.174]:36393 "EHLO mail-qt0-f174.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1763837AbcLTQLM (ORCPT ); Tue, 20 Dec 2016 11:11:12 -0500 From: Geoff Lansberry X-Google-Original-From: Geoff Lansberry To: linux-wireless@vger.kernel.org Cc: lauro.venancio@openbossa.org, aloisio.almeida@openbossa.org, sameo@linux.intel.com, robh+dt@kernel.org, mark.rutland@arm.com, netdev@vger.kernel.org, devicetree@vger.kernel.org, linux-kernel@vger.kernel.org, mgreer@animalcreek.com, justin@kuvee.com, Jaret Cantu , Geoff Lansberry Subject: [PATCH 2/3] nfc: trf7970a: Prevent repeated polling from crashing the kernel Date: Tue, 20 Dec 2016 11:10:47 -0500 Message-Id: <1482250250-4192-4-git-send-email-glansberry@gmail.com> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1482250250-4192-1-git-send-email-glansberry@gmail.com> References: <1482250250-4192-1-git-send-email-glansberry@gmail.com> Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1044 Lines: 29 From: Jaret Cantu Repeated polling attempts cause a NULL dereference error to occur. This is because the state of the trf7970a is currently reading but another request has been made to send a command before it has finished. The solution is to properly kill the waiting reading (workqueue) before failing on the send. --- drivers/nfc/trf7970a.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/nfc/trf7970a.c b/drivers/nfc/trf7970a.c index 94c31f8..e9e93ea 100644 --- a/drivers/nfc/trf7970a.c +++ b/drivers/nfc/trf7970a.c @@ -1496,6 +1496,10 @@ static int trf7970a_send_cmd(struct nfc_digital_dev *ddev, (trf->state != TRF7970A_ST_IDLE_RX_BLOCKED)) { dev_err(trf->dev, "%s - Bogus state: %d\n", __func__, trf->state); + if (trf->state == TRF7970A_ST_WAIT_FOR_RX_DATA || + trf->state == TRF7970A_ST_WAIT_FOR_RX_DATA_CONT) + trf->ignore_timeout = + !cancel_delayed_work(&trf->timeout_work); ret = -EIO; goto out_err; } -- Signed-off-by: Geoff Lansberry