Date: Mon, 11 Nov 2019 10:43:43 +0200
From: Andy Shevchenko
To: Stephan Gerhold
Cc: "David S. Miller", Clément Perrochaud, Charles Gorand, linux-nfc@lists.01.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Sedat Dilek
Subject: Re: [PATCH] NFC: nxp-nci: Fix NULL pointer dereference after I2C communication error
Message-ID: <20191111084343.GM32742@smile.fi.intel.com>
References: <20191110161915.11059-1-stephan@gerhold.net>
Organization: Intel Finland Oy - BIC 0357606-4 - Westendinkatu 7, 02160 Espoo
X-Mailing-List: linux-kernel@vger.kernel.org

On Sun, Nov 10, 2019 at 05:19:15PM +0100, Stephan Gerhold wrote:
> I2C communication errors (-EREMOTEIO) during the IRQ handler of nxp-nci
> result in a NULL pointer dereference at the moment:
>
>   BUG: kernel NULL pointer dereference, address: 0000000000000000
>   Oops: 0002 [#1] PREEMPT SMP NOPTI
>   CPU: 1 PID: 355 Comm: irq/137-nxp-nci Not tainted 5.4.0-rc6 #1
>   RIP: 0010:skb_queue_tail+0x25/0x50
>   Call Trace:
>    nci_recv_frame+0x36/0x90 [nci]
>    nxp_nci_i2c_irq_thread_fn+0xd1/0x285 [nxp_nci_i2c]
>    ? preempt_count_add+0x68/0xa0
>    ? irq_forced_thread_fn+0x80/0x80
>    irq_thread_fn+0x20/0x60
>    irq_thread+0xee/0x180
>    ? wake_threads_waitq+0x30/0x30
>    kthread+0xfb/0x130
>    ? irq_thread_check_affinity+0xd0/0xd0
>    ? kthread_park+0x90/0x90
>    ret_from_fork+0x1f/0x40
>
> Afterward the kernel must be rebooted to work properly again.
>
> This happens because it attempts to call nci_recv_frame() with skb == NULL.
> However, unlike nxp_nci_fw_recv_frame(), nci_recv_frame() does not have any
> NULL checks for skb, causing the NULL pointer dereference.
>
> Change the code to call only nxp_nci_fw_recv_frame() in case of an error.
> Make sure to log it so it is obvious that a communication error occurred.
> The error above then becomes: > > nxp-nci_i2c i2c-NXP1001:00: NFC: Read failed with error -121 > nci: __nci_request: wait_for_completion_interruptible_timeout failed 0 > nxp-nci_i2c i2c-NXP1001:00: NFC: Read failed with error -121 > FWIW, Reviewed-by: Andy Shevchenko > Fixes: 6be88670fc59 ("NFC: nxp-nci_i2c: Add I2C support to NXP NCI driver") > Signed-off-by: Stephan Gerhold > --- > Note: Not sure why NFC is broken on this laptop (a Lenovo ThinkPad L490). > It runs into the I2C communication errors immediately when enabling NFC. > This patch fixes the NULL pointer dereference at least. > --- > drivers/nfc/nxp-nci/i2c.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/drivers/nfc/nxp-nci/i2c.c b/drivers/nfc/nxp-nci/i2c.c > index 307bd2afbe05..4d1909aecd6c 100644 > --- a/drivers/nfc/nxp-nci/i2c.c > +++ b/drivers/nfc/nxp-nci/i2c.c > @@ -220,8 +220,10 @@ static irqreturn_t nxp_nci_i2c_irq_thread_fn(int irq, void *phy_id) > > if (r == -EREMOTEIO) { > phy->hard_fault = r; > - skb = NULL; > - } else if (r < 0) { > + if (info->mode == NXP_NCI_MODE_FW) > + nxp_nci_fw_recv_frame(phy->ndev, NULL); > + } > + if (r < 0) { > nfc_err(&client->dev, "Read failed with error %d\n", r); > goto exit_irq_handled; > } > -- > 2.23.0 > -- With Best Regards, Andy Shevchenko
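
Review bot: In the `r == -EREMOTEIO` branch, the non-firmware case is now left with no notification to the NCI core: `phy->hard_fault` is set and the handler exits, so a pending request ends only through the timeout quoted in the commit message (`__nci_request: wait_for_completion_interruptible_timeout failed 0`). A short comment at that branch, stating that `nci_recv_frame()` must not be called with a NULL skb and that NCI mode relies on `hard_fault` plus the request timeout, would keep a later cleanup from reintroducing the call. Because the new `if (r < 0)` now logs every failed read, including -EREMOTEIO, and the sample output already shows the same "Read failed with error -121" line twice, a rate-limited print is worth considering for hardware where the I2C fault persists.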