lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 20 Dec 2016 11:16:32 -0500 From: Geoff Lansberry <geoff@...ee.com> To: linux-wireless@...r.kernel.org Cc: lauro.venancio@...nbossa.org, aloisio.almeida@...nbossa.org, sameo@...ux.intel.com, robh+dt@...nel.org, mark.rutland@....com, netdev@...r.kernel.org, devicetree@...r.kernel.org, linux-kernel@...r.kernel.org, mgreer@...malcreek.com, justin@...ee.com, Jaret Cantu <jaret.cantu@...esys.com>, Geoff Lansberry <geoff@...ee.com> Subject: [PATCH 3/3] nfc: trf7970a: Prevent repeated polling from crashing the kernel From: Jaret Cantu <jaret.cantu@...esys.com> Repeated polling attempts cause a NULL dereference error to occur. This is because the state of the trf7970a is currently reading but another request has been made to send a command before it has finished. The solution is to properly kill the waiting reading (workqueue) before failing on the send. --- drivers/nfc/trf7970a.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/nfc/trf7970a.c b/drivers/nfc/trf7970a.c index 8a88195..5916737 100644 --- a/drivers/nfc/trf7970a.c +++ b/drivers/nfc/trf7970a.c @@ -1496,6 +1496,10 @@ static int trf7970a_send_cmd(struct nfc_digital_dev *ddev, (trf->state != TRF7970A_ST_IDLE_RX_BLOCKED)) { dev_err(trf->dev, "%s - Bogus state: %d\n", __func__, trf->state); + if (trf->state == TRF7970A_ST_WAIT_FOR_RX_DATA || + trf->state == TRF7970A_ST_WAIT_FOR_RX_DATA_CONT) + trf->ignore_timeout = + !cancel_delayed_work(&trf->timeout_work); ret = -EIO; goto out_err; } -- Signed-off-by: Geoff Lansberry <geoff@...ee.com>
Powered by blists - more mailing lists