| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <1482380314-16440-3-git-send-email-geoff@kuvee.com>
Date: Wed, 21 Dec 2016 23:18:34 -0500
From: Geoff Lansberry <geoff@...ee.com>
To: linux-wireless@...r.kernel.org
Cc: lauro.venancio@...nbossa.org, aloisio.almeida@...nbossa.org,
sameo@...ux.intel.com, robh+dt@...nel.org, mark.rutland@....com,
netdev@...r.kernel.org, devicetree@...r.kernel.org,
linux-kernel@...r.kernel.org, mgreer@...malcreek.com,
justin@...ee.com, Jaret Cantu <jaret.cantu@...esys.com>,
Geoff Lansberry <geoff@...ee.com>
Subject: [PATCH v3 3/3] nfc: trf7970a: Prevent repeated polling from crashing the kernel
From: Jaret Cantu <jaret.cantu@...esys.com>
Repeated polling attempts cause a NULL dereference error to occur.
This is because the state of the trf7970a is currently reading but
another request has been made to send a command before it has finished.
The solution is to properly kill the waiting reading (workqueue)
before failing on the send.
Signed-off-by: Geoff Lansberry <geoff@...ee.com>
---
drivers/nfc/trf7970a.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/nfc/trf7970a.c b/drivers/nfc/trf7970a.c
index e3c72c6..ba5f9b8 100644
--- a/drivers/nfc/trf7970a.c
+++ b/drivers/nfc/trf7970a.c
@@ -1496,6 +1496,10 @@ static int trf7970a_send_cmd(struct nfc_digital_dev *ddev,
(trf->state != TRF7970A_ST_IDLE_RX_BLOCKED)) {
dev_err(trf->dev, "%s - Bogus state: %d\n", __func__,
trf->state);
+ if (trf->state == TRF7970A_ST_WAIT_FOR_RX_DATA ||
+ trf->state == TRF7970A_ST_WAIT_FOR_RX_DATA_CONT)
+ trf->ignore_timeout =
+ !cancel_delayed_work(&trf->timeout_work);
ret = -EIO;
goto out_err;
}
--
2.7.4
Powered by blists - more mailing lists