Re: [PATCH 3/3] nfc: trf7970a: Prevent repeated polling from crashing the kernel
On Tue, Dec 20, 2016 at 11:16:32AM -0500, Geoff Lansberry wrote:
> From: Jaret Cantu
>
> Repeated polling attempts cause a NULL dereference error to occur.
> This is because the state of the trf7970a is currently reading but
> another request has been made to send a command before it has finished.

How is this happening? Was trf7970a_abort_cmd() called and it didn't
work right? Was it not called at all and there is a bug in the digital
layer? More details please.

> The solution is to properly kill the waiting reading (workqueue)
> before failing on the send.

If the bug is in the calling code, then that is what should get fixed.
This seems to be a hack to work-around a digital layer bug.

Mark
--
[PATCH 3/3] nfc: trf7970a: Prevent repeated polling from crashing the kernel
From: Jaret CantuRepeated polling attempts cause a NULL dereference error to occur. This is because the state of the trf7970a is currently reading but another request has been made to send a command before it has finished. The solution is to properly kill the waiting reading (workqueue) before failing on the send. --- drivers/nfc/trf7970a.c | 4 1 file changed, 4 insertions(+) diff --git a/drivers/nfc/trf7970a.c b/drivers/nfc/trf7970a.c index 8a88195..5916737 100644 --- a/drivers/nfc/trf7970a.c +++ b/drivers/nfc/trf7970a.c @@ -1496,6 +1496,10 @@ static int trf7970a_send_cmd(struct nfc_digital_dev *ddev, (trf->state != TRF7970A_ST_IDLE_RX_BLOCKED)) { dev_err(trf->dev, "%s - Bogus state: %d\n", __func__, trf->state); + if (trf->state == TRF7970A_ST_WAIT_FOR_RX_DATA || + trf->state == TRF7970A_ST_WAIT_FOR_RX_DATA_CONT) + trf->ignore_timeout = + !cancel_delayed_work(>timeout_work); ret = -EIO; goto out_err; } -- Signed-off-by: Geoff Lansberry
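Review bot: the added branch in trf7970a_send_cmd() cancels the timeout work but leaves trf->state at TRF7970A_ST_WAIT_FOR_RX_DATA or TRF7970A_ST_WAIT_FOR_RX_DATA_CONT before "ret = -EIO; goto out_err;", so as far as this hunk shows the next send fails the same state check and logs "Bogus state" again, and once the cancel succeeds there is no timeout left to end the wait. Either move the state to one the check accepts at this point, or say in the commit message what does that afterwards. The message should also name the pointer that is NULL and the path that reaches it, because the hunk touches only the timeout work and the link from a pending timeout to the dereference is not visible here.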
Re: [PATCH 3/3] nfc: trf7970a: Prevent repeated polling from crashing the kernel
On Thu, Dec 15, 2016 at 05:30:44PM -0500, Geoff Lansberry wrote:
> From: Jaret Cantu
>
> Repeated polling attempts cause a NULL dereference error to occur.
> This is because the current state of the trf7970a is reading but
> a request has been made to send a command.
>
> The solution is to properly kill the waiting reading (workqueue)
> before failing on the send.

Maybe it's just me but I find this description a little hard to grok.
Mind reworking it? The patch itself looks fine.

Thanks,

Mark
--
[PATCH 3/3] nfc: trf7970a: Prevent repeated polling from crashing the kernel
From: Jaret CantuRepeated polling attempts cause a NULL dereference error to occur. This is because the curent state of the trf7970a is reading but a request has been made to send a command. The solution is to properly kill the waiting reading (workqueue) before failing on the send. --- drivers/nfc/trf7970a.c | 4 1 file changed, 4 insertions(+) diff --git a/drivers/nfc/trf7970a.c b/drivers/nfc/trf7970a.c index b4c37ab..f96a321 100644 --- a/drivers/nfc/trf7970a.c +++ b/drivers/nfc/trf7970a.c @@ -1493,6 +1493,10 @@ static int trf7970a_send_cmd(struct nfc_digital_dev *ddev, (trf->state != TRF7970A_ST_IDLE_RX_BLOCKED)) { dev_err(trf->dev, "%s - Bogus state: %d\n", __func__, trf->state); + if (trf->state == TRF7970A_ST_WAIT_FOR_RX_DATA || + trf->state == TRF7970A_ST_WAIT_FOR_RX_DATA_CONT) + trf->ignore_timeout = + !cancel_delayed_work(>timeout_work); ret = -EIO; goto out_err; } -- Signed-off-by: Geoff Lansberry
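Review bot: the added assignment to trf->ignore_timeout takes the negated return of cancel_delayed_work(), and a false return covers two different cases: the handler has already started running, or nothing was queued at all. The call does not wait for a running handler, so the flag only helps if the handler checks it under the same lock this function holds, and in the nothing-queued case the flag is set to true with nothing in the hunk that clears it again. A short comment above the new lines stating which lock serialises this with the timeout handler and where ignore_timeout is reset would make the intent reviewable.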