summaryrefslogtreecommitdiff
path: root/drivers/nfc/pn533
AgeCommit message (Collapse)AuthorFilesLines
2020-01-23NFC: pn533: fix bulk-message timeoutJohan Hovold1-1/+1
commit a112adafcb47760feff959ee1ecd10b74d2c5467 upstream. The driver was doing a synchronous uninterruptible bulk-transfer without using a timeout. This could lead to the driver hanging on probe due to a malfunctioning (or malicious) device until the device is physically disconnected. While sleeping in probe the driver prevents other devices connected to the same hub from being added to (or removed from) the bus. An arbitrary limit of five seconds should be more than enough. Fixes: dbafc28955fa ("NFC: pn533: don't send USB data off of the stack") Signed-off-by: Johan Hovold <johan@kernel.org> Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-11-06NFC: pn533: fix use-after-free and memleaksJohan Hovold1-1/+8
commit 6af3aa57a0984e061f61308fe181a9a12359fecc upstream. The driver would fail to deregister and its class device and free related resources on late probe errors. Reported-by: syzbot+cb035c75c03dbe34b796@syzkaller.appspotmail.com Fixes: 32ecc75ded72 ("NFC: pn533: change order operations in dev registation") Signed-off-by: Johan Hovold <johan@kernel.org> Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-08-24NFC: pn533: Fix wrong GFP flag usageHans de Goede1-2/+2
[ Upstream commit ecc443c03fb14abfb8a6af5e3b2d43b5257e60f2 ] pn533_recv_response() is an urb completion handler, so it must use GFP_ATOMIC. pn533_usb_send_frame() OTOH runs from a regular sleeping context, so the pn533_submit_urb_for_response() there (and only there) can use the regular GFP_KERNEL flags. BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1514134 Fixes: 9815c7cf22da ("NFC: pn533: Separate physical layer from ...") Cc: Michael Thalmeier <michael.thalmeier@hale.at> Signed-off-by: Hans de Goede <hdegoede@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Sasha Levin <alexander.levin@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-06-16NFC: pn533: don't send USB data off of the stackGreg Kroah-Hartman1-12/+30
commit dbafc28955fa6779dc23d1607a0fee5e509a278b upstream. It's amazing that this driver ever worked, but now that x86 doesn't allow USB data to be sent off of the stack, it really does not work at all. Fix this up by properly allocating the data for the small "commands" that get sent to the device off of the stack. We do this for one command by having a whole urb just for ack messages, as they can be submitted in interrupt context, so we can not use usb_bulk_msg(). But the poweron command can sleep (and does), so use usb_bulk_msg() for that transfer. Reported-by: Carlos Manuel Santos <cmmpsantos@gmail.com> Cc: Samuel Ortiz <sameo@linux.intel.com> Cc: Stephen Hemminger <stephen@networkplumber.org> Cc: stable <stable@vger.kernel.org> Reviewed-by: Johan Hovold <johan@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-06-20net: manual clean code which call skb_put_[data:zero]yuan linyu1-2/+2
Signed-off-by: yuan linyu <Linyu.Yuan@alcatel-sbell.com.cn> Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-16networking: add and use skb_put_u8()Johannes Berg1-16/+16
Joe and Bjørn suggested that it'd be nicer to not have the cast in the fairly common case of doing *(u8 *)skb_put(skb, 1) = c; Add skb_put_u8() for this case, and use it across the code, using the following spatch: @@ expression SKB, C, S; typedef u8; identifier fn = {skb_put}; fresh identifier fn2 = fn ## "_u8"; @@ - *(u8 *)fn(SKB, S) = C; + fn2(SKB, C); Note that due to the "S", the spatch isn't perfect, it should have checked that S is 1, but there's also places that use a sizeof expression like sizeof(var) or sizeof(u8) etc. Turns out that nobody ever did something like *(u8 *)skb_put(skb, 2) = c; which would be wrong anyway since the second byte wouldn't be initialized. Suggested-by: Joe Perches <joe@perches.com> Suggested-by: Bjørn Mork <bjorn@mork.no> Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-16networking: make skb_push & __skb_push return void pointersJohannes Berg1-4/+4
It seems like a historic accident that these return unsigned char *, and in many places that means casts are required, more often than not. Make these functions return void * and remove all the casts across the tree, adding a (u8 *) cast only where the unsigned char pointer was used directly, all done with the following spatch: @@ expression SKB, LEN; typedef u8; identifier fn = { skb_push, __skb_push, skb_push_rcsum }; @@ - *(fn(SKB, LEN)) + *(u8 *)fn(SKB, LEN) @@ expression E, SKB, LEN; identifier fn = { skb_push, __skb_push, skb_push_rcsum }; type T; @@ - E = ((T *)(fn(SKB, LEN))) + E = fn(SKB, LEN) @@ expression SKB, LEN; identifier fn = { skb_push, __skb_push, skb_push_rcsum }; @@ - fn(SKB, LEN)[0] + *(u8 *)fn(SKB, LEN) Note that the last part there converts from push(...)[0] to the more idiomatic *(u8 *)push(...). Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-16networking: make skb_put & friends return void pointersJohannes Berg1-16/+16
It seems like a historic accident that these return unsigned char *, and in many places that means casts are required, more often than not. Make these functions (skb_put, __skb_put and pskb_put) return void * and remove all the casts across the tree, adding a (u8 *) cast only where the unsigned char pointer was used directly, all done with the following spatch: @@ expression SKB, LEN; typedef u8; identifier fn = { skb_put, __skb_put }; @@ - *(fn(SKB, LEN)) + *(u8 *)fn(SKB, LEN) @@ expression E, SKB, LEN; identifier fn = { skb_put, __skb_put }; type T; @@ - E = ((T *)(fn(SKB, LEN))) + E = fn(SKB, LEN) which actually doesn't cover pskb_put since there are only three users overall. A handful of stragglers were converted manually, notably a macro in drivers/isdn/i4l/isdn_bsdcomp.c and, oddly enough, one of the many instances in net/bluetooth/hci_sock.c. In the former file, I also had to fix one whitespace problem spatch introduced. Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-16networking: introduce and use skb_put_data()Johannes Berg2-18/+14
A common pattern with skb_put() is to just want to memcpy() some data into the new space, introduce skb_put_data() for this. An spatch similar to the one for skb_put_zero() converts many of the places using it: @@ identifier p, p2; expression len, skb, data; type t, t2; @@ ( -p = skb_put(skb, len); +p = skb_put_data(skb, data, len); | -p = (t)skb_put(skb, len); +p = skb_put_data(skb, data, len); ) ( p2 = (t2)p; -memcpy(p2, data, len); | -memcpy(p, data, len); ) @@ type t, t2; identifier p, p2; expression skb, data; @@ t *p; ... ( -p = skb_put(skb, sizeof(t)); +p = skb_put_data(skb, data, sizeof(t)); | -p = (t *)skb_put(skb, sizeof(t)); +p = skb_put_data(skb, data, sizeof(t)); ) ( p2 = (t2)p; -memcpy(p2, data, sizeof(*p)); | -memcpy(p, data, sizeof(*p)); ) @@ expression skb, len, data; @@ -memcpy(skb_put(skb, len), data, len); +skb_put_data(skb, data, len); (again, manually post-processed to retain some comments) Reviewed-by: Stephen Hemminger <stephen@networkplumber.org> Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-13networking: use skb_put_zero()Johannes Berg1-2/+1
Use the recently introduced helper to replace the pattern of skb_put() && memset(), this transformation was done with the following spatch: @@ identifier p; expression len; expression skb; @@ -p = skb_put(skb, len); -memset(p, 0, len); +p = skb_put_zero(skb, len); Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2017-04-17NFC: pn533: use constant off-stack buffer for sending acksMichał Mirosław2-3/+3
fix for WARN: usb 3-2.4.1: NFC: Exchanging data failed (error 0x13) llcp: nfc_llcp_recv: err -5 llcp: nfc_llcp_symm_timer: SYMM timeout ------------[ cut here ]------------ WARNING: CPU: 1 PID: 26397 at .../drivers/usb/core/hcd.c:1584 usb_hcd_map_urb_for_dma+0x370/0x550 transfer buffer not dma capable [...] Workqueue: events nfc_llcp_timeout_work [nfc] Call Trace: ? dump_stack+0x46/0x5a ? __warn+0xb9/0xe0 ? warn_slowpath_fmt+0x5a/0x80 ? usb_hcd_map_urb_for_dma+0x370/0x550 ? usb_hcd_submit_urb+0x2fb/0xa60 ? dequeue_entity+0x3f2/0xc30 ? pn533_usb_send_ack+0x5d/0x80 [pn533_usb] ? pn533_usb_abort_cmd+0x13/0x20 [pn533_usb] ? pn533_dep_link_down+0x32/0x70 [pn533] ? nfc_dep_link_down+0x87/0xd0 [nfc] [...] usb 3-2.4.1: NFC: Exchanging data failed (error 0x13) llcp: nfc_llcp_recv: err -5 llcp: nfc_llcp_symm_timer: SYMM timeout Signed-off-by: Michał Mirosław <mirq-linux@rere.qmqm.pl> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-04-02NFC: pn533: change order operations in dev registationAndrey Rusalin4-27/+48
Sometimes during probing and registration of pn533_i2c NULL pointer dereference happens. Reproduced in cycle of inserting and removing pn533_i2c and pn533 modules. Backtrace: [<8004205c>] (__queue_work) from [<80042324>] (queue_work_on+0x50/0x5c) r10:acdc7c80 r9:8006b330 r8:ac0dfb40 r7:ac50c600 r6:00000004 r5:acbbee40 r4:600f0113 [<800422d4>] (queue_work_on) from [<7f7d5b6c>] (pn533_recv_frame+0x158/0x1fc [pn533]) r7:ffffff87 r6:00000000 r5:acbbee40 r4:acbbee00 [<7f7d5a14>] (pn533_recv_frame [pn533]) from [<7f7df4b8>] (pn533_i2c_irq_thread_fn+0x184/0x) r6:acb2a000 r5:00000000 r4:acdc7b90 [<7f7df334>] (pn533_i2c_irq_thread_fn [pn533_i2c]) from [<8006b354>] (irq_thread_fn+0x24/0x) r7:00000000 r6:accde000 r5:ac0dfb40 r4:acdc7c80 ... Seems there is some race condition due registration of irq handler until all data stuctures that could be needed are ready. So I re-ordered some ops. After this, problem has gone. Changes in USB part was not tested, but it should not break anything. Signed-off-by: Andrey Rusalin <arusalin@dev.rtsoft.ru> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-04-02NFC: pn533: improve cmd queue handlingAndrey Rusalin1-13/+27
Make sure cmd is set before a frame is passed to the transport layer for sending. In addition pn533_send_async_complete checks if cmd is set before accessing its members. Signed-off-by: Michael Thalmeier <michael.thalmeier@hale.at> Rework a little bit changes in pn532_send_async_complete. Signed-off-by: Andrey Rusalin <arusalin@dev.rtsoft.ru> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-04-02NFC: pn533: change order of free_irq and dev unregistrationAndrey Rusalin1-2/+2
Change order of free_irq and dev unregistration. It fixes situation when device already unregistered and an interrupt happens and nobody can handle it. Signed-off-by: Andrey Rusalin <arusalin@dev.rtsoft.ru> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2017-02-28scripts/spelling.txt: add "omited" pattern and fix typo instancesMasahiro Yamada1-1/+1
Fix typos and add the following to the scripts/spelling.txt: omited||omitted omiting||omitting Link: http://lkml.kernel.org/r/1481573103-11329-26-git-send-email-yamada.masahiro@socionext.com Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-07-04NFC: pn533: double free on error in probe()Dan Carpenter1-6/+3
We can't pass devm_ allocated pointers to kfree() because they will be freed again after the drive is unloaded. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2016-05-10NFC: pn533: handle interrupted commands in pn533_recv_frameMichael Thalmeier1-0/+8
When pn533_recv_frame is called from within abort_command context the current dev->cmd is not guaranteed to be set. Additionally on receiving an error status we can omit frame checking and simply schedule the workqueue. Signed-off-by: Michael Thalmeier <michael.thalmeier@hale.at> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2016-05-10NFC: pn533: reset poll modulation list before calling targets_foundMichael Thalmeier1-3/+3
We need to reset the poll modulation list before calling nfc_targets_found because otherwise userspace could run before the modulation list is cleared and then get a "Cannot activate target while polling" error upon calling activate_target. Signed-off-by: Michael Thalmeier <michael.thalmeier@hale.at> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2016-05-10NFC: pn533: i2c: do not call pn533_recv_frame with aborted commandsMichael Thalmeier1-4/+11
When a command gets aborted the pn533 core does not need any RX frames that may be received until a new frame is sent. Signed-off-by: Michael Thalmeier <michael.thalmeier@hale.at> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2016-05-10NFC: pn533: fix order of initializationMichael Thalmeier4-5/+8
Correctly call nfc_set_parent_dev before nfc_register_device. Otherwise the driver will OOPS when being removed. Signed-off-by: Michael Thalmeier <michael.thalmeier@hale.at> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2016-05-10NFC: pn533: i2c: free irq on driver removeMichael Thalmeier1-0/+2
The requested irq needs to be freed when removing the driver, otherwise a following driver load fails to request the irq. Signed-off-by: Michael Thalmeier <michael.thalmeier@hale.at> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2016-04-10NFC: pn533: add I2C phy driverMichael Thalmeier5-0/+317
This adds the I2C phy interface for the pn533 driver. This way the driver can be used to interact with I2C connected pn532 devices. Signed-off-by: Michael Thalmeier <michael.thalmeier@hale.at> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2016-04-10NFC: pn533: Separate physical layer from the core implementationMichael Thalmeier5-0/+3500
The driver now has all core stuff isolated in one file, and all the hardware link specifics in another. Writing a pn533 driver on top of another hardware link is now just a matter of adding a new file for that new hardware specifics. The first user of this separation will be the i2c based pn532 driver that reuses pn533 core implementation on top of an i2c layer. Signed-off-by: Michael Thalmeier <michael.thalmeier@hale.at> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>