[PATCH 1/2] nfc: st95hf: drop nfcdev_free

[PATCH 1/2] nfc: st95hf: drop nfcdev_free

[Daniel Mack]

This flag is unneccesary. We can just nullify `ddev' instead after we freed
it.

Signed-off-by: Daniel Mack <daniel@zonque.org>
---
 drivers/nfc/st95hf/core.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/drivers/nfc/st95hf/core.c b/drivers/nfc/st95hf/core.c
index a50a95cfcfd8..ef91ca8b53a4 100644
--- a/drivers/nfc/st95hf/core.c
+++ b/drivers/nfc/st95hf/core.c
@@ -220,7 +220,6 @@ struct st95_digital_cmd_complete_arg {
  *	from threaded ISR. Usage of this mutex avoids any race between
  *	deletion of the object from st95hf_remove() and its access from
  *	the threaded ISR.
- * @nfcdev_free: flag to have the state of nfc device object.
  *	[alive | died]
  * @current_protocol: current nfc protocol.
  * @current_rf_tech: current rf technology.
@@ -237,7 +236,6 @@ struct st95hf_context {
 	unsigned char sendrcv_trflag;
 	struct semaphore exchange_lock;
 	struct mutex rm_lock;
-	bool nfcdev_free;
 	u8 current_protocol;
 	u8 current_rf_tech;
 	int fwi;
@@ -822,8 +820,8 @@ static irqreturn_t st95hf_irq_thread_handler(int irq, void  *st95hfcontext)
 		goto end;
 	}
 
-	/* if stcontext->nfcdev_free is true, it means remove already ran */
-	if (stcontext->nfcdev_free) {
+	/* if stcontext->ddev is %NULL, it means remove already ran */
+	if (!stcontext->ddev) {
 		result = -ENODEV;
 		goto end;
 	}
@@ -1222,7 +1220,7 @@ static int st95hf_remove(struct spi_device *nfc_spi_dev)
 
 	nfc_digital_unregister_device(stcontext->ddev);
 	nfc_digital_free_device(stcontext->ddev);
-	stcontext->nfcdev_free = true;
+	stcontext->ddev = NULL;
 
 	mutex_unlock(&stcontext->rm_lock);
 
-- 
2.17.1

[PATCH 2/2] nfc: st95hf: drop another illegal kfree_skb()

[Daniel Mack]

In the error path of the IRQ handler, don't free the skb in flight. The
callback in the digital core will do that for us, so this is another
double-free that leads to memory corruptions.

The assignment of 'wtx' doesn't make sense as the variable is not read
after it is written. Drop it.

Signed-off-by: Daniel Mack <daniel@zonque.org>
---
 drivers/nfc/st95hf/core.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/drivers/nfc/st95hf/core.c b/drivers/nfc/st95hf/core.c
index ef91ca8b53a4..e651e1aae5a3 100644
--- a/drivers/nfc/st95hf/core.c
+++ b/drivers/nfc/st95hf/core.c
@@ -868,8 +868,6 @@ static irqreturn_t st95hf_irq_thread_handler(int irq, void  *st95hfcontext)
 	return IRQ_HANDLED;
 
 end:
-	kfree_skb(skb_resp);
-	wtx = false;
 	cb_arg->rats = false;
 	skb_resp = ERR_PTR(result);
 	/* call of callback with error */
-- 
2.17.1

Re: [PATCH 2/2] nfc: st95hf: drop another illegal kfree_skb()

[Daniel Mack]

Hi,

I'll resend the two patches in this series as part of a bigger series 
soon, please ignore them for now.


Thanks,
Daniel



On Friday, June 29, 2018 02:47 PM, Daniel Mack wrote:
> In the error path of the IRQ handler, don't free the skb in flight. The
> callback in the digital core will do that for us, so this is another
> double-free that leads to memory corruptions.
> 
> The assignment of 'wtx' doesn't make sense as the variable is not read
> after it is written. Drop it.
> 
> Signed-off-by: Daniel Mack <daniel@zonque.org>
> ---
>   drivers/nfc/st95hf/core.c | 2 --
>   1 file changed, 2 deletions(-)
> 
> diff --git a/drivers/nfc/st95hf/core.c b/drivers/nfc/st95hf/core.c
> index ef91ca8b53a4..e651e1aae5a3 100644
> --- a/drivers/nfc/st95hf/core.c
> +++ b/drivers/nfc/st95hf/core.c
> @@ -868,8 +868,6 @@ static irqreturn_t st95hf_irq_thread_handler(int irq, void  *st95hfcontext)
>   	return IRQ_HANDLED;
>   
>   end:
> -	kfree_skb(skb_resp);
> -	wtx = false;
>   	cb_arg->rats = false;
>   	skb_resp = ERR_PTR(result);
>   	/* call of callback with error */
>