[PATCH] NFC: microread/pn544: Fix possible null pointer deference error

From: Young Xiao <92siuyang@gmail.com>
To: sameo@linux.intel.com, linux-wireless@vger.kernel.org,
	linux-kernel@vger.kernel.org
Cc: Young Xiao <92siuyang@gmail.com>
Subject: [PATCH] NFC: microread/pn544: Fix possible null pointer deference error
Date: Wed, 29 May 2019 11:43:06 +0800	[thread overview]
Message-ID: <1559101386-26560-1-git-send-email-92siuyang@gmail.com> (raw)

When there is an access phy-hdev in pn544_hci_i2c_irq_thread_fn or
microread_i2c_irq_thread_fn, it is not initialized in pn544_hci_i2c_probe
or microread_i2c_probe.

Therefore, we change the order of calling function xxx_probe and
request_threaded_irq, and add guard of phy->hdev in
xxx_i2c_irq_thread_fn function.

Signed-off-by: Young Xiao <92siuyang@gmail.com>
---
 drivers/nfc/microread/i2c.c | 19 +++++++------------
 drivers/nfc/pn544/i2c.c     | 16 ++++++++--------
 2 files changed, 15 insertions(+), 20 deletions(-)

diff --git a/drivers/nfc/microread/i2c.c b/drivers/nfc/microread/i2c.c
index 1806d20..80fc6d5 100644
--- a/drivers/nfc/microread/i2c.c
+++ b/drivers/nfc/microread/i2c.c
@@ -212,7 +212,7 @@ static irqreturn_t microread_i2c_irq_thread_fn(int irq, void *phy_id)
 	struct sk_buff *skb = NULL;
 	int r;
 
-	if (!phy || irq != phy->i2c_dev->irq) {
+	if (!phy || !phy->hdev || irq != phy->i2c_dev->irq) {
 		WARN_ON_ONCE(1);
 		return IRQ_NONE;
 	}
@@ -257,6 +257,12 @@ static int microread_i2c_probe(struct i2c_client *client,
 
 	i2c_set_clientdata(client, phy);
 	phy->i2c_dev = client;
+	r = microread_probe(phy, &i2c_phy_ops, LLC_SHDLC_NAME,
+			    MICROREAD_I2C_FRAME_HEADROOM,
+			    MICROREAD_I2C_FRAME_TAILROOM,
+			    MICROREAD_I2C_LLC_MAX_PAYLOAD, &phy->hdev);
+	if (r < 0)
+		return r;
 
 	r = request_threaded_irq(client->irq, NULL, microread_i2c_irq_thread_fn,
 				 IRQF_TRIGGER_RISING | IRQF_ONESHOT,
@@ -266,21 +272,10 @@ static int microread_i2c_probe(struct i2c_client *client,
 		return r;
 	}
 
-	r = microread_probe(phy, &i2c_phy_ops, LLC_SHDLC_NAME,
-			    MICROREAD_I2C_FRAME_HEADROOM,
-			    MICROREAD_I2C_FRAME_TAILROOM,
-			    MICROREAD_I2C_LLC_MAX_PAYLOAD, &phy->hdev);
-	if (r < 0)
-		goto err_irq;
 
 	nfc_info(&client->dev, "Probed\n");
 
 	return 0;
-
-err_irq:
-	free_irq(client->irq, phy);
-
-	return r;
 }
 
 static int microread_i2c_remove(struct i2c_client *client)
diff --git a/drivers/nfc/pn544/i2c.c b/drivers/nfc/pn544/i2c.c
index d0207f8..c9694c8 100644
--- a/drivers/nfc/pn544/i2c.c
+++ b/drivers/nfc/pn544/i2c.c
@@ -496,7 +496,7 @@ static irqreturn_t pn544_hci_i2c_irq_thread_fn(int irq, void *phy_id)
 	struct sk_buff *skb = NULL;
 	int r;
 
-	if (!phy || irq != phy->i2c_dev->irq) {
+	if (!phy || !phy->hdev || irq != phy->i2c_dev->irq) {
 		WARN_ON_ONCE(1);
 		return IRQ_NONE;
 	}
@@ -924,6 +924,13 @@ static int pn544_hci_i2c_probe(struct i2c_client *client,
 
 	pn544_hci_i2c_platform_init(phy);
 
+	r = pn544_hci_probe(phy, &i2c_phy_ops, LLC_SHDLC_NAME,
+			    PN544_I2C_FRAME_HEADROOM, PN544_I2C_FRAME_TAILROOM,
+			    PN544_HCI_I2C_LLC_MAX_PAYLOAD,
+			    pn544_hci_i2c_fw_download, &phy->hdev);
+	if (r < 0)
+		return r;
+
 	r = devm_request_threaded_irq(&client->dev, client->irq, NULL,
 				      pn544_hci_i2c_irq_thread_fn,
 				      IRQF_TRIGGER_RISING | IRQF_ONESHOT,
@@ -933,13 +940,6 @@ static int pn544_hci_i2c_probe(struct i2c_client *client,
 		return r;
 	}
 
-	r = pn544_hci_probe(phy, &i2c_phy_ops, LLC_SHDLC_NAME,
-			    PN544_I2C_FRAME_HEADROOM, PN544_I2C_FRAME_TAILROOM,
-			    PN544_HCI_I2C_LLC_MAX_PAYLOAD,
-			    pn544_hci_i2c_fw_download, &phy->hdev);
-	if (r < 0)
-		return r;
-
 	return 0;
 }
 
-- 
2.7.4

