authorJizhou Liao <Jizhou.Liao@nxp.com>2017-07-18 13:50:02 -0700
committerAndre Eisenbach <eisenbach@google.com>2017-07-20 22:17:49 +0000
commita3c7a1f452eddc1962b3c921381ba1d57158deab (patch)
tree86f4db267344b4d74cbb9fb6f1a3cec703947457 /halimpl
parent75ec928cdd9e1e66c616578b8305be6b84dd602a (diff)
Fix NFC stack crash when firmware download failed
This is a freed-memory issue: the buffer used to read the response from the NFCC, which is linked to the firmware task, has already been freed.
Test: Compiles
Bug: 63679165
Change-Id: I5f68228c3eb41d3369af0c107c9e3b4003b91368
(cherry picked from commit 08e4a9a16b6cb585a455309fc5d025fdd9af2ed2)
Diffstat (limited to 'halimpl')
-rw-r--r--halimpl/pn54x/hal/phNxpNciHal.c33
1 files changed, 18 insertions, 15 deletions
diff --git a/halimpl/pn54x/hal/phNxpNciHal.c b/halimpl/pn54x/hal/phNxpNciHal.c
index 57fbab4..7b4b22c 100644
--- a/halimpl/pn54x/hal/phNxpNciHal.c
+++ b/halimpl/pn54x/hal/phNxpNciHal.c
@@ -272,6 +272,8 @@ static void phNxpNciHal_kill_client_thread(
******************************************************************************/
static NFCSTATUS phNxpNciHal_fw_download(void) {
NFCSTATUS status = NFCSTATUS_FAILED;
+ /*NCI_RESET_CMD*/
+ static uint8_t cmd_reset_nci[] = {0x20, 0x00, 0x01, 0x00};
phNxpNciHal_get_clk_freq();
status = phTmlNfc_IoCtl(phTmlNfc_e_EnableDownloadMode);
@@ -281,6 +283,12 @@ static NFCSTATUS phNxpNciHal_fw_download(void) {
NXPLOG_NCIHAL_D("Calling Seq handler for FW Download \n");
status = phNxpNciHal_fw_download_seq(nxpprofile_ctrl.bClkSrcVal,
nxpprofile_ctrl.bClkFreqVal);
+ if (status != NFCSTATUS_SUCCESS) {
+ /* Abort any pending read and write */
+ phNxpNciHal_send_ext_cmd(sizeof(cmd_reset_nci), cmd_reset_nci);
+ phTmlNfc_ReadAbort();
+ phTmlNfc_WriteAbort();
+ }
phDnldNfc_ReSetHwDevHandle();
} else {
status = NFCSTATUS_FAILED;
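Review bot: The three calls added in the `status != NFCSTATUS_SUCCESS` branch discard their results, so a failed `phTmlNfc_ReadAbort()` is silent. According to the commit description, the pending read is what still refers to the freed response buffer, so a failed abort would leave that read armed with no trace in the log. I would at least log it, for example `if (phTmlNfc_ReadAbort() != NFCSTATUS_SUCCESS) NXPLOG_NCIHAL_E("ReadAbort failed after FW download error");`, and do the same for `phTmlNfc_WriteAbort()`. The reset command is also sent before the abort; that order is carried over from the lines removed further down, but a short comment saying why it is safe to transmit before aborting would help. The body of phNxpNciHal_fw_download continues outside the hunk.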
@@ -623,10 +631,7 @@ init_retry:
if (status != NFCSTATUS_SUCCESS) {
if (NFCSTATUS_SUCCESS != phNxpNciHal_fw_mw_ver_check()) {
NXPLOG_NCIHAL_D("Chip Version Middleware Version mismatch!!!!");
- /* Abort any pending read and write */
- phNxpNciHal_send_ext_cmd(sizeof(cmd_reset_nci), cmd_reset_nci);
- phTmlNfc_ReadAbort();
- phTmlNfc_WriteAbort();
+ phOsalNfc_Timer_Cleanup();
phTmlNfc_Shutdown();
wConfigStatus = NFCSTATUS_FAILED;
goto clean_and_return;
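Review bot: This version-mismatch path no longer aborts pending TML reads and writes itself before `phTmlNfc_Shutdown()`; it now depends on phNxpNciHal_fw_download() having done so on failure. Whether a failed download always precedes this branch cannot be seen from the hunk, so the dependency should be written down where the calls used to be, e.g. `/* pending read/write were aborted in phNxpNciHal_fw_download() on failure */`. If the branch can be reached without a download attempt, the abort calls need to stay here. The enclosing function starts and ends outside the hunk.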
@@ -1811,19 +1816,17 @@ NFCSTATUS phNxpNciHalRFConfigCmdRecSequence() {
status = phNxpNciHal_fw_download();
if (status == NFCSTATUS_SUCCESS) {
fw_download_success = 1;
- status = phTmlNfc_Read(
- nxpncihal_ctrl.p_cmd_data, NCI_MAX_DATA_LEN,
- (pphTmlNfc_TransactCompletionCb_t)&phNxpNciHal_read_complete, NULL);
- if (status != NFCSTATUS_PENDING) {
- NXPLOG_NCIHAL_E("TML Read status error status = %x", status);
- phTmlNfc_Shutdown();
- status = NFCSTATUS_FAILED;
- break;
- }
- } else {
+ }
+ status = phTmlNfc_Read(
+ nxpncihal_ctrl.p_cmd_data, NCI_MAX_DATA_LEN,
+ (pphTmlNfc_TransactCompletionCb_t)&phNxpNciHal_read_complete, NULL);
+ if (status != NFCSTATUS_PENDING) {
+ NXPLOG_NCIHAL_E("TML Read status error status = %x", status);
+ phOsalNfc_Timer_Cleanup();
+ phTmlNfc_Shutdown();
status = NFCSTATUS_FAILED;
- break;
}
+ break;
}
gRecFWDwnld = false;
} while (recFWState--);
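Review bot: The result of `phNxpNciHal_fw_download()` is overwritten by the `phTmlNfc_Read()` call that now runs on both paths. After a failed download with a successfully queued read, the loop is left with `status == NFCSTATUS_PENDING`, and the failure survives only in `fw_download_success`. Keeping the read result in its own variable would preserve it: `NFCSTATUS rd_status = phTmlNfc_Read(...);` followed by `if (rd_status != NFCSTATUS_PENDING) { ... status = NFCSTATUS_FAILED; }`. How callers interpret `status` is outside the hunk and should be checked first. The `break` is now unconditional as well, so `gRecFWDwnld = false;` is skipped whenever this block runs, including after a successful download; if that is intended it deserves a comment. The function body starts and ends outside the hunk.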