<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/git/stable/linux.git/drivers/nfc, branch linux-6.0.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<id>https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/atom?h=linux-6.0.y</id>
<link rel='self' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/atom?h=linux-6.0.y'/>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/'/>
<updated>2022-12-31T12:26:37+00:00</updated>
<entry>
<title>nfc: pn533: Clear nfc_target before being used</title>
<updated>2022-12-31T12:26:37+00:00</updated>
<author>
<name>Minsuk Kang</name>
<email>linuxlovemin@yonsei.ac.kr</email>
</author>
<published>2022-12-14T01:51:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=755019e37815a66bb0a23893debbd3dd640ccbd3'/>
<id>urn:sha1:755019e37815a66bb0a23893debbd3dd640ccbd3</id>
<content type='text'>
[ Upstream commit 9f28157778ede0d4f183f7ab3b46995bb400abbe ]

Fix a slab-out-of-bounds read that occurs in nla_put() called from
nfc_genl_send_target() when target-&gt;sensb_res_len, which is duplicated
from an nfc_target in pn533, is too large as the nfc_target is not
properly initialized and retains garbage values. Clear nfc_targets with
memset() before they are used.

Found by a modified version of syzkaller.

BUG: KASAN: slab-out-of-bounds in nla_put
Call Trace:
 memcpy
 nla_put
 nfc_genl_dump_targets
 genl_lock_dumpit
 netlink_dump
 __netlink_dump_start
 genl_family_rcv_msg_dumpit
 genl_rcv_msg
 netlink_rcv_skb
 genl_rcv
 netlink_unicast
 netlink_sendmsg
 sock_sendmsg
 ____sys_sendmsg
 ___sys_sendmsg
 __sys_sendmsg
 do_syscall_64

Fixes: 673088fb42d0 ("NFC: pn533: Send ATR_REQ directly for active device detection")
Fixes: 361f3cb7f9cf ("NFC: DEP link hook implementation for pn533")
Signed-off-by: Minsuk Kang &lt;linuxlovemin@yonsei.ac.kr&gt;
Reviewed-by: Krzysztof Kozlowski &lt;krzysztof.kozlowski@linaro.org&gt;
Link: https://lore.kernel.org/r/20221214015139.119673-1-linuxlovemin@yonsei.ac.kr
Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
</entry>
<entry>
<title>nfc: st-nci: fix incorrect sizing calculations in EVT_TRANSACTION</title>
<updated>2022-12-02T16:43:09+00:00</updated>
<author>
<name>Martin Faltesek</name>
<email>mfaltesek@google.com</email>
</author>
<published>2022-11-22T00:42:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=7f70bc140c8ec163203497d0c895d28e8db61bb2'/>
<id>urn:sha1:7f70bc140c8ec163203497d0c895d28e8db61bb2</id>
<content type='text'>
[ Upstream commit 0254f31a7df3bb3b90c2d9dd2d4052f7b95eb287 ]

The transaction buffer is allocated by using the size of the packet buf,
and subtracting two which seems intended to remove the two tags which are
not present in the target structure. This calculation leads to under
counting memory because of differences between the packet contents and the
target structure. The aid_len field is a u8 in the packet, but a u32 in
the structure, resulting in at least 3 bytes always being under counted.
Further, the aid data is a variable length field in the packet, but fixed
in the structure, so if this field is less than the max, the difference is
added to the under counting.

To fix, perform validation checks progressively to safely reach the
next field, to determine the size of both buffers and verify both tags.
Once all validation checks pass, allocate the buffer and copy the data.
This eliminates freeing memory on the error path, as validation checks are
moved ahead of memory allocation.

Reported-by: Denis Efremov &lt;denis.e.efremov@oracle.com&gt;
Reviewed-by: Guenter Roeck &lt;groeck@google.com&gt;
Fixes: 5d1ceb7f5e56 ("NFC: st21nfcb: Add HCI transaction event support")
Signed-off-by: Martin Faltesek &lt;mfaltesek@google.com&gt;
Reviewed-by: Krzysztof Kozlowski &lt;krzysztof.kozlowski@linaro.org&gt;
Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
</entry>
<entry>
<title>nfc: st-nci: fix memory leaks in EVT_TRANSACTION</title>
<updated>2022-12-02T16:43:08+00:00</updated>
<author>
<name>Martin Faltesek</name>
<email>mfaltesek@google.com</email>
</author>
<published>2022-11-22T00:42:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=8d6a0e4a124b1ea4f83af4e0bad705c0f0670f58'/>
<id>urn:sha1:8d6a0e4a124b1ea4f83af4e0bad705c0f0670f58</id>
<content type='text'>
[ Upstream commit 440f2ae9c9f06e26f5dcea697a53717fc61a318c ]

Error path does not free previously allocated memory. Add devm_kfree() to
the failure path.

Reported-by: Denis Efremov &lt;denis.e.efremov@oracle.com&gt;
Reviewed-by: Guenter Roeck &lt;groeck@google.com&gt;
Fixes: 5d1ceb7f5e56 ("NFC: st21nfcb: Add HCI transaction event support")
Signed-off-by: Martin Faltesek &lt;mfaltesek@google.com&gt;
Reviewed-by: Krzysztof Kozlowski &lt;krzysztof.kozlowski@linaro.org&gt;
Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
</entry>
<entry>
<title>nfc: st-nci: fix incorrect validating logic in EVT_TRANSACTION</title>
<updated>2022-12-02T16:43:08+00:00</updated>
<author>
<name>Martin Faltesek</name>
<email>mfaltesek@google.com</email>
</author>
<published>2022-11-22T00:42:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=708043455ac1b9986ff7412d0626c11c31707df6'/>
<id>urn:sha1:708043455ac1b9986ff7412d0626c11c31707df6</id>
<content type='text'>
[ Upstream commit c60c152230828825c06e62a8f1ce956d4b659266 ]

The first validation check for EVT_TRANSACTION has two different checks
tied together with logical AND. One is a check for minimum packet length,
and the other is for a valid aid_tag. If either condition is true (fails),
then an error should be triggered. The fix is to change &amp;&amp; to ||.

Reported-by: Denis Efremov &lt;denis.e.efremov@oracle.com&gt;
Reviewed-by: Guenter Roeck &lt;groeck@google.com&gt;
Fixes: 5d1ceb7f5e56 ("NFC: st21nfcb: Add HCI transaction event support")
Signed-off-by: Martin Faltesek &lt;mfaltesek@google.com&gt;
Reviewed-by: Krzysztof Kozlowski &lt;krzysztof.kozlowski@linaro.org&gt;
Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
</entry>
<entry>
<title>nfc: nfcmrvl: Fix potential memory leak in nfcmrvl_i2c_nci_send()</title>
<updated>2022-11-10T17:17:17+00:00</updated>
<author>
<name>Shang XiaoJing</name>
<email>shangxiaojing@huawei.com</email>
</author>
<published>2022-10-27T14:03:32+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=92a1df9c6da20c02cf9872f8b025a66ddb307aeb'/>
<id>urn:sha1:92a1df9c6da20c02cf9872f8b025a66ddb307aeb</id>
<content type='text'>
[ Upstream commit 93d904a734a74c54d945a9884b4962977f1176cd ]

nfcmrvl_i2c_nci_send() will be called by nfcmrvl_nci_send(), and skb
should be freed in nfcmrvl_i2c_nci_send(). However, nfcmrvl_nci_send()
will only free skb when i2c_master_send() return &gt;=0, which means skb
will memleak when i2c_master_send() failed. Free skb no matter whether
i2c_master_send() succeeds.

Fixes: b5b3e23e4cac ("NFC: nfcmrvl: add i2c driver")
Signed-off-by: Shang XiaoJing &lt;shangxiaojing@huawei.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
</entry>
<entry>
<title>nfc: s3fwrn5: Fix potential memory leak in s3fwrn5_nci_send()</title>
<updated>2022-11-10T17:17:17+00:00</updated>
<author>
<name>Shang XiaoJing</name>
<email>shangxiaojing@huawei.com</email>
</author>
<published>2022-10-27T14:03:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=a53e9ef6f4b1a2fe62e71121cc9c9889cf8bf720'/>
<id>urn:sha1:a53e9ef6f4b1a2fe62e71121cc9c9889cf8bf720</id>
<content type='text'>
[ Upstream commit 3a146b7e3099dc7cf3114f627d9b79291e2d2203 ]

s3fwrn5_nci_send() will call s3fwrn5_i2c_write() or s3fwrn82_uart_write(),
and free the skb if write() failed. However, even if the write() run
succeeds, the skb will not be freed in write(). As the result, the skb
will memleak. s3fwrn5_nci_send() should also free the skb when write()
succeeds.

Fixes: c04c674fadeb ("nfc: s3fwrn5: Add driver for Samsung S3FWRN5 NFC Chip")
Signed-off-by: Shang XiaoJing &lt;shangxiaojing@huawei.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
</entry>
<entry>
<title>nfc: nxp-nci: Fix potential memory leak in nxp_nci_send()</title>
<updated>2022-11-10T17:17:17+00:00</updated>
<author>
<name>Shang XiaoJing</name>
<email>shangxiaojing@huawei.com</email>
</author>
<published>2022-10-27T14:03:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=3ecf0f4227029b2c42e036b10ff6e5d09e20821e'/>
<id>urn:sha1:3ecf0f4227029b2c42e036b10ff6e5d09e20821e</id>
<content type='text'>
[ Upstream commit 7bf1ed6aff0f70434bd0cdd45495e83f1dffb551 ]

nxp_nci_send() will call nxp_nci_i2c_write(), and only free skb when
nxp_nci_i2c_write() failed. However, even if the nxp_nci_i2c_write()
run succeeds, the skb will not be freed in nxp_nci_i2c_write(). As the
result, the skb will memleak. nxp_nci_send() should also free the skb
when nxp_nci_i2c_write() succeeds.

Fixes: dece45855a8b ("NFC: nxp-nci: Add support for NXP NCI chips")
Signed-off-by: Shang XiaoJing &lt;shangxiaojing@huawei.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
</entry>
<entry>
<title>nfc: fdp: Fix potential memory leak in fdp_nci_send()</title>
<updated>2022-11-10T17:17:16+00:00</updated>
<author>
<name>Shang XiaoJing</name>
<email>shangxiaojing@huawei.com</email>
</author>
<published>2022-10-27T14:03:29+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=1a7a898f8f7b56c0eaa2baf67a0c96235a30bc29'/>
<id>urn:sha1:1a7a898f8f7b56c0eaa2baf67a0c96235a30bc29</id>
<content type='text'>
[ Upstream commit 8e4aae6b8ca76afb1fb64dcb24be44ba814e7f8a ]

fdp_nci_send() will call fdp_nci_i2c_write that will not free skb in
the function. As a result, when fdp_nci_i2c_write() finished, the skb
will memleak. fdp_nci_send() should free skb after fdp_nci_i2c_write()
finished.

Fixes: a06347c04c13 ("NFC: Add Intel Fields Peak NFC solution driver")
Signed-off-by: Shang XiaoJing &lt;shangxiaojing@huawei.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
</entry>
<entry>
<title>nfc: virtual_ncidev: Fix memory leak in virtual_nci_send()</title>
<updated>2022-11-03T15:00:29+00:00</updated>
<author>
<name>Shang XiaoJing</name>
<email>shangxiaojing@huawei.com</email>
</author>
<published>2022-10-20T03:05:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=2c46a9a5f0b1c7341aa67667801079f3ff571678'/>
<id>urn:sha1:2c46a9a5f0b1c7341aa67667801079f3ff571678</id>
<content type='text'>
[ Upstream commit e840d8f4a1b323973052a1af5ad4edafcde8ae3d ]

skb should be free in virtual_nci_send(), otherwise kmemleak will report
memleak.

Steps for reproduction (simulated in qemu):
	cd tools/testing/selftests/nci
	make
	./nci_dev

BUG: memory leak
unreferenced object 0xffff888107588000 (size 208):
  comm "nci_dev", pid 206, jiffies 4294945376 (age 368.248s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [&lt;000000008d94c8fd&gt;] __alloc_skb+0x1da/0x290
    [&lt;00000000278bc7f8&gt;] nci_send_cmd+0xa3/0x350
    [&lt;0000000081256a22&gt;] nci_reset_req+0x6b/0xa0
    [&lt;000000009e721112&gt;] __nci_request+0x90/0x250
    [&lt;000000005d556e59&gt;] nci_dev_up+0x217/0x5b0
    [&lt;00000000e618ce62&gt;] nfc_dev_up+0x114/0x220
    [&lt;00000000981e226b&gt;] nfc_genl_dev_up+0x94/0xe0
    [&lt;000000009bb03517&gt;] genl_family_rcv_msg_doit.isra.14+0x228/0x2d0
    [&lt;00000000b7f8c101&gt;] genl_rcv_msg+0x35c/0x640
    [&lt;00000000c94075ff&gt;] netlink_rcv_skb+0x11e/0x350
    [&lt;00000000440cfb1e&gt;] genl_rcv+0x24/0x40
    [&lt;0000000062593b40&gt;] netlink_unicast+0x43f/0x640
    [&lt;000000001d0b13cc&gt;] netlink_sendmsg+0x73a/0xbf0
    [&lt;000000003272487f&gt;] __sys_sendto+0x324/0x370
    [&lt;00000000ef9f1747&gt;] __x64_sys_sendto+0xdd/0x1b0
    [&lt;000000001e437841&gt;] do_syscall_64+0x3f/0x90

Fixes: e624e6c3e777 ("nfc: Add a virtual nci device driver")
Signed-off-by: Shang XiaoJing &lt;shangxiaojing@huawei.com&gt;
Reviewed-by: Krzysztof Kozlowski &lt;krzysztof.kozlowski@linaro.org&gt;
Link: https://lore.kernel.org/r/20221020030505.15572-1-shangxiaojing@huawei.com
Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
</entry>
<entry>
<title>nfc: pn533: Fix use-after-free bugs caused by pn532_cmd_timeout</title>
<updated>2022-08-22T13:51:30+00:00</updated>
<author>
<name>Duoming Zhou</name>
<email>duoming@zju.edu.cn</email>
</author>
<published>2022-08-18T09:06:21+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=f1e941dbf80a9b8bab0bffbc4cbe41cc7f4c6fb6'/>
<id>urn:sha1:f1e941dbf80a9b8bab0bffbc4cbe41cc7f4c6fb6</id>
<content type='text'>
When the pn532 uart device is detaching, the pn532_uart_remove()
is called. But there are no functions in pn532_uart_remove() that
could delete the cmd_timeout timer, which will cause use-after-free
bugs. The process is shown below:

    (thread 1)                  |        (thread 2)
                                |  pn532_uart_send_frame
pn532_uart_remove               |    mod_timer(&amp;pn532-&gt;cmd_timeout,...)
  ...                           |    (wait a time)
  kfree(pn532) //FREE           |    pn532_cmd_timeout
                                |      pn532_uart_send_frame
                                |        pn532-&gt;... //USE

This patch adds del_timer_sync() in pn532_uart_remove() in order to
prevent the use-after-free bugs. What's more, the pn53x_unregister_nfc()
is well synchronized, it sets nfc_dev-&gt;shutting_down to true and there
are no syscalls could restart the cmd_timeout timer.

Fixes: c656aa4c27b1 ("nfc: pn533: add UART phy driver")
Signed-off-by: Duoming Zhou &lt;duoming@zju.edu.cn&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
</entry>
</feed>
