f80cfe2f | 08-Mar-2022 | Pavel Skripkin <paskripkin@gmail.com>

NFC: port100: fix use-after-free in port100_send_complete

Syzbot reported UAF in port100_send_complete(). The root cause is in missing usb_kill_urb() calls on the error handling path of the ->probe function.

port100_send_complete() accesses devm allocated memory which will be freed on probe failure. We should kill these urbs before returning an error from the probe function to prevent the reported use-after-free.

Fail log:

    BUG: KASAN: use-after-free in port100_send_complete+0x16e/0x1a0 drivers/nfc/port100.c:935
    Read of size 1 at addr ffff88801bb59540 by task ksoftirqd/2/26
    ...
    Call Trace:
     <TASK>
     __dump_stack lib/dump_stack.c:88 [inline]
     dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
     print_address_description.constprop.0.cold+0x8d/0x303 mm/kasan/report.c:255
     __kasan_report mm/kasan/report.c:442 [inline]
     kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
     port100_send_complete+0x16e/0x1a0 drivers/nfc/port100.c:935
     __usb_hcd_giveback_urb+0x2b0/0x5c0 drivers/usb/core/hcd.c:1670
    ...
    Allocated by task 1255:
     kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
     kasan_set_track mm/kasan/common.c:45 [inline]
     set_alloc_info mm/kasan/common.c:436 [inline]
     ____kasan_kmalloc mm/kasan/common.c:515 [inline]
     ____kasan_kmalloc mm/kasan/common.c:474 [inline]
     __kasan_kmalloc+0xa6/0xd0 mm/kasan/common.c:524
     alloc_dr drivers/base/devres.c:116 [inline]
     devm_kmalloc+0x96/0x1d0 drivers/base/devres.c:823
     devm_kzalloc include/linux/device.h:209 [inline]
     port100_probe+0x8a/0x1320 drivers/nfc/port100.c:1502
    Freed by task 1255:
     kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
     kasan_set_track+0x21/0x30 mm/kasan/common.c:45
     kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
     ____kasan_slab_free mm/kasan/common.c:366 [inline]
     ____kasan_slab_free+0xff/0x140 mm/kasan/common.c:328
     kasan_slab_free include/linux/kasan.h:236 [inline]
     __cache_free mm/slab.c:3437 [inline]
     kfree+0xf8/0x2b0 mm/slab.c:3794
     release_nodes+0x112/0x1a0 drivers/base/devres.c:501
     devres_release_all+0x114/0x190 drivers/base/devres.c:530
     really_probe+0x626/0xcc0 drivers/base/dd.c:670

Reported-and-tested-by: syzbot+16bcb127fb73baeecb14@syzkaller.appspotmail.com
Fixes: 0347a6ab300a ("NFC: port100: Commands mechanism implementation")
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
Link: https://lore.kernel.org/r/20220308185007.6987-1-paskripkin@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
08fcdfa6 | 07-Nov-2021 | Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>

nfc: port100: lower verbosity of cancelled URB messages

It is not an error to receive an URB with -ENOENT because it can come from regular user operations, e.g. pressing CTRL+C when running nfctool from neard. Make it a debugging message, not an error.

Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2195f206 | 25-Oct-2021 | Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>

nfc: port100: fix using -ERRNO as command type mask

During probing, the driver tries to get a list (mask) of supported command types in the port100_get_command_type_mask() function. The value is u64 and 0 is treated as an invalid mask (no commands supported). The function however also returns -ERRNO as u64, which will be interpreted as a valid command mask.

Return 0 on every error case of port100_get_command_type_mask(), so the probing will stop.

Cc: <stable@vger.kernel.org>
Fixes: 0347a6ab300a ("NFC: port100: Commands mechanism implementation")
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
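The -ERRNO/u64 mix-up described in commit 2195f206 above, shown as an added stand-alone C example (not the driver's or the commit's code): the USB command exchange is replaced by a constructed stub and every name with the demo_ prefix is hypothetical.

```c
/* Added illustration of why returning a negative errno through a u64
 * return value defeats a "zero means no commands" check, as in the
 * port100_get_command_type_mask() bug. Not kernel code: demo_* names are
 * hypothetical and the device exchange is a constructed stub. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t u64;

/* Stand-in for the command round-trip with the device: returns a negative
 * errno on failure, or 0 and fills *mask on success. (Constructed stub.) */
static int demo_cmd_get_command_type(int fail, u64 *mask)
{
	if (fail)
		return -EIO;
	*mask = 0x3; /* constructed: two supported command types */
	return 0;
}

/* Pre-fix pattern: the errno is passed up through the u64 result. */
static u64 demo_get_mask_buggy(int fail)
{
	u64 mask;
	int rc = demo_cmd_get_command_type(fail, &mask);

	if (rc < 0)
		return rc; /* -EIO becomes 0xffff...fffb: non-zero, "valid" */
	return mask;
}

/* Post-fix pattern: every error path returns 0, the "no commands" value. */
static u64 demo_get_mask_fixed(int fail)
{
	u64 mask;

	if (demo_cmd_get_command_type(fail, &mask) < 0)
		return 0;
	return mask;
}

/* Probe-side check as the commit describes it: 0 stops probing.
 * Returns 1 if probe would carry on with this mask, 0 if it would stop. */
static int demo_probe_continues(u64 mask)
{
	return mask != 0;
}

int main(void)
{
	u64 b = demo_get_mask_buggy(1), f = demo_get_mask_fixed(1);

	printf("buggy: mask=%#llx probe continues=%d\n",
	       (unsigned long long)b, demo_probe_continues(b));
	printf("fixed: mask=%#llx probe continues=%d\n",
	       (unsigned long long)f, demo_probe_continues(f));
	return 0;
}
```

With the device failing, the buggy path hands probe a mask with every high bit set, so probe carries on against a device whose capabilities were never read.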
9a4af01c | 28-Jul-2021 | Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>

nfc: port100: constify several pointers

Several functions do not modify pointed data so arguments and local variables can be const for correctness and safety.

Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7186aac9 | 24-Jul-2021 | Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>

nfc: constify nfc_digital_ops

Neither the core nor the drivers modify the passed pointer to struct nfc_digital_ops, so make it a pointer to const for correctness and safety.

Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
c65e7025 | 23-Jul-2021 | Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>

nfc: port100: constify protocol list array

File-scope "port100_protocol" array is read-only and passed as pointer to const, so it can be made a const to increase code safety.

Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
a548bee9 | 28-May-2021 | Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>

nfc: port100: correct kerneldoc for structure

The port100_in_rf_setting structure does not contain valid kerneldoc documentation, unlike the port100_tg_rf_setting structure. Correct the kerneldoc to fix W=1 warnings:

    warning: This comment starts with '/**', but isn't a kernel-doc comment.

Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
Link: https://lore.kernel.org/r/20210528124200.79655-3-krzysztof.kozlowski@canonical.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
718eae27 | 09-Dec-2019 | Mao Wenan <maowenan@huawei.com>

NFC: port100: Convert cpu_to_le16(le16_to_cpu(E1) + E2) to use le16_add_cpu().

Convert cpu_to_le16(le16_to_cpu(frame->datalen) + len) to use le16_add_cpu(), which is more concise and does the same thing.

Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Mao Wenan <maowenan@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
5f9f0b11 | 21-Nov-2019 | Oliver Neukum <oneukum@suse.com>

nfc: port100: handle command failure cleanly

If starting the transfer of a command succeeds but the transfer for the reply fails, it is not enough to initiate killing the transfer for the command, which may still be running. You need to wait for the killing to finish before you can reuse the URB and buffer.

Reported-and-tested-by: syzbot+711468aa5c3a1eabf863@syzkaller.appspotmail.com
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2025cf9e | 29-May-2019 | Thomas Gleixner <tglx@linutronix.de>

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 288

Based on 1 normalized pattern(s):

    this program is free software you can redistribute it and or modify it under the terms and conditions of the gnu general public license version 2 as published by the free software foundation this program is distributed in the hope it will be useful but without any warranty without even the implied warranty of merchantability or fitness for a particular purpose see the gnu general public license for more details

extracted by the scancode license scanner the SPDX license identifier

    GPL-2.0-only

has been chosen to replace the boilerplate/reference in 263 file(s).

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Allison Randal <allison@lohutok.net>
Reviewed-by: Alexios Zavras <alexios.zavras@intel.com>
Cc: linux-spdx@vger.kernel.org
Link: https://lkml.kernel.org/r/20190529141901.208660670@linutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
634fef61 | 16-Jun-2017 | Johannes Berg <johannes.berg@intel.com>

networking: add and use skb_put_u8()

Joe and Bjørn suggested that it'd be nicer to not have the cast in the fairly common case of doing

    *(u8 *)skb_put(skb, 1) = c;

Add skb_put_u8() for this case, and use it across the code, using the following spatch:

    @@
    expression SKB, C, S;
    typedef u8;
    identifier fn = {skb_put};
    fresh identifier fn2 = fn ## "_u8";
    @@
    - *(u8 *)fn(SKB, S) = C;
    + fn2(SKB, C);

Note that due to the "S", the spatch isn't perfect, it should have checked that S is 1, but there's also places that use a sizeof expression like sizeof(var) or sizeof(u8) etc. Turns out that nobody ever did something like

    *(u8 *)skb_put(skb, 2) = c;

which would be wrong anyway since the second byte wouldn't be initialized.

Suggested-by: Joe Perches <joe@perches.com>
Suggested-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
4df864c1 | 16-Jun-2017 | Johannes Berg <johannes.berg@intel.com>

networking: make skb_put & friends return void pointers

It seems like a historic accident that these return unsigned char *, and in many places that means casts are required, more often than not.

Make these functions (skb_put, __skb_put and pskb_put) return void * and remove all the casts across the tree, adding a (u8 *) cast only where the unsigned char pointer was used directly, all done with the following spatch:

    @@
    expression SKB, LEN;
    typedef u8;
    identifier fn = { skb_put, __skb_put };
    @@
    - *(fn(SKB, LEN))
    + *(u8 *)fn(SKB, LEN)

    @@
    expression E, SKB, LEN;
    identifier fn = { skb_put, __skb_put };
    type T;
    @@
    - E = ((T *)(fn(SKB, LEN)))
    + E = fn(SKB, LEN)

which actually doesn't cover pskb_put since there are only three users overall.

A handful of stragglers were converted manually, notably a macro in drivers/isdn/i4l/isdn_bsdcomp.c and, oddly enough, one of the many instances in net/bluetooth/hci_sock.c. In the former file, I also had to fix one whitespace problem spatch introduced.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
59ae1d12 | 16-Jun-2017 | Johannes Berg <johannes.berg@intel.com>

networking: introduce and use skb_put_data()

A common pattern with skb_put() is to just want to memcpy() some data into the new space, introduce skb_put_data() for this.

An spatch similar to the one for skb_put_zero() converts many of the places using it:

    @@
    identifier p, p2;
    expression len, skb, data;
    type t, t2;
    @@
    (
    -p = skb_put(skb, len);
    +p = skb_put_data(skb, data, len);
    |
    -p = (t)skb_put(skb, len);
    +p = skb_put_data(skb, data, len);
    )
    (
    p2 = (t2)p;
    -memcpy(p2, data, len);
    |
    -memcpy(p, data, len);
    )

    @@
    type t, t2;
    identifier p, p2;
    expression skb, data;
    @@
    t *p;
    ...
    (
    -p = skb_put(skb, sizeof(t));
    +p = skb_put_data(skb, data, sizeof(t));
    |
    -p = (t *)skb_put(skb, sizeof(t));
    +p = skb_put_data(skb, data, sizeof(t));
    )
    (
    p2 = (t2)p;
    -memcpy(p2, data, sizeof(*p));
    |
    -memcpy(p, data, sizeof(*p));
    )

    @@
    expression skb, len, data;
    @@
    -memcpy(skb_put(skb, len), data, len);
    +skb_put_data(skb, data, len);

(again, manually post-processed to retain some comments)

Reviewed-by: Stephen Hemminger <stephen@networkplumber.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
24971281 | 03-Feb-2017 | OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>

nfc: Fix hangup of RC-S380* in port100_send_ack()

If port100_send_ack() was called twice or more, it has a race to hangup.

    port100_send_ack()                port100_send_ack()
        init_completion()
        [...]
        dev->cmd_cancel = true
                                      /* this removes previous from completion */
                                      init_completion()
                                      [...]
                                      dev->cmd_cancel = true
        wait_for_completion()
        /* never be waked up */
                                      wait_for_completion()

Like the above race, this code is not assuming port100_send_ack() is called twice or more.

To fix, this checks dev->cmd_cancel to know if a prior cancel is in-flight or not. And never remove the prior task from the completion by using reinit_completion(), so this guarantees it will be woken up properly sooner or later.

Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
0ada0768 | 03-Feb-2017 | OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>

nfc: Fix RC-S380* needs zero-length packet

If sent packet size is wMaxPacketSize boundary, this device doesn't answer. To fix this, we have to send zero-length packet in usb spec.

Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
9728ee92 | 03-Feb-2017 | OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>

nfc: Add support RC-S380P to port100

Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
9f0c4542 | 16-Jun-2016 | Thierry Escande <thierry.escande@collabora.com>

NFC: port100: Abort current command before switching RF off

If a command is still being processed by the device, the switch RF off command will be rejected. With this patch, the port100 driver calls port100_abort_cmd() before sending the switch RF off command.

Signed-off-by: Thierry Escande <thierry.escande@collabora.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
a52bd7d2 | 16-Jun-2016 | Thierry Escande <thierry.escande@collabora.com>

NFC: port100: Make port100_abort_cmd() synchronous

This patch makes the abort_cmd function synchronous. This allows the caller to immediately send a new command after abort_cmd() returns.

Signed-off-by: Thierry Escande <thierry.escande@collabora.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
b74584c1 | 16-Jun-2016 | Thierry Escande <thierry.escande@collabora.com>

NFC: port100: Fix the command cancellation process

The USB out_urb used to send commands to the device can be submitted through the standard command processing queue coming from the Digital Protocol layer but it can also be submitted from port100_abort_cmd(). To not submit the URB while already active, a mutex is now used to protect it and a cmd_cancel flag is used to not send command while canceling the previous one.

Signed-off-by: Thierry Escande <thierry.escande@collabora.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
e3e02588 | 16-Jun-2016 | Thierry Escande <thierry.escande@collabora.com>

NFC: port100: Don't send a new command if one is still pending

This patch ensures that a command is not still in process before sending a new one to the device. This can happen when neard is in constant polling mode: the configure_hw command can be sent when neard restarts polling after a LLCP SYMM timeout but before the device has returned in timeout from the last DEP frame sent.

Signed-off-by: Thierry Escande <thierry.escande@collabora.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
a81ba50a | 07-Jun-2016 | Thierry Escande <thierry.escande@collabora.com>

NFC: port100: Explicitly set NFC-F framing for NFC-DEP

When setting the driver framing as NFC_DIGITAL_FRAMING_NFCF_NFC_DEP it used to be already configured as NFC_DIGITAL_FRAMING_NFCF which is the same. So this entry was empty in the in_protocols table. Now that the digital stack can handle PLS requests, it can be changed on the fly from NFC_DIGITAL_FRAMING_NFCA_NFC_DEP. This patch explicitly defines the framing configuration values for NFC_DIGITAL_FRAMING_NFCF_NFC_DEP.

Signed-off-by: Thierry Escande <thierry.escande@collabora.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
3590ebc0 | 07-Apr-2015 | Joe Perches <joe@perches.com>

NFC: logging neatening

Add missing terminating newlines to nfc_info and nfc_err to avoid possible interleaving from other messages.

Miscellanea:

o typo fix of "unknonwn" in message
o remove unnecessary OOM messages as there's a generic dump_stack()
o realign arguments

Signed-off-by: Joe Perches <joe@perches.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
09592ccf | 11-Apr-2014 | Thierry Escande <thierry.escande@linux.intel.com>

NFC: port100: Add support for type 4B tag

This patch adds support for ISO-DEP protocol over NFC-B rf technology by adding NFC_PROTO_ISO14443_B to the supported protocols and an entry for framing configuration.

Signed-off-by: Thierry Escande <thierry.escande@linux.intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
4aa7ed02 | 14-Feb-2014 | Axel Lin <axel.lin@ingics.com>

NFC: port100: Convert to use USB_DEVICE macro

Signed-off-by: Axel Lin <axel.lin@ingics.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2a26f9a2 | 26-Jan-2014 | Thierry Escande <thierry.escande@linux.intel.com>

NFC: port100: Add support for type 4A tag platform

This adds support for ISO-DEP protocol over NFC-A rf technology. The port100 already supports NFC-A and ATS request and response for type 4A tags are handled at digital level. This patch adds NFC_PROTO_ISO14443 to the supported protocols and an entry for framing configuration which is the same as NFC-A standard frame with CRC handling.

Signed-off-by: Thierry Escande <thierry.escande@linux.intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
d3815ea9 | 26-Jan-2014 | Thierry Escande <thierry.escande@linux.intel.com>

NFC: port100: Fix possible buffer overflow

The arrays for protocols and rf techs must define a number of entries corresponding to their maximum possible index values.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Thierry Escande <thierry.escande@linux.intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
c36aeba8 | 04-Jan-2014 | Alexey Khoroshilov <khoroshilov@ispras.ru>

NFC: port100: Fix device leak

port100_probe() calls usb_get_dev(), but there is no usb_put_dev() in port100_disconnect(). The patch adds one.

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
7227c021 | 03-Oct-2013 | Thierry Escande <thierry.escande@linux.intel.com>

NFC: port100: Add target mode support

This implements the target NFC digital operations tg_configure_hw(), tg_listen(), tg_listen_mdaa(), and tg_send_cmd(). The target mode supports NFC-A technology at 106kbits/s and NFC-F technologies at 212 and 424kbits/s.

Signed-off-by: Thierry Escande <thierry.escande@linux.intel.com>
Cc: Stephen Tiedemann <stephen.tiedemann@gmail.com>
Tested-by: Cho, Yu-Chen <acho@suse.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
9f7b57f2 | 03-Oct-2013 | Thierry Escande <thierry.escande@linux.intel.com>

NFC: port100: Add initiator mode support

This patch implements the initiator NFC operations in_configure_hw() and in_send_cmd(). It also implements the switch_rf() operation. The initiator mode supports NFC-A technology at 106kbits/s and NFC-F technologies at 212 and 424kbits/s.

Signed-off-by: Thierry Escande <thierry.escande@linux.intel.com>
Cc: Stephen Tiedemann <stephen.tiedemann@gmail.com>
Tested-by: Cho, Yu-Chen <acho@suse.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
0347a6ab | 03-Oct-2013 | Thierry Escande <thierry.escande@linux.intel.com>

NFC: port100: Commands mechanism implementation

This patch implements the command handling mechanism.

The digital stack serializes all commands sent to the driver. This means that the digital stack waits for the reply of the current command before sending a new one. So there is no command queue managed at driver level.

All Port-100 commands are asynchronous. If the command has been sent successfully to the device, it replies with an ACK frame. Then the command response is received (or actually no-response in case of timeout or error) and a command complete work on the system workqueue is responsible for sending the response (or the error) back to the digital stack.

The digital stack requires some commands to be synchronous, mainly hardware configuration ones. These commands use the asynchronous command path but are made synchronous by using a completion object.

Signed-off-by: Thierry Escande <thierry.escande@linux.intel.com>
Cc: Stephen Tiedemann <stephen.tiedemann@gmail.com>
Tested-by: Cho, Yu-Chen <acho@suse.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
562d4d59 | 03-Oct-2013 | Thierry Escande <thierry.escande@linux.intel.com>

NFC: Sony Port-100 Series driver

This adds support for the Sony NFC USB dongle RC-S380, based on the Port-100 chip. This dongle is an analog frontend and does not implement the digital layer. This driver uses the nfc_digital module which is an implementation of the NFC Digital Protocol stack.

This patch is a skeleton. It only registers the dongle against the NFC digital protocol stack. All NFC digital operation functions are stubbed out.

Signed-off-by: Thierry Escande <thierry.escande@linux.intel.com>
Cc: Stephen Tiedemann <stephen.tiedemann@gmail.com>
Tested-by: Cho, Yu-Chen <acho@suse.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>