Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v6.18.21 2026-01-30T09:32:13+00:00 2026-01-30T09:32:13+00:00 Thadeu Lima de Souza Cascardo cascardo@igalia.com 2026-01-13T20:24:58+00:00 urn:sha1:5d5b227c92721fafe4bf25573777626be3c6930c commit f40ddcc0c0ca1a0122a7f4440b429f97d5832bdf upstream. This reverts commit 068648aab72c9ba7b0597354ef4d81ffaac7b979. NFC packets may have NUL-bytes. Checking for string length is not a correct assumption here. As long as there is a check for the length copied from copy_from_user, all should be fine. The fix only prevented the syzbot reproducer from triggering the bug because the packet is not enqueued anymore and the code that triggers the bug is not exercised. The fix even broke testing/selftests/nci/nci_dev, making all tests there fail. After the revert, 6 out of 8 tests pass. Fixes: 068648aab72c ("nfc/nci: Add the inconsistency check between the input data length and count") Cc: stable@vger.kernel.org Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com> Link: https://patch.msgid.link/20260113202458.449455-1-cascardo@igalia.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2025-05-22T03:31:18+00:00 Sumanth Gavini sumanth.gavini@yahoo.com 2025-05-20T07:21:19+00:00 urn:sha1:bd15b2b26c982540d973b1d672c8aa37dae25a8b Fix the misspelling of "Electronics" in copyright headers across: - s3fwrn5 driver - virtual_ncidev driver Signed-off-by: Sumanth Gavini <sumanth.gavini@yahoo.com> Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org> Link: https://patch.msgid.link/20250520072119.176018-1-sumanth.gavini@yahoo.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> 2024-05-29T12:08:31+00:00 Edward Adam Davis eadavis@qq.com 2024-05-28T03:12:31+00:00 urn:sha1:068648aab72c9ba7b0597354ef4d81ffaac7b979 write$nci(r0, &(0x7f0000000740)=ANY=[@ANYBLOB="610501"], 0xf) Syzbot constructed a write() call with a data length of 3 bytes but a count value of 15, which passed too little data to meet the basic requirements of the function nci_rf_intf_activated_ntf_packet(). Therefore, increasing the comparison between data length and count value to avoid problems caused by inconsistent data length and count. Reported-and-tested-by: syzbot+71bfed2b2bcea46c98f2@syzkaller.appspotmail.com Signed-off-by: Edward Adam Davis <eadavis@qq.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2023-11-22T10:55:48+00:00 Nguyen Dinh Phi phind.uet@gmail.com 2023-11-21T07:53:57+00:00 urn:sha1:84d2db91f14a32dc856a5972e3f0907089093c7a syzbot reported an memory leak that happens when an skb is add to send_buff after virtual nci closed. This patch adds a variable to track if the ndev is running before handling new skb in send function. Signed-off-by: Nguyen Dinh Phi <phind.uet@gmail.com> Reported-by: syzbot+6eb09d75211863f15e3e@syzkaller.appspotmail.com Closes: https://lore.kernel.org/lkml/00000000000075472b06007df4fb@google.com Reviewed-by: Bongsu Jeon Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org> Signed-off-by: David S. Miller <davem@davemloft.net> 2023-08-16T08:54:16+00:00 Li Zetao lizetao1@huawei.com 2023-08-15T07:49:27+00:00 urn:sha1:61a9b174f461de4d0668a98ca2f668b65ebdf131 Use the module_misc_device macro to simplify the code, which is the same as declaring with module_init() and module_exit(). Signed-off-by: Li Zetao <lizetao1@huawei.com> Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org> Signed-off-by: David S. Miller <davem@davemloft.net> 2022-11-17T12:48:01+00:00 Dmitry Vyukov dvyukov@google.com 2022-11-15T10:00:17+00:00 urn:sha1:b2e44aac91b25abbed57d785089c4b7af926a7bd The current virtual nci driver is great for testing and fuzzing. But it allows to create at most one "global" device which does not allow to run parallel tests and harms fuzzing isolation and reproducibility. Restructure the driver to allow creation of multiple independent devices. This should be backwards compatible for existing tests. Signed-off-by: Dmitry Vyukov <dvyukov@google.com> Reviewed-by: Bongsu Jeon <bongsu.jeon@samsung.com> Cc: Bongsu Jeon <bongsu.jeon@samsung.com> Cc: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org> Cc: Jakub Kicinski <kuba@kernel.org> Cc: netdev@vger.kernel.org Link: https://lore.kernel.org/r/20221115100017.787929-1-dvyukov@google.com Signed-off-by: Paolo Abeni <pabeni@redhat.com> 2022-10-21T04:13:04+00:00 Shang XiaoJing shangxiaojing@huawei.com 2022-10-20T03:05:05+00:00 urn:sha1:e840d8f4a1b323973052a1af5ad4edafcde8ae3d skb should be free in virtual_nci_send(), otherwise kmemleak will report memleak. Steps for reproduction (simulated in qemu): cd tools/testing/selftests/nci make ./nci_dev BUG: memory leak unreferenced object 0xffff888107588000 (size 208): comm "nci_dev", pid 206, jiffies 4294945376 (age 368.248s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<000000008d94c8fd>] __alloc_skb+0x1da/0x290 [<00000000278bc7f8>] nci_send_cmd+0xa3/0x350 [<0000000081256a22>] nci_reset_req+0x6b/0xa0 [<000000009e721112>] __nci_request+0x90/0x250 [<000000005d556e59>] nci_dev_up+0x217/0x5b0 [<00000000e618ce62>] nfc_dev_up+0x114/0x220 [<00000000981e226b>] nfc_genl_dev_up+0x94/0xe0 [<000000009bb03517>] genl_family_rcv_msg_doit.isra.14+0x228/0x2d0 [<00000000b7f8c101>] genl_rcv_msg+0x35c/0x640 [<00000000c94075ff>] netlink_rcv_skb+0x11e/0x350 [<00000000440cfb1e>] genl_rcv+0x24/0x40 [<0000000062593b40>] netlink_unicast+0x43f/0x640 [<000000001d0b13cc>] netlink_sendmsg+0x73a/0xbf0 [<000000003272487f>] __sys_sendto+0x324/0x370 [<00000000ef9f1747>] __x64_sys_sendto+0xdd/0x1b0 [<000000001e437841>] do_syscall_64+0x3f/0x90 Fixes: e624e6c3e777 ("nfc: Add a virtual nci device driver") Signed-off-by: Shang XiaoJing <shangxiaojing@huawei.com> Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org> Link: https://lore.kernel.org/r/20221020030505.15572-1-shangxiaojing@huawei.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> 2021-11-26T19:14:31+00:00 Thadeu Lima de Souza Cascardo cascardo@canonical.com 2021-11-25T14:14:57+00:00 urn:sha1:c26381f97e2a7df43826150dc7d4c207bd6794a5 Device permissions is S_IALLUGO, with many unnecessary bits. Remove them and also remove read and write permissions from group and others. Before the change: crwsrwsrwt 1 0 0 10, 125 Nov 25 13:59 /dev/virtual_nci After the change: crw------- 1 0 0 10, 125 Nov 25 14:05 /dev/virtual_nci Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com> Reviewed-by: Bongsu Jeon <bongsu.jeon@samsung.com> Link: https://lore.kernel.org/r/20211125141457.716921-1-cascardo@canonical.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> 2021-08-18T09:17:57+00:00 Bongsu Jeon bongsu.jeon@samsung.com 2021-08-17T13:28:11+00:00 urn:sha1:8675569d73cab15e5127d1f228afd3317cbeb5bf In previous version, the user level virtual device application that used this driver should have the polling scheme to read a NCI frame. To remove this polling scheme, use Wait Queue. Signed-off-by: Bongsu Jeon <bongsu.jeon@samsung.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2021-07-29T11:28:03+00:00 Krzysztof Kozlowski krzysztof.kozlowski@canonical.com 2021-07-29T10:40:15+00:00 urn:sha1:83428dbbac514f33597e6c8c571969027b3fac82 virtual_ncidev_ioctl() does not modify struct nfc_dev, so local variable can be a pointer to const. Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com> Signed-off-by: David S. Miller <davem@davemloft.net>