kernel/linux.git/drivers/nfc, branch v5.10.78Linux kernel stable tree (mirror)https://git.radix-linux.su/kernel/linux.git/atom?h=v5.10.782021-11-02T18:48:19+00:00nfc: port100: fix using -ERRNO as command type mask2021-11-02T18:48:19+00:00Krzysztof Kozlowskikrzysztof.kozlowski@canonical.com2021-10-25T14:49:36+00:00urn:sha1:11c0406b4c3379a410876739b39227446598572a
commit 2195f2062e4cc93870da8e71c318ef98a1c51cef upstream.
During probing, the driver tries to get a list (mask) of supported
command types in port100_get_command_type_mask() function. The value
is u64 and 0 is treated as invalid mask (no commands supported). The
function however returns also -ERRNO as u64 which will be interpret as
valid command mask.
Return 0 on every error case of port100_get_command_type_mask(), so the
probing will stop.
Cc: <stable@vger.kernel.org>
Fixes: 0347a6ab300a ("NFC: port100: Commands mechanism implementation")
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
nfc: nfcsim: fix use after free during module unload2021-08-04T10:46:41+00:00Krzysztof Kozlowskikrzysztof.kozlowski@canonical.com2021-07-28T06:49:09+00:00urn:sha1:9ab284bc35307ffde4f385dd8f3cf853fd9bb264
commit 5e7b30d24a5b8cb691c173b45b50e3ca0191be19 upstream.
There is a use after free memory corruption during module exit:
- nfcsim_exit()
- nfcsim_device_free(dev0)
- nfc_digital_unregister_device()
This iterates over command queue and frees all commands,
- dev->up = false
- nfcsim_link_shutdown()
- nfcsim_link_recv_wake()
This wakes the sleeping thread nfcsim_link_recv_skb().
- nfcsim_link_recv_skb()
Wake from wait_event_interruptible_timeout(),
call directly the deb->cb callback even though (dev->up == false),
- digital_send_cmd_complete()
Dereference of "struct digital_cmd" cmd which was freed earlier by
nfc_digital_unregister_device().
This causes memory corruption shortly after (with unrelated stack
trace):
nfc nfc0: NFC: nfcsim_recv_wq: Device is down
llcp: nfc_llcp_recv: err -19
nfc nfc1: NFC: nfcsim_recv_wq: Device is down
BUG: unable to handle page fault for address: ffffffffffffffed
Call Trace:
fsnotify+0x54b/0x5c0
__fsnotify_parent+0x1fe/0x300
? vfs_write+0x27c/0x390
vfs_write+0x27c/0x390
ksys_write+0x63/0xe0
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x44/0xae
KASAN report:
BUG: KASAN: use-after-free in digital_send_cmd_complete+0x16/0x50
Write of size 8 at addr ffff88800a05f720 by task kworker/0:2/71
Workqueue: events nfcsim_recv_wq [nfcsim]
Call Trace:
dump_stack_lvl+0x45/0x59
print_address_description.constprop.0+0x21/0x140
? digital_send_cmd_complete+0x16/0x50
? digital_send_cmd_complete+0x16/0x50
kasan_report.cold+0x7f/0x11b
? digital_send_cmd_complete+0x16/0x50
? digital_dep_link_down+0x60/0x60
digital_send_cmd_complete+0x16/0x50
nfcsim_recv_wq+0x38f/0x3d5 [nfcsim]
? nfcsim_in_send_cmd+0x4a/0x4a [nfcsim]
? lock_is_held_type+0x98/0x110
? finish_wait+0x110/0x110
? rcu_read_lock_sched_held+0x9c/0xd0
? rcu_read_lock_bh_held+0xb0/0xb0
? lockdep_hardirqs_on_prepare+0x12e/0x1f0
This flow of calling digital_send_cmd_complete() callback on driver exit
is specific to nfcsim which implements reading and sending work queues.
Since the NFC digital device was unregistered, the callback should not
be called.
Fixes: 204bddcb508f ("NFC: nfcsim: Make use of the Digital layer")
Cc: <stable@vger.kernel.org>
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
nfc: pn533: prevent potential memory corruption2021-05-14T07:50:32+00:00Dan Carpenterdan.carpenter@oracle.com2021-04-02T11:44:42+00:00urn:sha1:db574a60c48236addd86113da86f1343078ee4fc
[ Upstream commit ca4d4c34ae9aa5c3c0da76662c5e549d2fc0cc86 ]
If the "type_a->nfcid_len" is too large then it would lead to memory
corruption in pn533_target_found_type_a() when we do:
memcpy(nfc_tgt->nfcid1, tgt_type_a->nfcid_data, nfc_tgt->nfcid1_len);
Fixes: c3b1e1e8a76f ("NFC: Export NFCID1 from pn533")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
nfc: s3fwrn5: Release the nfc firmware2020-12-30T10:53:53+00:00Bongsu Jeonbongsu.jeon@samsung.com2020-12-13T09:58:50+00:00urn:sha1:582e1021fb68aabe386489440f4153a0ff94090f
[ Upstream commit a4485baefa1efa596702ebffd5a9c760d42b14b5 ]
add the code to release the nfc firmware when the firmware image size is
wrong.
Fixes: c04c674fadeb ("nfc: s3fwrn5: Add driver for Samsung S3FWRN5 NFC Chip")
Signed-off-by: Bongsu Jeon <bongsu.jeon@samsung.com>
Reviewed-by: Krzysztof Kozlowski <krzk@kernel.org>
Link: https://lore.kernel.org/r/20201213095850.28169-1-bongsu.jeon@samsung.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
nfc: s3fwrn5: use signed integer for parsing GPIO numbers2020-11-24T23:00:53+00:00Krzysztof Kozlowskikrzk@kernel.org2020-11-23T16:23:51+00:00urn:sha1:d8f0a86795c69f5b697f7d9e5274c124da93c92d
GPIOs - as returned by of_get_named_gpio() and used by the gpiolib - are
signed integers, where negative number indicates error. The return
value of of_get_named_gpio() should not be assigned to an unsigned int
because in case of !CONFIG_GPIOLIB such number would be a valid GPIO.
Fixes: c04c674fadeb ("nfc: s3fwrn5: Add driver for Samsung S3FWRN5 NFC Chip")
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Link: https://lore.kernel.org/r/20201123162351.209100-1-krzk@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
nfc: remove unneeded break2020-10-20T17:36:41+00:00Tom Rixtrix@redhat.com2020-10-19T19:15:00+00:00urn:sha1:618355cc6a0d9c23da2be171b72686f1f94a4fc1
A break is not needed if it is preceded by a return
Signed-off-by: Tom Rix <trix@redhat.com>
Link: https://lore.kernel.org/r/20201019191500.9264-1-trix@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
nfc: s3fwrn5: Constify s3fwrn5_fw_info when not modified2020-09-10T22:22:16+00:00Krzysztof Kozlowskikrzk@kernel.org2020-09-10T16:12:17+00:00urn:sha1:171a7000fa94c7ed30720357bc0b9e8d277d15e5
Two functions accept pointer to struct s3fwrn5_fw_info but do not
modify the contents. Make them const so the code is a little bit safer.
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
nfc: s3fwrn5: Add missing CRYPTO_HASH dependency2020-09-10T22:22:16+00:00Krzysztof Kozlowskikrzk@kernel.org2020-09-10T16:12:16+00:00urn:sha1:4aa62c62d4c41d71b2bda5ed01b78961829ee93c
The driver uses crypto hash functions so it needs to select CRYPTO_HASH.
This fixes build errors:
arc-linux-ld: drivers/nfc/s3fwrn5/firmware.o: in function `s3fwrn5_fw_download':
firmware.c:(.text+0x152): undefined reference to `crypto_alloc_shash'
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
nfc: s3fwrn5: Remove unneeded 'ret' variable2020-09-10T22:22:16+00:00Krzysztof Kozlowskikrzk@kernel.org2020-09-10T16:12:15+00:00urn:sha1:e52e4130ffefaab11c7a09ab83de7022400d5d60
The local variable 'ret' can be removed:
drivers/nfc/s3fwrn5/i2c.c:167:6: warning: variable 'ret' set but not used [-Wunused-but-set-variable]
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
nfc: s3fwrn5: Remove wrong vendor prefix from GPIOs2020-09-10T22:22:16+00:00Krzysztof Kozlowskikrzk@kernel.org2020-09-10T16:12:14+00:00urn:sha1:1995c4cc3ae4070717b07d972e0ee66989375304
The device tree property prefix describes the vendor, which in case of
S3FWRN5 chip is Samsung. Therefore the "s3fwrn5" prefix for "en-gpios"
and "fw-gpios" is not correct and should be deprecated. Introduce
properly named properties for these GPIOs but still support deprecated
ones.
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Tested-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: David S. Miller <davem@davemloft.net>