user/sven/linux.git/drivers/nfc, branch v5.14.7 Linux Kernel https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v5.14.7 2021-07-28T09:20:16Z nfc: nfcsim: fix use after free during module unload 2021-07-28T09:20:16Z Krzysztof Kozlowski krzysztof.kozlowski@canonical.com 2021-07-28T06:49:09Z urn:sha1:5e7b30d24a5b8cb691c173b45b50e3ca0191be19 There is a use after free memory corruption during module exit: - nfcsim_exit() - nfcsim_device_free(dev0) - nfc_digital_unregister_device() This iterates over command queue and frees all commands, - dev->up = false - nfcsim_link_shutdown() - nfcsim_link_recv_wake() This wakes the sleeping thread nfcsim_link_recv_skb(). - nfcsim_link_recv_skb() Wake from wait_event_interruptible_timeout(), call directly the deb->cb callback even though (dev->up == false), - digital_send_cmd_complete() Dereference of "struct digital_cmd" cmd which was freed earlier by nfc_digital_unregister_device(). This causes memory corruption shortly after (with unrelated stack trace): nfc nfc0: NFC: nfcsim_recv_wq: Device is down llcp: nfc_llcp_recv: err -19 nfc nfc1: NFC: nfcsim_recv_wq: Device is down BUG: unable to handle page fault for address: ffffffffffffffed Call Trace: fsnotify+0x54b/0x5c0 __fsnotify_parent+0x1fe/0x300 ? vfs_write+0x27c/0x390 vfs_write+0x27c/0x390 ksys_write+0x63/0xe0 do_syscall_64+0x3b/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xae KASAN report: BUG: KASAN: use-after-free in digital_send_cmd_complete+0x16/0x50 Write of size 8 at addr ffff88800a05f720 by task kworker/0:2/71 Workqueue: events nfcsim_recv_wq [nfcsim] Call Trace:  dump_stack_lvl+0x45/0x59  print_address_description.constprop.0+0x21/0x140  ? digital_send_cmd_complete+0x16/0x50  ? digital_send_cmd_complete+0x16/0x50  kasan_report.cold+0x7f/0x11b  ? digital_send_cmd_complete+0x16/0x50  ? digital_dep_link_down+0x60/0x60  digital_send_cmd_complete+0x16/0x50  nfcsim_recv_wq+0x38f/0x3d5 [nfcsim]  ? nfcsim_in_send_cmd+0x4a/0x4a [nfcsim]  ? lock_is_held_type+0x98/0x110  ? finish_wait+0x110/0x110  ? rcu_read_lock_sched_held+0x9c/0xd0  ? rcu_read_lock_bh_held+0xb0/0xb0  ? lockdep_hardirqs_on_prepare+0x12e/0x1f0 This flow of calling digital_send_cmd_complete() callback on driver exit is specific to nfcsim which implements reading and sending work queues. Since the NFC digital device was unregistered, the callback should not be called. Fixes: 204bddcb508f ("NFC: nfcsim: Make use of the Digital layer") Cc: <stable@vger.kernel.org> Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com> Signed-off-by: David S. Miller <davem@davemloft.net> nfc: s3fwrn5: fix undefined parameter values in dev_err() 2021-07-28T08:23:59Z Tang Bin tangbin@cmss.chinamobile.com 2021-07-28T01:49:25Z urn:sha1:46573e3ab08fb041d5ba7bf7bf3215a1e724c78c In the function s3fwrn5_fw_download(), the 'ret' is not assigned, so the correct value should be given in dev_err function. Fixes: a0302ff5906a ("nfc: s3fwrn5: remove unnecessary label") Signed-off-by: Zhang Shengju <zhangshengju@cmss.chinamobile.com> Signed-off-by: Tang Bin <tangbin@cmss.chinamobile.com> Reviewed-by: Nathan Chancellor <nathan@kernel.org> Signed-off-by: David S. Miller <davem@davemloft.net> nfc: s3fwrn5: fix undefined parameter values in dev_err() 2021-07-27T13:02:11Z Tang Bin tangbin@cmss.chinamobile.com 2021-07-27T12:25:06Z urn:sha1:801e541c79bbc63af852ca21b713ba87cc97c6ad In the function s3fwrn5_fw_download(), the 'ret' is not assigned, so the correct value should be given in dev_err function. Fixes: a0302ff5906a ("nfc: s3fwrn5: remove unnecessary label") Signed-off-by: Zhang Shengju <zhangshengju@cmss.chinamobile.com> Signed-off-by: Tang Bin <tangbin@cmss.chinamobile.com> Signed-off-by: David S. Miller <davem@davemloft.net> NFC: nxp-nci: remove unnecessary label 2021-06-18T19:57:30Z wengjianfeng wengjianfeng@yulong.com 2021-06-18T08:52:26Z urn:sha1:7437a2230e3993bb374fe546e5137b94b3ec302b Remove unnecessary label chunk_exit and return directly. Signed-off-by: wengjianfeng <wengjianfeng@yulong.com> Signed-off-by: David S. Miller <davem@davemloft.net> NFC: nxp-nci: remove unnecessary labels 2021-06-18T19:08:39Z wengjianfeng wengjianfeng@yulong.com 2021-06-18T09:10:16Z urn:sha1:96a19319921ceb4b2f4c49d1b9bf9de1161e30ca Simplify the code by removing unnecessary labels and returning directly. Signed-off-by: wengjianfeng <wengjianfeng@yulong.com> Signed-off-by: David S. Miller <davem@davemloft.net> nfc: fdp: remove unnecessary labels 2021-06-11T19:50:32Z wengjianfeng wengjianfeng@yulong.com 2021-06-10T02:46:16Z urn:sha1:43fa32d1cc1b967858ba5786b1b913527f1b10ed Some labels are meaningless, so we delete them and use the return statement instead of the goto statement. Signed-off-by: wengjianfeng <wengjianfeng@yulong.com> Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com> Signed-off-by: David S. Miller <davem@davemloft.net> nfc: mrvl: reduce the scope of local variables 2021-06-03T20:59:08Z Krzysztof Kozlowski krzysztof.kozlowski@canonical.com 2021-06-02T11:20:11Z urn:sha1:2c95e6c7e558f20d309c1385a8bf3ed9da48491e In two places the 'ep_desc' and 'skb' local variables are used only within if() or for() block, so they scope can be reduced which makes the entire code slightly easier to follow. No functional change. Suggested-by: Joe Perches <joe@perches.com> Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com> Signed-off-by: David S. Miller <davem@davemloft.net> nfc: mrvl: remove useless "continue" at end of loop 2021-06-03T20:59:08Z Krzysztof Kozlowski krzysztof.kozlowski@canonical.com 2021-06-02T11:20:10Z urn:sha1:a58224040f2df8381146e7cfba9d657d5683ded1 The "continue" statement at the end of a for loop does not have an effect. Entire loop contents can be slightly simplified to increase code readability. No functional change. Suggested-by: Joe Perches <joe@perches.com> Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com> Signed-off-by: David S. Miller <davem@davemloft.net> NFC: microread: Remove redundant assignment to variable err 2021-06-01T23:58:38Z Nigel Christian nigel.l.christian@gmail.com 2021-06-01T13:35:33Z urn:sha1:e5432cc71ab64b10100a290b7bf32804981c9cb4 In the case MICROREAD_CB_TYPE_READER_ALL clang reports a dead code warning. The error code assigned to variable err is already passed to async_cb(). The assignment is redundant and can be removed. Addresses-Coverity: ("Unused value") Signed-off-by: Nigel Christian <nigel.l.christian@gmail.com> Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com> Signed-off-by: David S. Miller <davem@davemloft.net> nfc: st95hf: fix indentation to tabs 2021-06-01T04:32:37Z Krzysztof Kozlowski krzysztof.kozlowski@canonical.com 2021-05-31T07:39:02Z urn:sha1:e099f3e8b71c212779089429a105b16d51ff6d58 Use tabs to indent instead of spaces. No functional change. Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com> Link: https://lore.kernel.org/r/20210531073902.7111-7-krzysztof.kozlowski@canonical.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>