- 13 Mar, 2019 1 commit
-
-
YueHaibing authored
[ Upstream commit 58bdd544 ]

KASAN report this:

BUG: KASAN: null-ptr-deref in nfc_llcp_build_gb+0x37f/0x540 [nfc]
Read of size 3 at addr 0000000000000000 by task syz-executor.0/5401
CPU: 0 PID: 5401 Comm: syz-executor.0 Not tainted 5.0.0-rc7+ #45
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xfa/0x1ce lib/dump_stack.c:113
 kasan_report+0x171/0x18d mm/kasan/report.c:321
 memcpy+0x1f/0x50 mm/kasan/common.c:130
 nfc_llcp_build_gb+0x37f/0x540 [nfc]
 nfc_llcp_register_device+0x6eb/0xb50 [nfc]
 nfc_register_device+0x50/0x1d0 [nfc]
 nfcsim_device_new+0x394/0x67d [nfcsim]
 ? 0xffffffffc1080000
 nfcsim_init+0x6b/0x1000 [nfcsim]
 do_one_initcall+0xfa/0x5ca init/main.c:887
 do_init_module+0x204/0x5f6 kernel/module.c:3460
 load_module+0x66b2/0x8570 kernel/module.c:3808
 __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
 do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

nfc_llcp_build_tlv will return NULL on fails, caller should check it, otherwise will trigger a NULL dereference.
Reported-by: Hulk Robot <hulkci@huawei.com>
Fixes: eda21f16 ("NFC: Set MIU and RW values from CONNECT and CC LLCP frames")
Fixes: d646960f ("NFC: Initial LLCP support")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
- 22 Jul, 2018 1 commit
-
-
Tetsuo Handa authored
commit 3bc53be9 upstream.
syzbot is reporting stalls at nfc_llcp_send_ui_frame() [1]. This is because nfc_llcp_send_ui_frame() is retrying the loop without any delay when nonblocking nfc_alloc_send_skb() returned NULL. Since there is no need to use MSG_DONTWAIT if we retry until sock_alloc_send_pskb() succeeds, let's use blocking call. Also, in case an unexpected error occurred, let's break the loop if blocking nfc_alloc_send_skb() failed.
[1] https://syzkaller.appspot.com/bug?id=4a131cc571c3733e0eff6bc673f4e36ae48f19c6
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Reported-by: syzbot <syzbot+d29d18215e477cfbfbdd@syzkaller.appspotmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
- 30 May, 2018 1 commit
-
-
Kees Cook authored
[ Upstream commit fe9c8426 ]
The tlv_len is u8, so we need to limit the size of the SDP URI. Enforce this both in the NLA policy and in the code that performs the allocation and copy, to avoid writing past the end of the allocated buffer.
Fixes: d9b8d8e1 ("NFC: llcp: Service Name Lookup netlink interface")
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
- 06 Jul, 2016 2 commits
-
-
Thierry Escande authored
Once copied into the sk_buff data area using llcp_add_tlv(), the allocated TLVs must be freed. With this patch nfc_llcp_send_connect() and nfc_llcp_send_cc() don't return immediately on success and now free the allocated TLVs.
Signed-off-by: Thierry Escande <thierry.escande@collabora.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
-
Thierry Escande authored
In functions using llcp_add_tlv(), a skb pointer could be set to NULL and then reused afterward. With this patch, the skb pointer returned by llcp_add_tlv() is ignored since it can only be the passed skb pointer or NULL when the passed TLV is NULL. There is also no need to check for the TLV pointer as this is done by llcp_add_tlv().
Signed-off-by: Thierry Escande <thierry.escande@collabora.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
-
- 25 Feb, 2016 1 commit
-
-
Cong Wang authored
These two functions are called in sendmsg path, and the 'len' is passed from user-space, so we should not allow malicious users to OOM kernel on purpose.
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Julian Calaby <julian.calaby@gmail.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
-
- 02 Dec, 2014 1 commit
-
-
Christophe Ricard authored
Fix warnings:
net/nfc/llcp_commands.c:421:14: warning: incorrect type in assignment (different base types)
net/nfc/llcp_commands.c:421:14: expected unsigned short [unsigned] [usertype] miux
net/nfc/llcp_commands.c:421:14: got restricted __be16
net/nfc/llcp_commands.c:477:14: warning: incorrect type in assignment (different base types)
net/nfc/llcp_commands.c:477:14: expected unsigned short [unsigned] [usertype] miux
net/nfc/llcp_commands.c:477:14: got restricted __be16
Procedure to reproduce:
make ARCH=x86_64 allmodconfig
make C=1 CF=-D__CHECK_ENDIAN__
Signed-off-by: Christophe Ricard <christophe-h.ricard@st.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
-
- 24 Nov, 2014 1 commit
-
-
Al Viro authored
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-
- 19 May, 2014 1 commit
-
-
Hiren Tandel authored
This allows for a more generic NFC sniffing by using SOCKPROTO_RAW SOCK_RAW to read RAW NFC frames. This is for sniffing anything but LLCP (HCI, NCI, etc...).
Signed-off-by: Hiren Tandel <hirent@marvell.com>
Signed-off-by: Rahul Tank <rahult@marvell.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
-
- 04 Jan, 2014 2 commits
-
-
Szymon Janc authored
If MIUX is not present in CONNECT or CC use default MIU value (128) instead of one announced during link setup. This was affecting Bluetooth handover with Android 4.3+ NCI stack.
Signed-off-by: Szymon Janc <szymon.janc@gmail.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
-
Szymon Janc authored
If sending was not completed due to low memory condition msg_data was not freed before returning from function.
Signed-off-by: Szymon Janc <szymon.janc@gmail.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
-
- 11 Dec, 2013 1 commit
-
-
Jeff Kirsher authored
Several files refer to an old address for the Free Software Foundation in the file header comment. Resolve by replacing the address with the URL <http://www.gnu.org/licenses/> so that we do not have to keep updating the header comments anytime the address changes.
CC: linux-wireless@vger.kernel.org
CC: Lauro Ramos Venancio <lauro.venancio@openbossa.org>
CC: Aloisio Almeida Jr <aloisio.almeida@openbossa.org>
CC: Samuel Ortiz <sameo@linux.intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
- 14 Jun, 2013 1 commit
-
-
Thierry Escande authored
nfc_llcp_send_disconnect() already exists but is not used. nfc_llcp_disconnect() naming is not consistent with other PDU sending functions. This patch removes nfc_llcp_send_disconnect() and renames nfc_llcp_disconnect()
Signed-off-by: Thierry Escande <thierry.escande@linux.intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
-
- 26 Apr, 2013 1 commit
-
-
Samuel Ortiz authored
And stop making it optional. LLCP is a fundamental part of the NFC specifications and making it optional does not make much sense.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
-
- 11 Apr, 2013 3 commits
-
-
Thierry Escande authored
If remote_miu value is not set in the socket (i.e. connection-less socket) the value stored in the local is used.
Signed-off-by: Thierry Escande <thierry.escande@linux.intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
-
Olivier Guiter authored
LLCP Validation test #2 (Connection-less information transfer) sends a service data unit of zero octets length. This is now handled correctly.
Signed-off-by: Olivier Guiter <olivier.guiter@linux.intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
-
Samuel Ortiz authored
The MIUX must be transmitted in big endian and as such we have to convert it properly.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
-
- 10 Mar, 2013 5 commits
-
-
Thierry Escande authored
If the remote LLC doesn't reply in time to our SNL requests we remove them from the list of pending requests. The timeout is fixed to an arbitrary value of 3 times remote_lto. When not replied, the local LLC broadcasts NFC_EVENT_LLC_SDRES nl events for the concerned uris with sap values set to LLCP_SDP_UNBOUND (which is 65).
Signed-off-by: Thierry Escande <thierry.escande@linux.intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
-
Thierry Escande authored
This adds a netlink interface for service name lookup support. Multiple URIs can be passed nested into the NFC_ATTR_LLC_SDP attribute using the NFC_CMD_LLC_SDREQ netlink command. When the SNL reply is received, a NFC_EVENT_LLC_SDRES event is sent to the user space. URI and SAP tuples are passed back, nested into NFC_ATTR_LLC_SDP attribute.
Signed-off-by: Thierry Escande <thierry.escande@linux.intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
-
Thierry Escande authored
This modifies the way SDRES PDUs are sent back. If multiple SDREQs are received within a single SNL PDU, all SDRES replies are sent packed in one SNL PDU too.
Signed-off-by: Thierry Escande <thierry.escande@linux.intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
-
Samuel Ortiz authored
If the socket link options are set, use them before the local one.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
-
Samuel Ortiz authored
They really are remote peer parameters, and we need to distinguish them from the local ones as we'll modify the latter with socket options.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
-
- 09 Jan, 2013 1 commit
-
-
Thierry Escande authored
Set timestamp in sent and received sk_buffs. timestamp is then put in msghdr structure in llcp_sock_recvmsg().
Signed-off-by: Thierry Escande <thierry.escande@linux.intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
-
- 19 Nov, 2012 2 commits
-
-
Samuel Ortiz authored
When the tx pending queues and/or the socket tx queue is getting too deep, we have to let userspace know. We won't be queueing any more frames until the congestion is fixed.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
-
Samuel Ortiz authored
Using the userspace IO vector directly is wrong, we should copy it from user space first.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
-
- 28 Oct, 2012 1 commit
-
-
Thierry Escande authored
NFC_CMD_LLC_GET_PARAMS: request LTO, RW, and MIUX parameters for a device
NFC_CMD_LLC_SET_PARAMS: set one or more of LTO, RW, and MIUX parameters for a device. LTO must be set before the link is up otherwise -EINPROGRESS is returned. RW and MIUX can be set at anytime and will be passed in subsequent CONNECT and CC messages. If one of the passed parameters is wrong none is set and -EINVAL is returned.
Signed-off-by: Thierry Escande <thierry.escande@linux.intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
-
- 26 Oct, 2012 3 commits
-
-
Samuel Ortiz authored
UI frames still need to follow the MIU rule, and they need to use the client passed dsap as the listening socket dsap is stuck on SDP.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
-
Samuel Ortiz authored
SNL (Service Name Lookup) frames are used to respond to SNL requests. This is needed for SDP implementation.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
-
Samuel Ortiz authored
We no longer need to be atomic as this is only called from llcp_sock_release().
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
-
- 27 Sep, 2012 1 commit
-
-
Thierry Escande authored
This adds support for socket of type SOCK_RAW to LLCP. sk_buff are copied and sent to raw sockets with a 2 bytes extra header:
The first byte header contains the nfc adapter index.
The second one contains flags:
- 0x01 - Direction (0=RX, 1=TX)
- 0x02-0x80 - Reserved
A raw socket has to be explicitly bound to a nfc adapter. This is achieved by specifying the adapter index to be bound to in the dev_idx field of the sockaddr_nfc_llcp struct passed to bind().
Signed-off-by: Thierry Escande <thierry.escande@linux.intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
-
- 04 Jun, 2012 3 commits
-
-
Samuel Ortiz authored
The mask is 0x7ff and not 0x7f and the return value is a u16.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
-
Samuel Ortiz authored
The MIU extension value can be received during the PAX or during the connection establishment process. It's definitely a connection related value rather than a link one.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
-
Samuel Ortiz authored
RW can only be fetched from a CONNECT or a CC frame thus making it an end points specific value, not a link one.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
-
- 16 May, 2012 1 commit
-
-
Samuel Ortiz authored
After testing our stack with large SNEP messages, we realized the fragments were arriving in reversed order.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
- 15 May, 2012 1 commit
-
-
Samuel Ortiz authored
Otherwise an LLCP send() always returns 0.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
- 12 Apr, 2012 3 commits
-
-
Samuel Ortiz authored
dsap and ssap were swapped when sending DN or DISC.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
Samuel Ortiz authored
The if logic could lead to zero length TLVs.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
Samuel Ortiz authored
recv_n is set properly when receiving an HDLC frame.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
- 11 Apr, 2012 1 commit
-
-
Samuel Ortiz authored
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
- 06 Mar, 2012 1 commit
-
-
Samuel Ortiz authored
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
-