From 81ca7835f2cb0c3ba4236e3bcf31d997c6f5d71a Mon Sep 17 00:00:00 2001 From: Cong Wang Date: Fri, 29 Jan 2016 11:24:24 -0800 Subject: [PATCH 1/5] NFC: Use GFP_USER for user-controlled kmalloc These two functions are called in sendmsg path, and the 'len' is passed from user-space, so we should not allow malicious users to OOM kernel on purpose. Reported-by: Dmitry Vyukov Acked-by: Eric Dumazet Reviewed-by: Julian Calaby Signed-off-by: Cong Wang Signed-off-by: Samuel Ortiz --- net/nfc/llcp_commands.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c index 3621a902cb6e3..3425532c39f78 100644 --- a/net/nfc/llcp_commands.c +++ b/net/nfc/llcp_commands.c @@ -663,7 +663,7 @@ int nfc_llcp_send_i_frame(struct nfc_llcp_sock *sock, return -ENOBUFS; } - msg_data = kzalloc(len, GFP_KERNEL); + msg_data = kmalloc(len, GFP_USER | __GFP_NOWARN); if (msg_data == NULL) return -ENOMEM; @@ -729,7 +729,7 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap, if (local == NULL) return -ENODEV; - msg_data = kzalloc(len, GFP_KERNEL); + msg_data = kmalloc(len, GFP_USER | __GFP_NOWARN); if (msg_data == NULL) return -ENOMEM; From 03c05355543149bf610f4375e8382ee4fc0aaade Mon Sep 17 00:00:00 2001 From: Cong Wang Date: Fri, 29 Jan 2016 11:37:40 -0800 Subject: [PATCH 2/5] NFC: Close a race condition in llcp_sock_getname() llcp_sock_getname() checks llcp_sock->dev to make sure llcp_sock is already connected or bound, however, we could be in the middle of llcp_sock_bind() where llcp_sock->dev is bound and llcp_sock->service_name_len is set, but llcp_sock->service_name is not, in this case we would lead to copy some bytes from a NULL pointer. Just lock the sock since this is not a hot path anyway. Reported-by: Dmitry Vyukov Signed-off-by: Cong Wang Signed-off-by: Samuel Ortiz --- net/nfc/llcp_sock.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c index ecf0a0196f180..b9edf5fae6ae9 100644 --- a/net/nfc/llcp_sock.c +++ b/net/nfc/llcp_sock.c @@ -509,6 +509,11 @@ static int llcp_sock_getname(struct socket *sock, struct sockaddr *uaddr, memset(llcp_addr, 0, sizeof(*llcp_addr)); *len = sizeof(struct sockaddr_nfc_llcp); + lock_sock(sk); + if (!llcp_sock->dev) { + release_sock(sk); + return -EBADFD; + } llcp_addr->sa_family = AF_NFC; llcp_addr->dev_idx = llcp_sock->dev->idx; llcp_addr->target_idx = llcp_sock->target_idx; @@ -518,6 +523,7 @@ static int llcp_sock_getname(struct socket *sock, struct sockaddr *uaddr, llcp_addr->service_name_len = llcp_sock->service_name_len; memcpy(llcp_addr->service_name, llcp_sock->service_name, llcp_addr->service_name_len); + release_sock(sk); return 0; } From dd215430dc9132fc0505cb4d5aa6dc6243ce8f9c Mon Sep 17 00:00:00 2001 From: Mika Westerberg Date: Thu, 3 Mar 2016 11:26:18 +0200 Subject: [PATCH 3/5] NFC: pn544: Drop two useless checks in ACPI probe path When pn544_hci_i2c_acpi_request_resources() gets called we already know that the entries in ->acpi_match_table have matched ACPI ID of the device. In addition I2C client pointer cannot be NULL in any case (otherwise I2C core would not call ->probe() for the driver in the first place). Drop the two useless checks from the driver. Signed-off-by: Mika Westerberg Signed-off-by: Samuel Ortiz --- drivers/nfc/pn544/i2c.c | 14 +------------- 1 file changed, 1 insertion(+), 13 deletions(-) diff --git a/drivers/nfc/pn544/i2c.c b/drivers/nfc/pn544/i2c.c index 76c318444304e..45d0e667d7ae3 100644 --- a/drivers/nfc/pn544/i2c.c +++ b/drivers/nfc/pn544/i2c.c @@ -877,20 +877,8 @@ static void pn544_hci_i2c_fw_work(struct work_struct *work) static int pn544_hci_i2c_acpi_request_resources(struct i2c_client *client) { struct pn544_i2c_phy *phy = i2c_get_clientdata(client); - const struct acpi_device_id *id; struct gpio_desc *gpiod_en, *gpiod_fw; - struct device *dev; - - if (!client) - return -EINVAL; - - dev = &client->dev; - - /* Match the struct device against a given list of ACPI IDs */ - id = acpi_match_device(dev->driver->acpi_match_table, dev); - - if (!id) - return -ENODEV; + struct device *dev = &client->dev; /* Get EN GPIO from ACPI */ gpiod_en = devm_gpiod_get_index(dev, PN544_GPIO_NAME_EN, 1, From 87aca73737e379f079993802d2c43606f7c5d26c Mon Sep 17 00:00:00 2001 From: Jean Delvare Date: Thu, 21 Jan 2016 09:20:12 +0100 Subject: [PATCH 4/5] NFC: microread: Drop platform data header file Originally I only wanted to drop the unneeded inclusion of , but then noticed that struct microread_nfc_platform_data isn't actually used, and MICROREAD_DRIVER_NAME is redefined in the only file where it is used, so we can get rid of the header file and dead code altogether. Signed-off-by: Jean Delvare Cc: Lauro Ramos Venancio Cc: Aloisio Almeida Jr Signed-off-by: Samuel Ortiz --- MAINTAINERS | 1 - drivers/nfc/microread/i2c.c | 8 ------ include/linux/platform_data/microread.h | 35 ------------------------- 3 files changed, 44 deletions(-) delete mode 100644 include/linux/platform_data/microread.h diff --git a/MAINTAINERS b/MAINTAINERS index 355e1c85bad68..5e4e50ff87bb9 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -7644,7 +7644,6 @@ F: net/nfc/ F: include/net/nfc/ F: include/uapi/linux/nfc.h F: drivers/nfc/ -F: include/linux/platform_data/microread.h F: include/linux/platform_data/nfcmrvl.h F: include/linux/platform_data/nxp-nci.h F: include/linux/platform_data/pn544.h diff --git a/drivers/nfc/microread/i2c.c b/drivers/nfc/microread/i2c.c index 918e8f2eac47f..e0e8afd278495 100644 --- a/drivers/nfc/microread/i2c.c +++ b/drivers/nfc/microread/i2c.c @@ -246,18 +246,10 @@ static int microread_i2c_probe(struct i2c_client *client, const struct i2c_device_id *id) { struct microread_i2c_phy *phy; - struct microread_nfc_platform_data *pdata = - dev_get_platdata(&client->dev); int r; dev_dbg(&client->dev, "client %p\n", client); - if (!pdata) { - nfc_err(&client->dev, "client %p: missing platform data\n", - client); - return -EINVAL; - } - phy = devm_kzalloc(&client->dev, sizeof(struct microread_i2c_phy), GFP_KERNEL); if (!phy) diff --git a/include/linux/platform_data/microread.h b/include/linux/platform_data/microread.h deleted file mode 100644 index ca13992089b81..0000000000000 --- a/include/linux/platform_data/microread.h +++ /dev/null @@ -1,35 +0,0 @@ -/* - * Driver include for the Inside Secure microread NFC Chip. - * - * Copyright (C) 2011 Tieto Poland - * Copyright (C) 2012 Intel Corporation. All rights reserved. - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * version 2 as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - */ - -#ifndef _MICROREAD_H -#define _MICROREAD_H - -#include - -#define MICROREAD_DRIVER_NAME "microread" - -/* board config platform data for microread */ -struct microread_nfc_platform_data { - unsigned int rst_gpio; - unsigned int irq_gpio; - unsigned int ioh_gpio; -}; - -#endif /* _MICROREAD_H */ From 079c2652e5af648db6bf4f54bcafdafcc57a0d2c Mon Sep 17 00:00:00 2001 From: Robert Baldyga Date: Thu, 10 Mar 2016 15:22:43 +0100 Subject: [PATCH 5/5] MAINTAINERS: nfc: s3fwrn5: Add second maintainer Add Krzysztof Opasiak as maintainer of S3FWRN5 driver. Signed-off-by: Robert Baldyga Acked-by: Krzysztof Opasiak Signed-off-by: Samuel Ortiz --- MAINTAINERS | 1 + 1 file changed, 1 insertion(+) diff --git a/MAINTAINERS b/MAINTAINERS index 5e4e50ff87bb9..4dd2d37e0f71f 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -9482,6 +9482,7 @@ F: drivers/media/i2c/s5k5baf.c SAMSUNG S3FWRN5 NFC DRIVER M: Robert Baldyga +M: Krzysztof Opasiak L: linux-nfc@lists.01.org (moderated for non-subscribers) S: Supported F: drivers/nfc/s3fwrn5