[syzbot] [net?] [nfc?] KMSAN: uninit-value in nci_dev_up (2)

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit: 89748acdf226 Merge tag 'drm-next-2025-08-01' of https://gi..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=165cfcf0580000
kernel config: https://syzkaller.appspot.com/x/.config?x=7ff65239b4835001
dashboard link: https://syzkaller.appspot.com/bug?extid=740e04c2a93467a0f8c8
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10b88042580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=115cfcf0580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/ce090dd92dc2/disk-89748acd.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/32b5903a7759/vmlinux-89748acd.xz
kernel image: https://storage.googleapis.com/syzbot-assets/dc68a867773d/bzImage-89748acd.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+740e04...@syzkaller.appspotmail.com

=====================================================
BUG: KMSAN: uninit-value in nci_init_req net/nfc/nci/core.c:177 [inline]
BUG: KMSAN: uninit-value in __nci_request net/nfc/nci/core.c:108 [inline]
BUG: KMSAN: uninit-value in nci_open_device net/nfc/nci/core.c:521 [inline]
BUG: KMSAN: uninit-value in nci_dev_up+0x13a2/0x1ba0 net/nfc/nci/core.c:632
nci_init_req net/nfc/nci/core.c:177 [inline]
__nci_request net/nfc/nci/core.c:108 [inline]
nci_open_device net/nfc/nci/core.c:521 [inline]
nci_dev_up+0x13a2/0x1ba0 net/nfc/nci/core.c:632
nfc_dev_up+0x201/0x3d0 net/nfc/core.c:118
nfc_genl_dev_up+0xe9/0x1c0 net/nfc/netlink.c:775
genl_family_rcv_msg_doit+0x335/0x3f0 net/netlink/genetlink.c:1115
genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
genl_rcv_msg+0xacf/0xc10 net/netlink/genetlink.c:1210
netlink_rcv_skb+0x54a/0x680 net/netlink/af_netlink.c:2552
genl_rcv+0x41/0x60 net/netlink/genetlink.c:1219
netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
netlink_unicast+0xf04/0x12b0 net/netlink/af_netlink.c:1346
netlink_sendmsg+0x10b3/0x1250 net/netlink/af_netlink.c:1896
sock_sendmsg_nosec net/socket.c:714 [inline]
__sock_sendmsg+0x333/0x3d0 net/socket.c:729
____sys_sendmsg+0x7e0/0xd80 net/socket.c:2614
___sys_sendmsg+0x271/0x3b0 net/socket.c:2668
__sys_sendmsg net/socket.c:2700 [inline]
__do_sys_sendmsg net/socket.c:2705 [inline]
__se_sys_sendmsg net/socket.c:2703 [inline]
__x64_sys_sendmsg+0x211/0x3e0 net/socket.c:2703
x64_sys_call+0x1dfd/0x3e20 arch/x86/include/generated/asm/syscalls_64.h:47
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
------------[ cut here ]------------
WARNING: CPU: 1 PID: 6169 at kernel/stacktrace.c:29 stack_trace_print+0xd4/0xf0 kernel/stacktrace.c:29
Modules linked in:
CPU: 1 UID: 0 PID: 6169 Comm: syz-executor421 Not tainted 6.16.0-syzkaller-10499-g89748acdf226 #0 PREEMPT(none)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:stack_trace_print+0xd4/0xf0 kernel/stacktrace.c:29
Code: 8f bc 03 92 89 de ba 20 00 00 00 4c 89 e1 e8 c3 5d 4d ff 49 83 c6 08 49 ff cd 0f 85 6e ff ff ff eb 0b e8 ff 26 c3 00 eb d4 90 <0f> 0b 90 5b 41 5c 41 5d 41 5e 41 5f 5d e9 9a 33 07 0f cc 66 0f 1f
RSP: 0018:ffff8881343b31c8 EFLAGS: 00010246
RAX: ffff888114afac20 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff8881343b31f0 R08: 0000000000000000 R09: 0000000000000000
R10: ffff888133bb3208 R11: 0000000000000001 R12: 0000000000000000
R13: 00000000abcd0100 R14: 0000000000000000 R15: 0000000000000000
FS: 00007f0c264ae6c0(0000) GS:ffff8881aa9a5000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f0c26531650 CR3: 00000001193c6000 CR4: 00000000003526f0
Call Trace:
<TASK>
kmsan_print_origin+0xb0/0x340 mm/kmsan/report.c:133
kmsan_report+0x1d3/0x320 mm/kmsan/report.c:196
__msan_warning+0x1b/0x30 mm/kmsan/instrumentation.c:315
nci_init_req net/nfc/nci/core.c:177 [inline]
__nci_request net/nfc/nci/core.c:108 [inline]
nci_open_device net/nfc/nci/core.c:521 [inline]
nci_dev_up+0x13a2/0x1ba0 net/nfc/nci/core.c:632
nfc_dev_up+0x201/0x3d0 net/nfc/core.c:118
nfc_genl_dev_up+0xe9/0x1c0 net/nfc/netlink.c:775
genl_family_rcv_msg_doit+0x335/0x3f0 net/netlink/genetlink.c:1115
genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
genl_rcv_msg+0xacf/0xc10 net/netlink/genetlink.c:1210
netlink_rcv_skb+0x54a/0x680 net/netlink/af_netlink.c:2552
genl_rcv+0x41/0x60 net/netlink/genetlink.c:1219
netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
netlink_unicast+0xf04/0x12b0 net/netlink/af_netlink.c:1346
netlink_sendmsg+0x10b3/0x1250 net/netlink/af_netlink.c:1896
sock_sendmsg_nosec net/socket.c:714 [inline]
__sock_sendmsg+0x333/0x3d0 net/socket.c:729
____sys_sendmsg+0x7e0/0xd80 net/socket.c:2614
___sys_sendmsg+0x271/0x3b0 net/socket.c:2668
__sys_sendmsg net/socket.c:2700 [inline]
__do_sys_sendmsg net/socket.c:2705 [inline]
__se_sys_sendmsg net/socket.c:2703 [inline]
__x64_sys_sendmsg+0x211/0x3e0 net/socket.c:2703
x64_sys_call+0x1dfd/0x3e20 arch/x86/include/generated/asm/syscalls_64.h:47
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f0c264f62c9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 01 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f0c264ae218 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f0c2657f368 RCX: 00007f0c264f62c9
RDX: 0000000000000000 RSI: 0000200000000140 RDI: 0000000000000004
RBP: 00007f0c2657f360 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f0c2654c074
R13: 0000200000000150 R14: 00002000000000c0 R15: 0000200000000300
</TASK>
---[ end trace 0000000000000000 ]---

Uninit was stored to memory at:
nci_core_reset_ntf_packet net/nfc/nci/ntf.c:36 [inline]
nci_ntf_packet+0x179d/0x42b0 net/nfc/nci/ntf.c:812
nci_rx_work+0x403/0x750 net/nfc/nci/core.c:1555
process_one_work kernel/workqueue.c:3236 [inline]
process_scheduled_works+0xb8e/0x1d80 kernel/workqueue.c:3319
worker_thread+0xedf/0x1590 kernel/workqueue.c:3400
kthread+0xd5c/0xf00 kernel/kthread.c:464
ret_from_fork+0x1e0/0x310 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Uninit was created at:
slab_post_alloc_hook mm/slub.c:4186 [inline]
slab_alloc_node mm/slub.c:4229 [inline]
kmem_cache_alloc_node_noprof+0x818/0xf00 mm/slub.c:4281
kmalloc_reserve+0x13c/0x4b0 net/core/skbuff.c:578
__alloc_skb+0x347/0x7d0 net/core/skbuff.c:669
alloc_skb include/linux/skbuff.h:1336 [inline]
virtual_ncidev_write+0x6b/0x430 drivers/nfc/virtual_ncidev.c:120
vfs_write+0x463/0x1580 fs/read_write.c:684
ksys_write fs/read_write.c:738 [inline]
__do_sys_write fs/read_write.c:749 [inline]
__se_sys_write fs/read_write.c:746 [inline]
__x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746
x64_sys_call+0x3014/0x3e20 arch/x86/include/generated/asm/syscalls_64.h:2
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

CPU: 1 UID: 0 PID: 6169 Comm: syz-executor421 Tainted: G W 6.16.0-syzkaller-10499-g89748acdf226 #0 PREEMPT(none)
Tainted: [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
=====================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject:
Author: deepak.t...@gmail.com

#syz test

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: Re: [syzbot] [net?] [nfc?] KMSAN: uninit-value in nci_dev_up (2)
Author: deepak.t...@gmail.com

#syz test

On Wed, Sep 17, 2025 at 6:40 PM Cortex Auth <deepak.t...@gmail.com> wrote:
>
>

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: Re: [syzbot] [net?] [nfc?] KMSAN: uninit-value in nci_dev_up (2)
Author: deepak.t...@gmail.com

#syz test

On Wed, Sep 17, 2025 at 7:25 PM syzbot
<syzbot+740e04...@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot has tested the proposed patch and the reproducer did not trigger any issue:
>
> Reported-by: syzbot+740e04...@syzkaller.appspotmail.com
> Tested-by: syzbot+740e04...@syzkaller.appspotmail.com
>
> Tested on:
>
> commit: 5aca7966 Merge tag 'perf-tools-fixes-for-v6.17-2025-09..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=14cd8c7c580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=1b093ccee5a9e08c
> dashboard link: https://syzkaller.appspot.com/bug?extid=740e04c2a93467a0f8c8
> compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
> patch: https://syzkaller.appspot.com/x/patch.diff?x=13dfaf62580000
>
> Note: testing is done by a robot and is best-effort only.
>
> --
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bug...@googlegroups.com.
> To view this discussion visit https://groups.google.com/d/msgid/syzkaller-bugs/68cabdb6.050a0220.3c6139.0fa6.GAE%40google.com.

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: Re: [syzbot] [net?] [nfc?] KMSAN: uninit-value in nci_dev_up (2)
Author: deepak.t...@gmail.com

#syz test

On Thu, Sep 18, 2025 at 11:29 PM syzbot

<syzbot+740e04...@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot has tested the proposed patch and the reproducer did not trigger any issue:
>
> Reported-by: syzbot+740e04...@syzkaller.appspotmail.com
> Tested-by: syzbot+740e04...@syzkaller.appspotmail.com
>
> Tested on:
>

> commit: 86cc796e Merge tag 'for-linus' of git://git.kernel.org..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=13d94712580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=1b093ccee5a9e08c
> dashboard link: https://syzkaller.appspot.com/bug?extid=740e04c2a93467a0f8c8

> compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8

> patch: https://syzkaller.appspot.com/x/patch.diff?x=162bdf62580000

>
> Note: testing is done by a robot and is best-effort only.
>
> --
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bug...@googlegroups.com.

> To view this discussion visit https://groups.google.com/d/msgid/syzkaller-bugs/68cc4866.050a0220.28a605.000a.GAE%40google.com.

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: Re: [PATCH net v6] net: nfc: nci: Fix parameter validation for packet data
Author: kr...@kernel.org

On 18/02/2026 09:30, Michael Thalmeier wrote:
> Since commit 9c328f54741b ("net: nfc: nci: Add parameter validation for
> packet data") communication with nci nfc chips is not working any more.
>
> The mentioned commit tries to fix access of uninitialized data, but
> failed to understand that in some cases the data packet is of variable
> length and can therefore not be compared to the maximum packet length
> given by the sizeof(struct).
>
> Fixes: 9c328f54741b ("net: nfc: nci: Add parameter validation for packet data")

Reported-by: syzbot+740e04...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=740e04c2a93467a0f8c8

#syz unfix

> Cc: sta...@vger.kernel.org
> Signed-off-by: Michael Thalmeier <michael....@hale.at>
> ---
> v6:
> - use ssize_t for data_len parameter to guard against underflows
> - omit unneeded data_len decrements at the end of the functions
>
> v5:
> - also check helper functions in nci_extract_rf_params_nfcf_passive_listen
> and nci_rf_discover_ntf_packet
>
> v4:
> - formatting fixes
>
> v3:
> - perform complete checks
> - replace magic numbers with offsetofend and sizeof
>
> v2:
> - Reference correct commit hash
>
> ---
> net/nfc/nci/ntf.c | 159 ++++++++++++++++++++++++++++++++++++++++------
> 1 file changed, 141 insertions(+), 18 deletions(-)
>
> diff --git a/net/nfc/nci/ntf.c b/net/nfc/nci/ntf.c
> index 418b84e2b260..c96512bb8653 100644
> --- a/net/nfc/nci/ntf.c
> +++ b/net/nfc/nci/ntf.c
> @@ -58,7 +58,7 @@ static int nci_core_conn_credits_ntf_packet(struct nci_dev *ndev,
> struct nci_conn_info *conn_info;
> int i;
>
> - if (skb->len < sizeof(struct nci_core_conn_credit_ntf))
> + if (skb->len < offsetofend(struct nci_core_conn_credit_ntf, num_entries))
> return -EINVAL;
>
> ntf = (struct nci_core_conn_credit_ntf *)skb->data;
> @@ -68,6 +68,10 @@ static int nci_core_conn_credits_ntf_packet(struct nci_dev *ndev,
> if (ntf->num_entries > NCI_MAX_NUM_CONN)
> ntf->num_entries = NCI_MAX_NUM_CONN;
>
> + if (skb->len < offsetofend(struct nci_core_conn_credit_ntf, num_entries) +
> + ntf->num_entries * sizeof(struct conn_credit_entry))
> + return -EINVAL;
> +
> /* update the credits */
> for (i = 0; i < ntf->num_entries; i++) {
> ntf->conn_entries[i].conn_id =
> @@ -138,23 +142,48 @@ static int nci_core_conn_intf_error_ntf_packet(struct nci_dev *ndev,
> static const __u8 *
> nci_extract_rf_params_nfca_passive_poll(struct nci_dev *ndev,
> struct rf_tech_specific_params_nfca_poll *nfca_poll,
> - const __u8 *data)
> + const __u8 *data, ssize_t data_len)
> {
> + /* Check if we have enough data for sens_res (2 bytes) */
> + if (data_len < 2)
> + return ERR_PTR(-EINVAL);
> +
> nfca_poll->sens_res = __le16_to_cpu(*((__le16 *)data));
> data += 2;
> + data_len -= 2;
> +
> + /* Check if we have enough data for nfcid1_len (1 byte) */
> + if (data_len < 1)
> + return ERR_PTR(-EINVAL);
>
> nfca_poll->nfcid1_len = min_t(__u8, *data++, NFC_NFCID1_MAXSIZE);
> + data_len--;
>
> pr_debug("sens_res 0x%x, nfcid1_len %d\n",
> nfca_poll->sens_res, nfca_poll->nfcid1_len);
>
> + /* Check if we have enough data for nfcid1 */
> + if (data_len < nfca_poll->nfcid1_len)
> + return ERR_PTR(-EINVAL);
> +
> memcpy(nfca_poll->nfcid1, data, nfca_poll->nfcid1_len);
> data += nfca_poll->nfcid1_len;
> + data_len -= nfca_poll->nfcid1_len;
> +
> + /* Check if we have enough data for sel_res_len (1 byte) */
> + if (data_len < 1)
> + return ERR_PTR(-EINVAL);
>
> nfca_poll->sel_res_len = *data++;
> + data_len--;
> +
> + if (nfca_poll->sel_res_len != 0) {
> + /* Check if we have enough data for sel_res (1 byte) */
> + if (data_len < 1)
> + return ERR_PTR(-EINVAL);
>
> - if (nfca_poll->sel_res_len != 0)
> nfca_poll->sel_res = *data++;
> + }
>
> pr_debug("sel_res_len %d, sel_res 0x%x\n",
> nfca_poll->sel_res_len,
> @@ -166,12 +195,21 @@ nci_extract_rf_params_nfca_passive_poll(struct nci_dev *ndev,
> static const __u8 *
> nci_extract_rf_params_nfcb_passive_poll(struct nci_dev *ndev,
> struct rf_tech_specific_params_nfcb_poll *nfcb_poll,
> - const __u8 *data)
> + const __u8 *data, ssize_t data_len)
> {
> + /* Check if we have enough data for sensb_res_len (1 byte) */
> + if (data_len < 1)
> + return ERR_PTR(-EINVAL);
> +
> nfcb_poll->sensb_res_len = min_t(__u8, *data++, NFC_SENSB_RES_MAXSIZE);
> + data_len--;
>
> pr_debug("sensb_res_len %d\n", nfcb_poll->sensb_res_len);
>
> + /* Check if we have enough data for sensb_res */
> + if (data_len < nfcb_poll->sensb_res_len)
> + return ERR_PTR(-EINVAL);
> +
> memcpy(nfcb_poll->sensb_res, data, nfcb_poll->sensb_res_len);
> data += nfcb_poll->sensb_res_len;
>
> @@ -181,14 +219,29 @@ nci_extract_rf_params_nfcb_passive_poll(struct nci_dev *ndev,
> static const __u8 *
> nci_extract_rf_params_nfcf_passive_poll(struct nci_dev *ndev,
> struct rf_tech_specific_params_nfcf_poll *nfcf_poll,
> - const __u8 *data)
> + const __u8 *data, ssize_t data_len)
> {
> + /* Check if we have enough data for bit_rate (1 byte) */
> + if (data_len < 1)
> + return ERR_PTR(-EINVAL);
> +
> nfcf_poll->bit_rate = *data++;
> + data_len--;
> +
> + /* Check if we have enough data for sensf_res_len (1 byte) */
> + if (data_len < 1)
> + return ERR_PTR(-EINVAL);
> +
> nfcf_poll->sensf_res_len = min_t(__u8, *data++, NFC_SENSF_RES_MAXSIZE);
> + data_len--;
>
> pr_debug("bit_rate %d, sensf_res_len %d\n",
> nfcf_poll->bit_rate, nfcf_poll->sensf_res_len);
>
> + /* Check if we have enough data for sensf_res */
> + if (data_len < nfcf_poll->sensf_res_len)
> + return ERR_PTR(-EINVAL);
> +
> memcpy(nfcf_poll->sensf_res, data, nfcf_poll->sensf_res_len);
> data += nfcf_poll->sensf_res_len;
>
> @@ -198,22 +251,49 @@ nci_extract_rf_params_nfcf_passive_poll(struct nci_dev *ndev,
> static const __u8 *
> nci_extract_rf_params_nfcv_passive_poll(struct nci_dev *ndev,
> struct rf_tech_specific_params_nfcv_poll *nfcv_poll,
> - const __u8 *data)
> + const __u8 *data, ssize_t data_len)
> {
> + /* Skip 1 byte (reserved) */
> + if (data_len < 1)
> + return ERR_PTR(-EINVAL);
> +
> ++data;
> + data_len--;
> +
> + /* Check if we have enough data for dsfid (1 byte) */
> + if (data_len < 1)
> + return ERR_PTR(-EINVAL);
> +
> nfcv_poll->dsfid = *data++;
> + data_len--;
> +
> + /* Check if we have enough data for uid (8 bytes) */
> + if (data_len < NFC_ISO15693_UID_MAXSIZE)
> + return ERR_PTR(-EINVAL);
> +
> memcpy(nfcv_poll->uid, data, NFC_ISO15693_UID_MAXSIZE);
> data += NFC_ISO15693_UID_MAXSIZE;
> +
> return data;
> }
>
> static const __u8 *
> nci_extract_rf_params_nfcf_passive_listen(struct nci_dev *ndev,
> struct rf_tech_specific_params_nfcf_listen *nfcf_listen,
> - const __u8 *data)
> + const __u8 *data, ssize_t data_len)
> {
> + /* Check if we have enough data for local_nfcid2_len (1 byte) */
> + if (data_len < 1)
> + return ERR_PTR(-EINVAL);
> +
> nfcf_listen->local_nfcid2_len = min_t(__u8, *data++,
> NFC_NFCID2_MAXSIZE);
> + data_len--;
> +
> + /* Check if we have enough data for local_nfcid2 */
> + if (data_len < nfcf_listen->local_nfcid2_len)
> + return ERR_PTR(-EINVAL);
> +
> memcpy(nfcf_listen->local_nfcid2, data, nfcf_listen->local_nfcid2_len);
> data += nfcf_listen->local_nfcid2_len;
>
> @@ -364,7 +444,7 @@ static int nci_rf_discover_ntf_packet(struct nci_dev *ndev,
> const __u8 *data;
> bool add_target = true;
>
> - if (skb->len < sizeof(struct nci_rf_discover_ntf))
> + if (skb->len < offsetofend(struct nci_rf_discover_ntf, rf_tech_specific_params_len))
> return -EINVAL;
>
> data = skb->data;
> @@ -380,26 +460,42 @@ static int nci_rf_discover_ntf_packet(struct nci_dev *ndev,
> pr_debug("rf_tech_specific_params_len %d\n",
> ntf.rf_tech_specific_params_len);
>
> + if (skb->len < (data - skb->data) +
> + ntf.rf_tech_specific_params_len + sizeof(ntf.ntf_type))
> + return -EINVAL;
> +
> if (ntf.rf_tech_specific_params_len > 0) {
> switch (ntf.rf_tech_and_mode) {
> case NCI_NFC_A_PASSIVE_POLL_MODE:
> data = nci_extract_rf_params_nfca_passive_poll(ndev,
> - &(ntf.rf_tech_specific_params.nfca_poll), data);
> + &(ntf.rf_tech_specific_params.nfca_poll), data,
> + ntf.rf_tech_specific_params_len);
> + if (IS_ERR(data))
> + return PTR_ERR(data);
> break;
>
> case NCI_NFC_B_PASSIVE_POLL_MODE:
> data = nci_extract_rf_params_nfcb_passive_poll(ndev,
> - &(ntf.rf_tech_specific_params.nfcb_poll), data);
> + &(ntf.rf_tech_specific_params.nfcb_poll), data,
> + ntf.rf_tech_specific_params_len);
> + if (IS_ERR(data))
> + return PTR_ERR(data);
> break;
>
> case NCI_NFC_F_PASSIVE_POLL_MODE:
> data = nci_extract_rf_params_nfcf_passive_poll(ndev,
> - &(ntf.rf_tech_specific_params.nfcf_poll), data);
> + &(ntf.rf_tech_specific_params.nfcf_poll), data,
> + ntf.rf_tech_specific_params_len);
> + if (IS_ERR(data))
> + return PTR_ERR(data);
> break;
>
> case NCI_NFC_V_PASSIVE_POLL_MODE:
> data = nci_extract_rf_params_nfcv_passive_poll(ndev,
> - &(ntf.rf_tech_specific_params.nfcv_poll), data);
> + &(ntf.rf_tech_specific_params.nfcv_poll), data,
> + ntf.rf_tech_specific_params_len);
> + if (IS_ERR(data))
> + return PTR_ERR(data);
> break;
>
> default:
> @@ -596,7 +692,7 @@ static int nci_rf_intf_activated_ntf_packet(struct nci_dev *ndev,
> const __u8 *data;
> int err = NCI_STATUS_OK;
>
> - if (skb->len < sizeof(struct nci_rf_intf_activated_ntf))
> + if (skb->len < offsetofend(struct nci_rf_intf_activated_ntf, rf_tech_specific_params_len))
> return -EINVAL;
>
> data = skb->data;
> @@ -628,26 +724,41 @@ static int nci_rf_intf_activated_ntf_packet(struct nci_dev *ndev,
> if (ntf.rf_interface == NCI_RF_INTERFACE_NFCEE_DIRECT)
> goto listen;
>
> + if (skb->len < (data - skb->data) + ntf.rf_tech_specific_params_len)
> + return -EINVAL;
> +
> if (ntf.rf_tech_specific_params_len > 0) {
> switch (ntf.activation_rf_tech_and_mode) {
> case NCI_NFC_A_PASSIVE_POLL_MODE:
> data = nci_extract_rf_params_nfca_passive_poll(ndev,
> - &(ntf.rf_tech_specific_params.nfca_poll), data);
> + &(ntf.rf_tech_specific_params.nfca_poll), data,
> + ntf.rf_tech_specific_params_len);
> + if (IS_ERR(data))
> + return -EINVAL;
> break;
>
> case NCI_NFC_B_PASSIVE_POLL_MODE:
> data = nci_extract_rf_params_nfcb_passive_poll(ndev,
> - &(ntf.rf_tech_specific_params.nfcb_poll), data);
> + &(ntf.rf_tech_specific_params.nfcb_poll), data,
> + ntf.rf_tech_specific_params_len);
> + if (IS_ERR(data))
> + return -EINVAL;
> break;
>
> case NCI_NFC_F_PASSIVE_POLL_MODE:
> data = nci_extract_rf_params_nfcf_passive_poll(ndev,
> - &(ntf.rf_tech_specific_params.nfcf_poll), data);
> + &(ntf.rf_tech_specific_params.nfcf_poll), data,
> + ntf.rf_tech_specific_params_len);
> + if (IS_ERR(data))
> + return -EINVAL;
> break;
>
> case NCI_NFC_V_PASSIVE_POLL_MODE:
> data = nci_extract_rf_params_nfcv_passive_poll(ndev,
> - &(ntf.rf_tech_specific_params.nfcv_poll), data);
> + &(ntf.rf_tech_specific_params.nfcv_poll), data,
> + ntf.rf_tech_specific_params_len);
> + if (IS_ERR(data))
> + return -EINVAL;
> break;
>
> case NCI_NFC_A_PASSIVE_LISTEN_MODE:
> @@ -657,7 +768,9 @@ static int nci_rf_intf_activated_ntf_packet(struct nci_dev *ndev,
> case NCI_NFC_F_PASSIVE_LISTEN_MODE:
> data = nci_extract_rf_params_nfcf_passive_listen(ndev,
> &(ntf.rf_tech_specific_params.nfcf_listen),
> - data);
> + data, ntf.rf_tech_specific_params_len);
> + if (IS_ERR(data))
> + return -EINVAL;
> break;
>
> default:
> @@ -668,6 +781,13 @@ static int nci_rf_intf_activated_ntf_packet(struct nci_dev *ndev,
> }
> }
>
> + if (skb->len < (data - skb->data) +
> + sizeof(ntf.data_exch_rf_tech_and_mode) +
> + sizeof(ntf.data_exch_tx_bit_rate) +
> + sizeof(ntf.data_exch_rx_bit_rate) +
> + sizeof(ntf.activation_params_len))
> + return -EINVAL;
> +
> ntf.data_exch_rf_tech_and_mode = *data++;
> ntf.data_exch_tx_bit_rate = *data++;
> ntf.data_exch_rx_bit_rate = *data++;
> @@ -679,6 +799,9 @@ static int nci_rf_intf_activated_ntf_packet(struct nci_dev *ndev,
> pr_debug("data_exch_rx_bit_rate 0x%x\n", ntf.data_exch_rx_bit_rate);
> pr_debug("activation_params_len %d\n", ntf.activation_params_len);
>
> + if (skb->len < (data - skb->data) + ntf.activation_params_len)
> + return -EINVAL;
> +
> if (ntf.activation_params_len > 0) {
> switch (ntf.rf_interface) {
> case NCI_RF_INTERFACE_ISO_DEP:


Best regards,
Krzysztof