linux-stable.git/net/nfc, branch v3.15.2 Linux kernel stable tree net: Fix use after free by removing length arg from sk_data_ready callbacks. 2014-04-11T20:15:36+00:00 David S. Miller davem@davemloft.net 2014-04-11T20:15:36+00:00 676d23690fb62b5d51ba5d659935e9f7d9da9f8e Several spots in the kernel perform a sequence like: skb_queue_tail(&sk->s_receive_queue, skb); sk->sk_data_ready(sk, skb->len); But at the moment we place the SKB onto the socket receive queue it can be consumed and freed up. So this skb->len access is potentially to freed up memory. Furthermore, the skb->len can be modified by the consumer so it is possible that the value isn't accurate. And finally, no actual implementation of this callback actually uses the length argument. And since nobody actually cared about it's value, lots of call sites pass arbitrary values in such as '0' and even '1'. So just remove the length argument from the callback, that way there is no confusion whatsoever and all of these use-after-free cases get fixed as a side effect. Based upon a patch by Eric Dumazet and his suggestion to audit this issue tree-wide. Signed-off-by: David S. Miller <davem@davemloft.net> 
Several spots in the kernel perform a sequence like:

	skb_queue_tail(&sk->s_receive_queue, skb);
	sk->sk_data_ready(sk, skb->len);

But at the moment we place the SKB onto the socket receive queue it
can be consumed and freed up.  So this skb->len access is potentially
to freed up memory.

Furthermore, the skb->len can be modified by the consumer so it is
possible that the value isn't accurate.

And finally, no actual implementation of this callback actually uses
the length argument.  And since nobody actually cared about it's
value, lots of call sites pass arbitrary values in such as '0' and
even '1'.

So just remove the length argument from the callback, that way there
is no confusion whatsoever and all of these use-after-free cases get
fixed as a side effect.

Based upon a patch by Eric Dumazet and his suggestion to audit this
issue tree-wide.

Signed-off-by: David S. Miller <davem@davemloft.net>
Merge tag 'nfc-next-3.15-1' of git://git.kernel.org/pub/scm/linux/kernel/git/sameo/nfc-next 2014-03-17T17:16:50+00:00 John W. Linville linville@tuxdriver.com 2014-03-17T17:16:50+00:00 20d83f2464c0d1e27b24d654aa5495dcc44759c0 Samuel Ortiz <sameo@linux.intel.com> says: "NFC: 3.15: First pull request This is the NFC pull request for 3.15. With this one we have: - Support for ISO 15693 a.k.a. NFC vicinity a.k.a. Type 5 tags. ISO 15693 are long range (1 - 2 meters) vicinity tags/cards. The kernel now supports those through the NFC netlink and digital APIs. - Support for TI's trf7970a chipset. This chipset relies on the NFC digital layer and the driver currently supports type 2, 4A and 5 tags. - Support for NXP's pn544 secure firmare download. The pn544 C3 chipsets relies on a different firmware download protocal than the C2 one. We now support both and use the right one depending on the version we detect at runtime. - Support for 4A tags from the NFC digital layer. - A bunch of cleanups and minor fixes from Axel Lin and Thierry Escande." Signed-off-by: John W. Linville <linville@tuxdriver.com> 
Samuel Ortiz <sameo@linux.intel.com> says:

"NFC: 3.15: First pull request

This is the NFC pull request for 3.15. With this one we have:

- Support for ISO 15693 a.k.a. NFC vicinity a.k.a. Type 5 tags. ISO
  15693 are long range (1 - 2 meters) vicinity tags/cards. The kernel
  now supports those through the NFC netlink and digital APIs.

- Support for TI's trf7970a chipset. This chipset relies on the NFC
  digital layer and the driver currently supports type 2, 4A and 5 tags.

- Support for NXP's pn544 secure firmare download. The pn544 C3 chipsets
  relies on a different firmware download protocal than the C2 one. We
  now support both and use the right one depending on the version we
  detect at runtime.

- Support for 4A tags from the NFC digital layer.

- A bunch of cleanups and minor fixes from Axel Lin and Thierry Escande."

Signed-off-by: John W. Linville <linville@tuxdriver.com>
NFC: llcp: Use list_for_each_entry in nfc_llcp_find_local() 2014-03-14T19:19:08+00:00 Axel Lin axel.lin@ingics.com 2014-02-26T02:26:45+00:00 29e27dd86b5c4f8e6feb62d7b6a8491539ff1ef1 nfc_llcp_find_local() does not modify any list entry while iterating the list. So use list_for_each_entry instead of list_for_each_entry_safe. Signed-off-by: Axel Lin <axel.lin@ingics.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com> 
nfc_llcp_find_local() does not modify any list entry while iterating the list.
So use list_for_each_entry instead of list_for_each_entry_safe.

Signed-off-by: Axel Lin <axel.lin@ingics.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: Move checking valid gb_len value to nfc_llcp_set_remote_gb 2014-03-14T19:19:08+00:00 Axel Lin axel.lin@ingics.com 2014-02-25T01:18:10+00:00 3143a4ca610d6a3de0d8814ee6f5f7da6fc7fbfa This checking is common for all caller, so move the checking to one place. Signed-off-by: Axel Lin <axel.lin@ingics.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com> 
This checking is common for all caller, so move the checking to one place.

Signed-off-by: Axel Lin <axel.lin@ingics.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: Remove redundant test for dev->n_targets in nfc_find_target 2014-03-14T19:19:08+00:00 Axel Lin axel.lin@ingics.com 2014-02-24T13:04:30+00:00 365a721adbdfe5f6577a66b9b74c12dc98fbb4a3 Without this test, it returns NULL if dev->n_targets is 0 anyway. Signed-off-by: Axel Lin <axel.lin@ingics.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com> 
Without this test, it returns NULL if dev->n_targets is 0 anyway.

Signed-off-by: Axel Lin <axel.lin@ingics.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: digital: Rename Type V tags to Type 5 tags 2014-03-10T23:40:59+00:00 Mark A. Greer mgreer@animalcreek.com 2014-03-06T14:39:19+00:00 ceeee42d85b4c91b16b6019e69c584589b72be04 According to the latest draft specification from the NFC-V committee, ISO/IEC 15693 tags will be referred to as "Type 5" tags and not "Type V" tags anymore. Make the code reflect the new terminology. Signed-off-by: Mark A. Greer <mgreer@animalcreek.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com> 
According to the latest draft specification from
the NFC-V committee, ISO/IEC 15693 tags will be
referred to as "Type 5" tags and not "Type V"
tags anymore.  Make the code reflect the new
terminology.

Signed-off-by: Mark A. Greer <mgreer@animalcreek.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: Use LIST_HEAD() at appropriate places 2014-02-23T22:34:09+00:00 Axel Lin axel.lin@ingics.com 2014-02-22T14:14:18+00:00 0b51fc5633df563695f5021bc121a9df20b3eb14 Signed-off-by: Axel Lin <axel.lin@ingics.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com> 
Signed-off-by: Axel Lin <axel.lin@ingics.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: digital: Use matching_[im|tm]_protocols to check with NFC protocols masks 2014-02-23T22:34:09+00:00 Axel Lin axel.lin@ingics.com 2014-02-22T02:16:11+00:00 4f913d4631fa9c47320669b2e7ec62fa7436719d This ensures we won't add polling function to the table of polling technologies for non-supported protocols. Signed-off-by: Axel Lin <axel.lin@ingics.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com> 
This ensures we won't add polling function to the table of polling technologies
for non-supported protocols.

Signed-off-by: Axel Lin <axel.lin@ingics.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: Use list_for_each_entry in nfc_find_se() 2014-02-23T22:32:18+00:00 Axel Lin axel.lin@ingics.com 2014-02-14T11:29:19+00:00 156cef80f2a1aea4f150dff5d990e8fbbd96d862 nfc_find_se() does not modify any list entry while iterating the list. So use list_for_each_entry instead of list_for_each_entry_safe. Signed-off-by: Axel Lin <axel.lin@ingics.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com> 
nfc_find_se() does not modify any list entry while iterating the list.
So use list_for_each_entry instead of list_for_each_entry_safe.

Signed-off-by: Axel Lin <axel.lin@ingics.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
NFC: NCI: Use reinit_completion() at appropriate places 2014-02-23T22:32:18+00:00 Axel Lin axel.lin@ingics.com 2014-02-13T05:25:48+00:00 9bec44bf0bcd623b5ea48ae1ce44205260ad4b77 Calling init_completion() once is enough. Then use reinit_completion() instead in __nci_request() and nci_spi_send(). Signed-off-by: Axel Lin <axel.lin@ingics.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com> 
Calling init_completion() once is enough.
Then use reinit_completion() instead in __nci_request() and nci_spi_send().

Signed-off-by: Axel Lin <axel.lin@ingics.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>