Date: Sat, 20 Jun 2026 10:29:18 +0100
From: David Laight
To: Runyu Xiao
Cc: Krzysztof Kozlowski, netdev@vger.kernel.org, Samuel Ortiz, Christophe Ricard, linux-kernel@vger.kernel.org, Jianhao Xu, stable@vger.kernel.org
Subject: Re: [PATCH net] nfc: st-nci: use unaligned accessors for frame length
Message-ID: <20260620102918.7f3e0eb9@pumpkin>
In-Reply-To: <20260620090536.1701282-1-runyu.xiao@seu.edu.cn>
References: <20260620090536.1701282-1-runyu.xiao@seu.edu.cn>
X-Mailer: Claws Mail 4.1.1 (GTK 3.24.38; arm-unknown-linux-gnueabihf)
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, 20 Jun 2026 17:05:36 +0800 Runyu Xiao wrote:
> The ST NCI I2C and SPI transports parse a frame length from bytes
> received from the controller. Both paths first read the frame header into
> a local u8 buffer and then cast buf + 2 to __be16 * before converting it
> from big endian.

Then align the local buffer.

	David

>
> These are transport byte buffers, not __be16 objects. Use
> get_unaligned_be16() for the NCI frame length field in both the I2C and
> SPI transports.
>
> This issue was detected by our static analysis tool and confirmed by
> manual audit. A focused UBSAN alignment validation kept the original
> access shape, be16_to_cpu(*(__be16 *)(buf + 2)), and ran it on an NCI
> frame byte buffer with buf + 2 at an odd address. UBSAN reported a
> misaligned-access load of type '__be16', and the trace contained
> st_nci_i2c_read().
>
> The driver has the same source-level issue: the transport helpers fill
> u8 buffers, and the length checks only prove that the bytes are present.
> They do not establish a __be16 object at buf + 2 or a 2-byte alignment
> guarantee before the typed load.
>
> Fixes: ed06aeefdac3 ("nfc: st-nci: Rename st21nfcb to st-nci")
> Fixes: 2bc4d4f8c8f3 ("nfc: st-nci: Add spi phy support for st21nfcb")
> Cc: stable@vger.kernel.org
> Signed-off-by: Runyu Xiao > --- > drivers/nfc/st-nci/i2c.c | 3 ++- > drivers/nfc/st-nci/spi.c | 3 ++- > 2 files changed, 4 insertions(+), 2 deletions(-) > > diff --git a/drivers/nfc/st-nci/i2c.c b/drivers/nfc/st-nci/i2c.c > index 9ae839a6f5cc..29fdb4ae56e0 100644 > --- a/drivers/nfc/st-nci/i2c.c > +++ b/drivers/nfc/st-nci/i2c.c > @@ -14,6 +14,7 @@ > #include > #include > #include > +#include > > #include "st-nci.h" > > @@ -120,7 +121,7 @@ static int st_nci_i2c_read(struct st_nci_i2c_phy *phy, > if (r != ST_NCI_I2C_MIN_SIZE) > return -EREMOTEIO; > > - len = be16_to_cpu(*(__be16 *) (buf + 2)); > + len = get_unaligned_be16(buf + 2); > if (len > ST_NCI_I2C_MAX_SIZE) { > nfc_err(&client->dev, "invalid frame len\n"); > return -EBADMSG; > diff --git a/drivers/nfc/st-nci/spi.c b/drivers/nfc/st-nci/spi.c > index 169eacc0a32a..1326c20e43fc 100644 > --- a/drivers/nfc/st-nci/spi.c > +++ b/drivers/nfc/st-nci/spi.c > @@ -14,6 +14,7 @@ > #include > #include > #include > +#include > #include > > #include "st-nci.h" > @@ -130,7 +131,7 @@ static int st_nci_spi_read(struct st_nci_spi_phy *phy, > if (r < 0) > return -EREMOTEIO; > > - len = be16_to_cpu(*(__be16 *) (buf + 2)); > + len = get_unaligned_be16(buf + 2); > if (len > ST_NCI_SPI_MAX_SIZE) { > nfc_err(&dev->dev, "invalid frame len\n"); > phy->ndlc->hard_fault = 1;
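Review bot: the header name on the `+#include` line of the i2c.c include hunk has been stripped from this quoted copy, so it cannot be checked here; with Cc: stable and Fixes tags reaching back to the st21nfcb rename and the SPI phy addition, the header chosen has to exist in every stable tree this is backported to (get_unaligned_be16() moved from asm/unaligned.h to linux/unaligned.h in newer kernels), so please name the include used or call out the backport difference below the ---.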
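Review bot: in the st_nci_i2c_read() hunk the replacement `len = get_unaligned_be16(buf + 2);` is the right accessor for a u8[] transport buffer, and the following `if (len > ST_NCI_I2C_MAX_SIZE)` bound is unchanged, which is correct for a Fixes patch; now that the typed cast no longer hints at the layout, a one-line comment saying bytes 2-3 carry the big-endian frame length would keep the `buf + 2` offset from reading as a magic number.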
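Review bot: same question for the spi.c include hunk, where the added header name is likewise not visible; note also that the new line is inserted before the last existing `#include` here but appended after the last one in i2c.c, so check that both placements follow the alphabetical ordering each file already uses.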
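Review bot: not changed by this patch but visible in the st_nci_spi_read() context: on an over-length frame the SPI path sets `phy->ndlc->hard_fault = 1;` whereas the I2C hunk's context returns -EBADMSG straight after nfc_err(); if the asymmetry is intentional a short comment would help, otherwise it belongs in a separate follow-up rather than this stable fix.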
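The frame-length parse the hunks touch, rebuilt in user-space C as an added example (not code from the patch or the st-nci driver): the length is read byte-wise in the get_unaligned_be16() shape and the header is placed so that buf + 2 lands on an odd address, as in the UBSAN run the commit message describes. HDR_SIZE, MAX_FRAME, the error codes and the frame bytes are assumed or constructed stand-ins, not the driver's values.

```c
#include <stddef.h>
#include <stdint.h>

#define HDR_SIZE    4    /* assumed: header bytes read before the length check */
#define LEN_OFFSET  2    /* from the patch: the length field sits at buf + 2 */
#define MAX_FRAME   250  /* assumed: stands in for ST_NCI_I2C/SPI_MAX_SIZE */

enum { ERR_SHORT = -1, ERR_TOO_LONG = -2 };  /* mirror -EREMOTEIO / -EBADMSG */

/* User-space equivalent of get_unaligned_be16(): assemble the value from two
 * bytes, so the load is valid at any address, odd ones included. */
static uint16_t get_unaligned_be16_u(const uint8_t *p)
{
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* Same shape as the driver's read path: require the header, read the length,
 * bound it.  The pre-patch form, be16_to_cpu(*(__be16 *)(buf + 2)), treats
 * buf + 2 as a 2-byte-aligned __be16 object, which a u8[] never promises. */
static int parse_frame_len(const uint8_t *buf, size_t got)
{
    if (got < HDR_SIZE)
        return ERR_SHORT;
    unsigned int len = get_unaligned_be16_u(buf + LEN_OFFSET);
    if (len > MAX_FRAME)
        return ERR_TOO_LONG;
    return (int)len;
}

/* Reproduce the layout the commit message's UBSAN run used: a frame buffer
 * whose length field lands at an odd address.  storage is 2-byte aligned and
 * the frame starts one byte in, so buf + LEN_OFFSET is odd by construction. */
static int length_at_odd_address(void)
{
    /* Constructed header bytes: two leading bytes, then 0x00 0x10 = 16. */
    static _Alignas(2) uint8_t storage[1 + HDR_SIZE] = { 0, 0x03, 0x2f, 0x00, 0x10 };
    const uint8_t *buf = storage + 1;

    if (((uintptr_t)(buf + LEN_OFFSET) & 1u) == 0)
        return -100;  /* not odd: the construction failed, flag it */
    return parse_frame_len(buf, HDR_SIZE);  /* returns 16 */
}
```

Building with -fsanitize=alignment and replacing the body of get_unaligned_be16_u() with a `*(const uint16_t *)p` load makes the sanitizer report a misaligned load on the odd address this constructs, the same class of report the commit message quotes.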