From: Simon Horman <horms@kernel.org>
To: sam@bynar.io
Cc: Simon Horman <horms@kernel.org>,
david@ixit.cz, davem@davemloft.net, edumazet@google.com,
kuba@kernel.org, pabeni@redhat.com, oe-linux-nfc@lists.linux.dev,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
stable@vger.kernel.org
Subject: Re: [PATCH net] nfc: nci: fix uninit-value in the RF discover/activated NTF handlers
Date: Thu, 25 Jun 2026 10:18:29 +0100
Message-ID: <20260625091828.1170615-2-horms@kernel.org>
In-Reply-To: <20260623234126.214667-1-sam@bynar.io>
This is an AI-generated review of your patch. The human sending this
email has considered the AI review valid, or at least plausible.
Full review at: https://netdev-ai.bots.linux.dev/sashiko/
---
nfc: nci: fix uninit-value in the RF discover/activated NTF handlers
This zero-initialises the on-stack nci_rf_discover_ntf and
nci_rf_intf_activated_ntf structs in the RF discover and interface
activated NTF handlers so that the technology- and activation-specific
unions read back as zero when the corresponding length fields are zero.
Link: https://lore.kernel.org/netdev/20260623172109.1105965-2-horms@kernel.org/
> - activated: with rf_tech_specific_params_len == 0 the same union is read
> via nci_target_auto_activated(); with activation_params_len == 0 the
> activation_params union is read by nci_store_ats_nfc_iso_dep() into
> ndev->target_ats.
[Low]
Does the third scenario in this paragraph match the code?
Looking at nci_store_ats_nfc_iso_dep():
    static int nci_store_ats_nfc_iso_dep(struct nci_dev *ndev,
                                         const struct nci_rf_intf_activated_ntf *ntf)
    {
            ndev->target_ats_len = 0;
            if (ntf->activation_params_len <= 0)
                    return NCI_STATUS_OK;
            if (ntf->activation_params.nfca_poll_iso_dep.rats_res_len > NFC_ATS_MAXSIZE) {
            ...
The function returns NCI_STATUS_OK before any access to the
activation_params union when activation_params_len is 0, so the union
is not read in that case.
The sibling nci_store_general_bytes_nfc_dep() has the same early return
on activation_params_len <= 0.
The two rf_tech_specific_params_len == 0 cases listed earlier in the
commit message do match the code (nci_add_new_protocol() and
nci_target_auto_activated() unconditionally pass
&ntf.rf_tech_specific_params even when rf_tech_specific_params_len is
0), and the KMSAN trace quoted in the commit message only mentions the
nci_add_new_protocol() path.
The ntf = {} change still looks correct and necessary for the
rf_tech_specific_params union. Could the third bullet be dropped or
adjusted so the commit message reflects only the paths that actually
read uninitialised bytes?
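The pattern the review describes, as an added stand-alone illustration that is not code from the patch or from the kernel: a simplified, assumed layout of the RF discover NTF whose parser fills the technology-specific union only when the length byte is non-zero, a consumer that reads the union regardless (the nci_add_new_protocol() situation), and the zero-initialisation the patch adds, which makes the rf_tech_specific_params_len == 0 case read back as zero.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define NCI_MAX_PARAMS 16

/* Simplified stand-ins for the kernel structs: assumed layouts, not the real ones. */
union rf_tech_specific_params {
	struct { uint16_t sens_res; uint8_t nfcid1_len; uint8_t nfcid1[10]; } nfca_poll;
	uint8_t raw[NCI_MAX_PARAMS];
};

struct rf_discover_ntf {
	uint8_t rf_discovery_id, rf_protocol, rf_tech_and_mode;
	uint8_t rf_tech_specific_params_len;
	union rf_tech_specific_params rf_tech_specific_params;
};

/* Parse the NTF payload; the union is written only when the length byte is non-zero. */
static int parse_rf_discover_ntf(const uint8_t *data, size_t len, struct rf_discover_ntf *ntf)
{
	if (len < 4)
		return -1;
	ntf->rf_discovery_id = data[0]; ntf->rf_protocol = data[1];
	ntf->rf_tech_and_mode = data[2]; ntf->rf_tech_specific_params_len = data[3];
	if (ntf->rf_tech_specific_params_len > NCI_MAX_PARAMS ||
	    len < 4u + ntf->rf_tech_specific_params_len)
		return -1;
	if (ntf->rf_tech_specific_params_len > 0)
		memcpy(ntf->rf_tech_specific_params.raw, data + 4, ntf->rf_tech_specific_params_len);
	return 0;
}

/* Consumer that reads the whole union regardless of the length field (the nci_add_new_protocol() path). */
static unsigned int sum_tech_params(const struct rf_discover_ntf *ntf)
{
	unsigned int sum = 0;
	for (size_t i = 0; i < NCI_MAX_PARAMS; i++)
		sum += ntf->rf_tech_specific_params.raw[i];
	return sum;
}

/* Handler with the fix applied: zero-initialised ntf, so the union is 0 when the length is 0. */
unsigned int handle_rf_discover_ntf(const uint8_t *data, size_t len)
{
	struct rf_discover_ntf ntf = { 0 }; /* standard-C spelling of the patch's ntf = {} */
	if (parse_rf_discover_ntf(data, len, &ntf))
		return 0xFFFFFFFFu; /* malformed payload (constructed error value) */
	return sum_tech_params(&ntf);
}
```

Without the zero-initialiser the len == 0 path returns whatever stack bytes happen to sit under the union, which is exactly what KMSAN flags as an uninit-value.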
Thread overview: 3+ messages
2026-06-23 23:41 [PATCH net] nfc: nci: fix uninit-value in the RF discover/activated NTF handlers Samuel Page
2026-06-25 9:18 ` Simon Horman [this message]
2026-06-25 10:04 ` Sam P