* [syzbot] [net?] [nfc?] KMSAN: uninit-value in nci_dev_up (2)
From: syzbot @ 2025-08-07 17:05 UTC
To: davem, edumazet, horms, krzk, kuba, linux-kernel, netdev, pabeni,
syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 89748acdf226 Merge tag 'drm-next-2025-08-01' of https://gi..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=165cfcf0580000
kernel config: https://syzkaller.appspot.com/x/.config?x=7ff65239b4835001
dashboard link: https://syzkaller.appspot.com/bug?extid=740e04c2a93467a0f8c8
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10b88042580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=115cfcf0580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/ce090dd92dc2/disk-89748acd.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/32b5903a7759/vmlinux-89748acd.xz
kernel image: https://storage.googleapis.com/syzbot-assets/dc68a867773d/bzImage-89748acd.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+740e04c2a93467a0f8c8@syzkaller.appspotmail.com
=====================================================
BUG: KMSAN: uninit-value in nci_init_req net/nfc/nci/core.c:177 [inline]
BUG: KMSAN: uninit-value in __nci_request net/nfc/nci/core.c:108 [inline]
BUG: KMSAN: uninit-value in nci_open_device net/nfc/nci/core.c:521 [inline]
BUG: KMSAN: uninit-value in nci_dev_up+0x13a2/0x1ba0 net/nfc/nci/core.c:632
nci_init_req net/nfc/nci/core.c:177 [inline]
__nci_request net/nfc/nci/core.c:108 [inline]
nci_open_device net/nfc/nci/core.c:521 [inline]
nci_dev_up+0x13a2/0x1ba0 net/nfc/nci/core.c:632
nfc_dev_up+0x201/0x3d0 net/nfc/core.c:118
nfc_genl_dev_up+0xe9/0x1c0 net/nfc/netlink.c:775
genl_family_rcv_msg_doit+0x335/0x3f0 net/netlink/genetlink.c:1115
genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
genl_rcv_msg+0xacf/0xc10 net/netlink/genetlink.c:1210
netlink_rcv_skb+0x54a/0x680 net/netlink/af_netlink.c:2552
genl_rcv+0x41/0x60 net/netlink/genetlink.c:1219
netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
netlink_unicast+0xf04/0x12b0 net/netlink/af_netlink.c:1346
netlink_sendmsg+0x10b3/0x1250 net/netlink/af_netlink.c:1896
sock_sendmsg_nosec net/socket.c:714 [inline]
__sock_sendmsg+0x333/0x3d0 net/socket.c:729
____sys_sendmsg+0x7e0/0xd80 net/socket.c:2614
___sys_sendmsg+0x271/0x3b0 net/socket.c:2668
__sys_sendmsg net/socket.c:2700 [inline]
__do_sys_sendmsg net/socket.c:2705 [inline]
__se_sys_sendmsg net/socket.c:2703 [inline]
__x64_sys_sendmsg+0x211/0x3e0 net/socket.c:2703
x64_sys_call+0x1dfd/0x3e20 arch/x86/include/generated/asm/syscalls_64.h:47
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was stored to memory at:
------------[ cut here ]------------
WARNING: CPU: 1 PID: 6169 at kernel/stacktrace.c:29 stack_trace_print+0xd4/0xf0 kernel/stacktrace.c:29
Modules linked in:
CPU: 1 UID: 0 PID: 6169 Comm: syz-executor421 Not tainted 6.16.0-syzkaller-10499-g89748acdf226 #0 PREEMPT(none)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:stack_trace_print+0xd4/0xf0 kernel/stacktrace.c:29
Code: 8f bc 03 92 89 de ba 20 00 00 00 4c 89 e1 e8 c3 5d 4d ff 49 83 c6 08 49 ff cd 0f 85 6e ff ff ff eb 0b e8 ff 26 c3 00 eb d4 90 <0f> 0b 90 5b 41 5c 41 5d 41 5e 41 5f 5d e9 9a 33 07 0f cc 66 0f 1f
RSP: 0018:ffff8881343b31c8 EFLAGS: 00010246
RAX: ffff888114afac20 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff8881343b31f0 R08: 0000000000000000 R09: 0000000000000000
R10: ffff888133bb3208 R11: 0000000000000001 R12: 0000000000000000
R13: 00000000abcd0100 R14: 0000000000000000 R15: 0000000000000000
FS: 00007f0c264ae6c0(0000) GS:ffff8881aa9a5000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f0c26531650 CR3: 00000001193c6000 CR4: 00000000003526f0
Call Trace:
<TASK>
kmsan_print_origin+0xb0/0x340 mm/kmsan/report.c:133
kmsan_report+0x1d3/0x320 mm/kmsan/report.c:196
__msan_warning+0x1b/0x30 mm/kmsan/instrumentation.c:315
nci_init_req net/nfc/nci/core.c:177 [inline]
__nci_request net/nfc/nci/core.c:108 [inline]
nci_open_device net/nfc/nci/core.c:521 [inline]
nci_dev_up+0x13a2/0x1ba0 net/nfc/nci/core.c:632
nfc_dev_up+0x201/0x3d0 net/nfc/core.c:118
nfc_genl_dev_up+0xe9/0x1c0 net/nfc/netlink.c:775
genl_family_rcv_msg_doit+0x335/0x3f0 net/netlink/genetlink.c:1115
genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
genl_rcv_msg+0xacf/0xc10 net/netlink/genetlink.c:1210
netlink_rcv_skb+0x54a/0x680 net/netlink/af_netlink.c:2552
genl_rcv+0x41/0x60 net/netlink/genetlink.c:1219
netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
netlink_unicast+0xf04/0x12b0 net/netlink/af_netlink.c:1346
netlink_sendmsg+0x10b3/0x1250 net/netlink/af_netlink.c:1896
sock_sendmsg_nosec net/socket.c:714 [inline]
__sock_sendmsg+0x333/0x3d0 net/socket.c:729
____sys_sendmsg+0x7e0/0xd80 net/socket.c:2614
___sys_sendmsg+0x271/0x3b0 net/socket.c:2668
__sys_sendmsg net/socket.c:2700 [inline]
__do_sys_sendmsg net/socket.c:2705 [inline]
__se_sys_sendmsg net/socket.c:2703 [inline]
__x64_sys_sendmsg+0x211/0x3e0 net/socket.c:2703
x64_sys_call+0x1dfd/0x3e20 arch/x86/include/generated/asm/syscalls_64.h:47
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f0c264f62c9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 01 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f0c264ae218 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f0c2657f368 RCX: 00007f0c264f62c9
RDX: 0000000000000000 RSI: 0000200000000140 RDI: 0000000000000004
RBP: 00007f0c2657f360 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f0c2654c074
R13: 0000200000000150 R14: 00002000000000c0 R15: 0000200000000300
</TASK>
---[ end trace 0000000000000000 ]---
Uninit was stored to memory at:
nci_core_reset_ntf_packet net/nfc/nci/ntf.c:36 [inline]
nci_ntf_packet+0x179d/0x42b0 net/nfc/nci/ntf.c:812
nci_rx_work+0x403/0x750 net/nfc/nci/core.c:1555
process_one_work kernel/workqueue.c:3236 [inline]
process_scheduled_works+0xb8e/0x1d80 kernel/workqueue.c:3319
worker_thread+0xedf/0x1590 kernel/workqueue.c:3400
kthread+0xd5c/0xf00 kernel/kthread.c:464
ret_from_fork+0x1e0/0x310 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Uninit was created at:
slab_post_alloc_hook mm/slub.c:4186 [inline]
slab_alloc_node mm/slub.c:4229 [inline]
kmem_cache_alloc_node_noprof+0x818/0xf00 mm/slub.c:4281
kmalloc_reserve+0x13c/0x4b0 net/core/skbuff.c:578
__alloc_skb+0x347/0x7d0 net/core/skbuff.c:669
alloc_skb include/linux/skbuff.h:1336 [inline]
virtual_ncidev_write+0x6b/0x430 drivers/nfc/virtual_ncidev.c:120
vfs_write+0x463/0x1580 fs/read_write.c:684
ksys_write fs/read_write.c:738 [inline]
__do_sys_write fs/read_write.c:749 [inline]
__se_sys_write fs/read_write.c:746 [inline]
__x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746
x64_sys_call+0x3014/0x3e20 arch/x86/include/generated/asm/syscalls_64.h:2
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
CPU: 1 UID: 0 PID: 6169 Comm: syz-executor421 Tainted: G W 6.16.0-syzkaller-10499-g89748acdf226 #0 PREEMPT(none)
Tainted: [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
=====================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* Forwarded:
From: syzbot @ 2025-09-17 10:45 UTC
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: deepak.takumi.120@gmail.com
#syz test
* Forwarded: Re: [syzbot] [net?] [nfc?] KMSAN: uninit-value in nci_dev_up (2)
From: syzbot @ 2025-09-17 13:13 UTC
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: Re: [syzbot] [net?] [nfc?] KMSAN: uninit-value in nci_dev_up (2)
Author: deepak.takumi.120@gmail.com
#syz test
On Wed, Sep 17, 2025 at 6:40 PM Cortex Auth <deepak.takumi.120@gmail.com> wrote:
>
>
* Forwarded: Re: [syzbot] [net?] [nfc?] KMSAN: uninit-value in nci_dev_up (2)
From: syzbot @ 2025-09-18 16:41 UTC
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: Re: [syzbot] [net?] [nfc?] KMSAN: uninit-value in nci_dev_up (2)
Author: deepak.takumi.120@gmail.com
#syz test
On Wed, Sep 17, 2025 at 7:25 PM syzbot
<syzbot+740e04c2a93467a0f8c8@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot has tested the proposed patch and the reproducer did not trigger any issue:
>
> Reported-by: syzbot+740e04c2a93467a0f8c8@syzkaller.appspotmail.com
> Tested-by: syzbot+740e04c2a93467a0f8c8@syzkaller.appspotmail.com
>
> Tested on:
>
> commit: 5aca7966 Merge tag 'perf-tools-fixes-for-v6.17-2025-09..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=14cd8c7c580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=1b093ccee5a9e08c
> dashboard link: https://syzkaller.appspot.com/bug?extid=740e04c2a93467a0f8c8
> compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
> patch: https://syzkaller.appspot.com/x/patch.diff?x=13dfaf62580000
>
> Note: testing is done by a robot and is best-effort only.
>
> --
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@googlegroups.com.
> To view this discussion visit https://groups.google.com/d/msgid/syzkaller-bugs/68cabdb6.050a0220.3c6139.0fa6.GAE%40google.com.
* Forwarded: Re: [syzbot] [net?] [nfc?] KMSAN: uninit-value in nci_dev_up (2)
From: syzbot @ 2025-09-25 9:11 UTC
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: Re: [syzbot] [net?] [nfc?] KMSAN: uninit-value in nci_dev_up (2)
Author: deepak.takumi.120@gmail.com
#syz test
On Thu, Sep 18, 2025 at 11:29 PM syzbot
<syzbot+740e04c2a93467a0f8c8@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot has tested the proposed patch and the reproducer did not trigger any issue:
>
> Reported-by: syzbot+740e04c2a93467a0f8c8@syzkaller.appspotmail.com
> Tested-by: syzbot+740e04c2a93467a0f8c8@syzkaller.appspotmail.com
>
> Tested on:
>
> commit: 86cc796e Merge tag 'for-linus' of git://git.kernel.org..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=13d94712580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=1b093ccee5a9e08c
> dashboard link: https://syzkaller.appspot.com/bug?extid=740e04c2a93467a0f8c8
> compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
> patch: https://syzkaller.appspot.com/x/patch.diff?x=162bdf62580000
>
> Note: testing is done by a robot and is best-effort only.
>
* Forwarded: Re: [PATCH net v6] net: nfc: nci: Fix parameter validation for packet data
From: syzbot @ 2026-02-18 8:46 UTC
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: Re: [PATCH net v6] net: nfc: nci: Fix parameter validation for packet data
Author: krzk@kernel.org
On 18/02/2026 09:30, Michael Thalmeier wrote:
> Since commit 9c328f54741b ("net: nfc: nci: Add parameter validation for
> packet data") communication with nci nfc chips is not working any more.
>
> The mentioned commit tries to fix access of uninitialized data, but
> failed to understand that in some cases the data packet is of variable
> length and can therefore not be compared to the maximum packet length
> given by the sizeof(struct).
>
> Fixes: 9c328f54741b ("net: nfc: nci: Add parameter validation for packet data")
Reported-by: syzbot+740e04c2a93467a0f8c8@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=740e04c2a93467a0f8c8
#syz unfix
> Cc: stable@vger.kernel.org
> Signed-off-by: Michael Thalmeier <michael.thalmeier@hale.at>
> ---
> v6:
> - use ssize_t for data_len parameter to guard against underflows
> - omit unneeded data_len decrements at the end of the functions
>
> v5:
> - also check helper functions in nci_extract_rf_params_nfcf_passive_listen
> and nci_rf_discover_ntf_packet
>
> v4:
> - formatting fixes
>
> v3:
> - perform complete checks
> - replace magic numbers with offsetofend and sizeof
>
> v2:
> - Reference correct commit hash
>
> ---
> net/nfc/nci/ntf.c | 159 ++++++++++++++++++++++++++++++++++++++++------
> 1 file changed, 141 insertions(+), 18 deletions(-)
>
> diff --git a/net/nfc/nci/ntf.c b/net/nfc/nci/ntf.c
> index 418b84e2b260..c96512bb8653 100644
> --- a/net/nfc/nci/ntf.c
> +++ b/net/nfc/nci/ntf.c
> @@ -58,7 +58,7 @@ static int nci_core_conn_credits_ntf_packet(struct nci_dev *ndev,
> struct nci_conn_info *conn_info;
> int i;
>
> - if (skb->len < sizeof(struct nci_core_conn_credit_ntf))
> + if (skb->len < offsetofend(struct nci_core_conn_credit_ntf, num_entries))
> return -EINVAL;
>
> ntf = (struct nci_core_conn_credit_ntf *)skb->data;
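Review bot: relaxing the minimum from sizeof(struct nci_core_conn_credit_ntf) to offsetofend(struct nci_core_conn_credit_ntf, num_entries) is only safe because the per-entry bound added a few lines further down covers conn_entries[]; a one-line comment at this check saying so would stop a later reader from restoring the sizeof() form and re-introducing the regression the commit message describes.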
> @@ -68,6 +68,10 @@ static int nci_core_conn_credits_ntf_packet(struct nci_dev *ndev,
> if (ntf->num_entries > NCI_MAX_NUM_CONN)
> ntf->num_entries = NCI_MAX_NUM_CONN;
>
> + if (skb->len < offsetofend(struct nci_core_conn_credit_ntf, num_entries) +
> + ntf->num_entries * sizeof(struct conn_credit_entry))
> + return -EINVAL;
> +
> /* update the credits */
> for (i = 0; i < ntf->num_entries; i++) {
> ntf->conn_entries[i].conn_id =
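Review bot: the new bound offsetofend(struct nci_core_conn_credit_ntf, num_entries) + ntf->num_entries * sizeof(struct conn_credit_entry) assumes conn_entries[] starts right after num_entries with no padding; struct_size(ntf, conn_entries, ntf->num_entries) expresses the same bound from the real offset of the flexible array and is the idiomatic helper for it. Note also that the check runs after the clamp to NCI_MAX_NUM_CONN, so a packet declaring more entries than the maximum but carrying enough bytes for NCI_MAX_NUM_CONN of them is silently truncated rather than rejected; worth deciding whether an over-declared count should now be -EINVAL like the other malformed cases.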
> @@ -138,23 +142,48 @@ static int nci_core_conn_intf_error_ntf_packet(struct nci_dev *ndev,
> static const __u8 *
> nci_extract_rf_params_nfca_passive_poll(struct nci_dev *ndev,
> struct rf_tech_specific_params_nfca_poll *nfca_poll,
> - const __u8 *data)
> + const __u8 *data, ssize_t data_len)
> {
> + /* Check if we have enough data for sens_res (2 bytes) */
> + if (data_len < 2)
> + return ERR_PTR(-EINVAL);
> +
> nfca_poll->sens_res = __le16_to_cpu(*((__le16 *)data));
> data += 2;
> + data_len -= 2;
> +
> + /* Check if we have enough data for nfcid1_len (1 byte) */
> + if (data_len < 1)
> + return ERR_PTR(-EINVAL);
>
> nfca_poll->nfcid1_len = min_t(__u8, *data++, NFC_NFCID1_MAXSIZE);
> + data_len--;
>
> pr_debug("sens_res 0x%x, nfcid1_len %d\n",
> nfca_poll->sens_res, nfca_poll->nfcid1_len);
>
> + /* Check if we have enough data for nfcid1 */
> + if (data_len < nfca_poll->nfcid1_len)
> + return ERR_PTR(-EINVAL);
> +
> memcpy(nfca_poll->nfcid1, data, nfca_poll->nfcid1_len);
> data += nfca_poll->nfcid1_len;
> + data_len -= nfca_poll->nfcid1_len;
> +
> + /* Check if we have enough data for sel_res_len (1 byte) */
> + if (data_len < 1)
> + return ERR_PTR(-EINVAL);
>
> nfca_poll->sel_res_len = *data++;
> + data_len--;
> +
> + if (nfca_poll->sel_res_len != 0) {
> + /* Check if we have enough data for sel_res (1 byte) */
> + if (data_len < 1)
> + return ERR_PTR(-EINVAL);
>
> - if (nfca_poll->sel_res_len != 0)
> nfca_poll->sel_res = *data++;
> + }
>
> pr_debug("sel_res_len %d, sel_res 0x%x\n",
> nfca_poll->sel_res_len,
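Review bot: nfcid1_len is clamped with min_t() to NFC_NFCID1_MAXSIZE before the new `if (data_len < nfca_poll->nfcid1_len)` check, and data then advances by the clamped value, so for a packet declaring nfcid1_len above the maximum the walk stays inside the buffer but falls out of step with the wire layout: sel_res_len is read from inside the sender's nfcid1 bytes. Now that the helper can fail, returning ERR_PTR(-EINVAL) for a declared length above NFC_NFCID1_MAXSIZE is simpler and keeps the returned position honest. Minor, since the line is being touched anyway: `*((__le16 *)data)` dereferences an arbitrary skb offset as __le16; get_unaligned_le16(data) is the usual form.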
> @@ -166,12 +195,21 @@ nci_extract_rf_params_nfca_passive_poll(struct nci_dev *ndev,
> static const __u8 *
> nci_extract_rf_params_nfcb_passive_poll(struct nci_dev *ndev,
> struct rf_tech_specific_params_nfcb_poll *nfcb_poll,
> - const __u8 *data)
> + const __u8 *data, ssize_t data_len)
> {
> + /* Check if we have enough data for sensb_res_len (1 byte) */
> + if (data_len < 1)
> + return ERR_PTR(-EINVAL);
> +
> nfcb_poll->sensb_res_len = min_t(__u8, *data++, NFC_SENSB_RES_MAXSIZE);
> + data_len--;
>
> pr_debug("sensb_res_len %d\n", nfcb_poll->sensb_res_len);
>
> + /* Check if we have enough data for sensb_res */
> + if (data_len < nfcb_poll->sensb_res_len)
> + return ERR_PTR(-EINVAL);
> +
> memcpy(nfcb_poll->sensb_res, data, nfcb_poll->sensb_res_len);
> data += nfcb_poll->sensb_res_len;
>
> @@ -181,14 +219,29 @@ nci_extract_rf_params_nfcb_passive_poll(struct nci_dev *ndev,
> static const __u8 *
> nci_extract_rf_params_nfcf_passive_poll(struct nci_dev *ndev,
> struct rf_tech_specific_params_nfcf_poll *nfcf_poll,
> - const __u8 *data)
> + const __u8 *data, ssize_t data_len)
> {
> + /* Check if we have enough data for bit_rate (1 byte) */
> + if (data_len < 1)
> + return ERR_PTR(-EINVAL);
> +
> nfcf_poll->bit_rate = *data++;
> + data_len--;
> +
> + /* Check if we have enough data for sensf_res_len (1 byte) */
> + if (data_len < 1)
> + return ERR_PTR(-EINVAL);
> +
> nfcf_poll->sensf_res_len = min_t(__u8, *data++, NFC_SENSF_RES_MAXSIZE);
> + data_len--;
>
> pr_debug("bit_rate %d, sensf_res_len %d\n",
> nfcf_poll->bit_rate, nfcf_poll->sensf_res_len);
>
> + /* Check if we have enough data for sensf_res */
> + if (data_len < nfcf_poll->sensf_res_len)
> + return ERR_PTR(-EINVAL);
> +
> memcpy(nfcf_poll->sensf_res, data, nfcf_poll->sensf_res_len);
> data += nfcf_poll->sensf_res_len;
>
> @@ -198,22 +251,49 @@ nci_extract_rf_params_nfcf_passive_poll(struct nci_dev *ndev,
> static const __u8 *
> nci_extract_rf_params_nfcv_passive_poll(struct nci_dev *ndev,
> struct rf_tech_specific_params_nfcv_poll *nfcv_poll,
> - const __u8 *data)
> + const __u8 *data, ssize_t data_len)
> {
> + /* Skip 1 byte (reserved) */
> + if (data_len < 1)
> + return ERR_PTR(-EINVAL);
> +
> ++data;
> + data_len--;
> +
> + /* Check if we have enough data for dsfid (1 byte) */
> + if (data_len < 1)
> + return ERR_PTR(-EINVAL);
> +
> nfcv_poll->dsfid = *data++;
> + data_len--;
> +
> + /* Check if we have enough data for uid (8 bytes) */
> + if (data_len < NFC_ISO15693_UID_MAXSIZE)
> + return ERR_PTR(-EINVAL);
> +
> memcpy(nfcv_poll->uid, data, NFC_ISO15693_UID_MAXSIZE);
> data += NFC_ISO15693_UID_MAXSIZE;
> +
> return data;
> }
>
> static const __u8 *
> nci_extract_rf_params_nfcf_passive_listen(struct nci_dev *ndev,
> struct rf_tech_specific_params_nfcf_listen *nfcf_listen,
> - const __u8 *data)
> + const __u8 *data, ssize_t data_len)
> {
> + /* Check if we have enough data for local_nfcid2_len (1 byte) */
> + if (data_len < 1)
> + return ERR_PTR(-EINVAL);
> +
> nfcf_listen->local_nfcid2_len = min_t(__u8, *data++,
> NFC_NFCID2_MAXSIZE);
> + data_len--;
> +
> + /* Check if we have enough data for local_nfcid2 */
> + if (data_len < nfcf_listen->local_nfcid2_len)
> + return ERR_PTR(-EINVAL);
> +
> memcpy(nfcf_listen->local_nfcid2, data, nfcf_listen->local_nfcid2_len);
> data += nfcf_listen->local_nfcid2_len;
>
> @@ -364,7 +444,7 @@ static int nci_rf_discover_ntf_packet(struct nci_dev *ndev,
> const __u8 *data;
> bool add_target = true;
>
> - if (skb->len < sizeof(struct nci_rf_discover_ntf))
> + if (skb->len < offsetofend(struct nci_rf_discover_ntf, rf_tech_specific_params_len))
> return -EINVAL;
>
> data = skb->data;
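Review bot: offsetofend(struct nci_rf_discover_ntf, rf_tech_specific_params_len) is a host-struct offset used as a wire length; it equals the fixed NCI header only if no padding precedes that field in the struct. That holds for consecutive __u8 members, but it is an implicit contract, so a BUILD_BUG_ON against the header length the NCI spec defines, or a short comment, would pin it. The same applies to the nci_rf_intf_activated_ntf check later in the patch.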
> @@ -380,26 +460,42 @@ static int nci_rf_discover_ntf_packet(struct nci_dev *ndev,
> pr_debug("rf_tech_specific_params_len %d\n",
> ntf.rf_tech_specific_params_len);
>
> + if (skb->len < (data - skb->data) +
> + ntf.rf_tech_specific_params_len + sizeof(ntf.ntf_type))
> + return -EINVAL;
> +
> if (ntf.rf_tech_specific_params_len > 0) {
> switch (ntf.rf_tech_and_mode) {
> case NCI_NFC_A_PASSIVE_POLL_MODE:
> data = nci_extract_rf_params_nfca_passive_poll(ndev,
> - &(ntf.rf_tech_specific_params.nfca_poll), data);
> + &(ntf.rf_tech_specific_params.nfca_poll), data,
> + ntf.rf_tech_specific_params_len);
> + if (IS_ERR(data))
> + return PTR_ERR(data);
> break;
>
> case NCI_NFC_B_PASSIVE_POLL_MODE:
> data = nci_extract_rf_params_nfcb_passive_poll(ndev,
> - &(ntf.rf_tech_specific_params.nfcb_poll), data);
> + &(ntf.rf_tech_specific_params.nfcb_poll), data,
> + ntf.rf_tech_specific_params_len);
> + if (IS_ERR(data))
> + return PTR_ERR(data);
> break;
>
> case NCI_NFC_F_PASSIVE_POLL_MODE:
> data = nci_extract_rf_params_nfcf_passive_poll(ndev,
> - &(ntf.rf_tech_specific_params.nfcf_poll), data);
> + &(ntf.rf_tech_specific_params.nfcf_poll), data,
> + ntf.rf_tech_specific_params_len);
> + if (IS_ERR(data))
> + return PTR_ERR(data);
> break;
>
> case NCI_NFC_V_PASSIVE_POLL_MODE:
> data = nci_extract_rf_params_nfcv_passive_poll(ndev,
> - &(ntf.rf_tech_specific_params.nfcv_poll), data);
> + &(ntf.rf_tech_specific_params.nfcv_poll), data,
> + ntf.rf_tech_specific_params_len);
> + if (IS_ERR(data))
> + return PTR_ERR(data);
> break;
>
> default:
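Review bot: the new outer check guarantees that rf_tech_specific_params_len bytes plus sizeof(ntf.ntf_type) fit in the skb, but after the switch `data` is wherever the helper left it, which can be short of the declared params length (the helpers stop after their last field, and the min_t() clamps shorten the walk). Where the helper consumed fewer bytes than declared, ntf_type is then read from inside the params blob instead of from the byte after it. Saving `params_start = data` before the switch and re-basing with `data = params_start + ntf.rf_tech_specific_params_len;` afterwards makes the position independent of how much the helper consumed. Also, here helper failures return PTR_ERR(data) while nci_rf_intf_activated_ntf_packet returns -EINVAL for the same helpers; one convention would be better.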
> @@ -596,7 +692,7 @@ static int nci_rf_intf_activated_ntf_packet(struct nci_dev *ndev,
> const __u8 *data;
> int err = NCI_STATUS_OK;
>
> - if (skb->len < sizeof(struct nci_rf_intf_activated_ntf))
> + if (skb->len < offsetofend(struct nci_rf_intf_activated_ntf, rf_tech_specific_params_len))
> return -EINVAL;
>
> data = skb->data;
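Review bot: once the minimum only covers the struct up to rf_tech_specific_params_len, every field copied out of `data` before the params (including rf_interface and activation_rf_tech_and_mode used in the next hunk) is protected by this check only if all of them precede rf_tech_specific_params_len in the struct; please confirm that ordering in the struct definition, since the NFCEE_DIRECT path jumps past all later bounds.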
> @@ -628,26 +724,41 @@ static int nci_rf_intf_activated_ntf_packet(struct nci_dev *ndev,
> if (ntf.rf_interface == NCI_RF_INTERFACE_NFCEE_DIRECT)
> goto listen;
>
> + if (skb->len < (data - skb->data) + ntf.rf_tech_specific_params_len)
> + return -EINVAL;
> +
> if (ntf.rf_tech_specific_params_len > 0) {
> switch (ntf.activation_rf_tech_and_mode) {
> case NCI_NFC_A_PASSIVE_POLL_MODE:
> data = nci_extract_rf_params_nfca_passive_poll(ndev,
> - &(ntf.rf_tech_specific_params.nfca_poll), data);
> + &(ntf.rf_tech_specific_params.nfca_poll), data,
> + ntf.rf_tech_specific_params_len);
> + if (IS_ERR(data))
> + return -EINVAL;
> break;
>
> case NCI_NFC_B_PASSIVE_POLL_MODE:
> data = nci_extract_rf_params_nfcb_passive_poll(ndev,
> - &(ntf.rf_tech_specific_params.nfcb_poll), data);
> + &(ntf.rf_tech_specific_params.nfcb_poll), data,
> + ntf.rf_tech_specific_params_len);
> + if (IS_ERR(data))
> + return -EINVAL;
> break;
>
> case NCI_NFC_F_PASSIVE_POLL_MODE:
> data = nci_extract_rf_params_nfcf_passive_poll(ndev,
> - &(ntf.rf_tech_specific_params.nfcf_poll), data);
> + &(ntf.rf_tech_specific_params.nfcf_poll), data,
> + ntf.rf_tech_specific_params_len);
> + if (IS_ERR(data))
> + return -EINVAL;
> break;
>
> case NCI_NFC_V_PASSIVE_POLL_MODE:
> data = nci_extract_rf_params_nfcv_passive_poll(ndev,
> - &(ntf.rf_tech_specific_params.nfcv_poll), data);
> + &(ntf.rf_tech_specific_params.nfcv_poll), data,
> + ntf.rf_tech_specific_params_len);
> + if (IS_ERR(data))
> + return -EINVAL;
> break;
>
> case NCI_NFC_A_PASSIVE_LISTEN_MODE:
> @@ -657,7 +768,9 @@ static int nci_rf_intf_activated_ntf_packet(struct nci_dev *ndev,
> case NCI_NFC_F_PASSIVE_LISTEN_MODE:
> data = nci_extract_rf_params_nfcf_passive_listen(ndev,
> &(ntf.rf_tech_specific_params.nfcf_listen),
> - data);
> + data, ntf.rf_tech_specific_params_len);
> + if (IS_ERR(data))
> + return -EINVAL;
> break;
>
> default:
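Review bot: the `goto listen` for NCI_RF_INTERFACE_NFCEE_DIRECT jumps over the new params-length check and the switch, so whatever the listen: label reads from `data` is not covered by any bound added in this hunk; please confirm that path either has its own check or reads nothing further. Also, every IS_ERR() branch here returns -EINVAL whereas nci_rf_discover_ntf_packet returns PTR_ERR(data); PTR_ERR keeps the helper's code if it ever returns something other than -EINVAL, so that is the one to standardise on.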
> @@ -668,6 +781,13 @@ static int nci_rf_intf_activated_ntf_packet(struct nci_dev *ndev,
> }
> }
>
> + if (skb->len < (data - skb->data) +
> + sizeof(ntf.data_exch_rf_tech_and_mode) +
> + sizeof(ntf.data_exch_tx_bit_rate) +
> + sizeof(ntf.data_exch_rx_bit_rate) +
> + sizeof(ntf.activation_params_len))
> + return -EINVAL;
> +
> ntf.data_exch_rf_tech_and_mode = *data++;
> ntf.data_exch_tx_bit_rate = *data++;
> ntf.data_exch_rx_bit_rate = *data++;
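Review bot: the four sizeof() terms are correct, but `skb->len < (data - skb->data) + N` now appears four times in this function; a `remaining` counter recomputed after each advance, or a small `nci_skb_remaining()` style helper, would make each bound a one-liner and remove the chance of one site forgetting a term. Minor.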
> @@ -679,6 +799,9 @@ static int nci_rf_intf_activated_ntf_packet(struct nci_dev *ndev,
> pr_debug("data_exch_rx_bit_rate 0x%x\n", ntf.data_exch_rx_bit_rate);
> pr_debug("activation_params_len %d\n", ntf.activation_params_len);
>
> + if (skb->len < (data - skb->data) + ntf.activation_params_len)
> + return -EINVAL;
> +
> if (ntf.activation_params_len > 0) {
> switch (ntf.rf_interface) {
> case NCI_RF_INTERFACE_ISO_DEP:
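Review bot: this bound only places activation_params_len bytes inside the skb; if the per-interface cases in the switch below (NCI_RF_INTERFACE_ISO_DEP and the rest) decode sub-fields from that blob, they need the same treatment the rf_tech helpers got in this patch, an activation_params_len argument with per-field checks, otherwise the sizeof(struct) versus variable-length mismatch from the Fixes: commit can recur there.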
Best regards,
Krzysztof
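The two halves of this thread meet in the same piece of parsing: the KMSAN report shows nci_core_reset_ntf_packet storing bytes from an skb that virtual_ncidev_write allocated but never fully filled, and the v6 commit message explains why the first fix (comparing skb->len against sizeof(struct)) broke real chips: the wire packet is variable-length and normally shorter than the host struct that holds its maximum-size buffers. The C below is an added example, not code from the kernel or from the patch under review. It models the NFC-A poll parameters inside an RF_DISCOVER_NTF-style frame; the field layout, the constants NFCID1_MAXSIZE, NFC_A_PASSIVE_POLL_MODE and DISCOVER_HDR_LEN, the function names and the sample packets are all assumptions made for the example. It shows a sizeof()-based minimum rejecting a valid packet, while a field-by-field walk against the remaining length accepts it, rejects a truncated or over-long one, and refuses a frame whose declared params length the inner walk does not fully account for (the desync case raised against the discover hunk above).

```c
/* Added example, not code from the kernel or from the patch under review.
 * Models NFC-A passive poll params (sens_res(2) nfcid1_len(1) nfcid1(n)
 * sel_res_len(1) [sel_res(1)]) inside an RF_DISCOVER_NTF-style frame
 * (id(1) proto(1) mode(1) params_len(1) params ntf_type(1)); constants,
 * names and sample packets are assumptions made for the example. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NFCID1_MAXSIZE          10   /* assumed, like NFC_NFCID1_MAXSIZE */
#define NFC_A_PASSIVE_POLL_MODE 0x00 /* assumed, like NCI_NFC_A_PASSIVE_POLL_MODE */
#define DISCOVER_HDR_LEN        4

struct nfca_poll {
	uint16_t sens_res;
	uint8_t nfcid1_len;
	uint8_t nfcid1[NFCID1_MAXSIZE];
	uint8_t sel_res_len;
	uint8_t sel_res;
};

/* Field-by-field walk against the remaining length: every read is checked
 * first, and a declared length above the buffer capacity is rejected rather
 * than clamped, so the walk never drifts from the wire layout. */
int parse_nfca_fields(const uint8_t *data, size_t len, struct nfca_poll *out,
		      size_t *consumed)
{
	size_t pos = 3;			/* sens_res(2) + nfcid1_len(1) */

	memset(out, 0, sizeof(*out));
	if (len < pos)
		return -EINVAL;
	out->sens_res = (uint16_t)(data[0] | (data[1] << 8));	/* le16 */
	out->nfcid1_len = data[2];
	/* nfcid1 itself plus the sel_res_len byte that always follows it */
	if (out->nfcid1_len > NFCID1_MAXSIZE || len - pos < out->nfcid1_len + 1u)
		return -EINVAL;
	memcpy(out->nfcid1, data + pos, out->nfcid1_len);
	pos += out->nfcid1_len;
	out->sel_res_len = data[pos++];
	if (out->sel_res_len != 0) {
		if (len - pos < 1)
			return -EINVAL;
		out->sel_res = data[pos++];
	}
	*consumed = pos;
	return 0;
}

/* The regression pattern: a minimum taken from sizeof() of a host struct
 * that holds maximum-size buffers, so a well-formed short packet is refused. */
int parse_nfca_strict(const uint8_t *data, size_t len, struct nfca_poll *out)
{
	size_t consumed;

	if (len < sizeof(struct nfca_poll))
		return -EINVAL;
	return parse_nfca_fields(data, len, out, &consumed);
}

/* Outer frame: bound the params blob and the trailing ntf_type first, then
 * require the inner walk to account for exactly params_len bytes so that
 * ntf_type is never read from inside the blob. */
int parse_rf_discover_ntf(const uint8_t *pkt, size_t len,
			  struct nfca_poll *poll, uint8_t *ntf_type)
{
	size_t params_len, consumed = 0;

	if (len < DISCOVER_HDR_LEN)
		return -EINVAL;
	params_len = pkt[3];
	if (len < DISCOVER_HDR_LEN + params_len + 1)
		return -EINVAL;
	if (params_len > 0) {
		if (pkt[2] != NFC_A_PASSIVE_POLL_MODE)
			return -EOPNOTSUPP;
		if (parse_nfca_fields(pkt + DISCOVER_HDR_LEN, params_len,
				      poll, &consumed) || consumed != params_len)
			return -EINVAL;
	}
	*ntf_type = pkt[DISCOVER_HDR_LEN + params_len];
	return 0;
}

/* Constructed sample packets, not captured from hardware. */
const uint8_t sample_params_ok[] = {
	0x04, 0x00, 0x04, 0xde, 0xad, 0xbe, 0xef, 0x01, 0x20 };
const uint8_t sample_ntf_ok[] = { 0x01, 0x04, 0x00, 0x09,
	0x04, 0x00, 0x04, 0xde, 0xad, 0xbe, 0xef, 0x01, 0x20, 0x02 };
const uint8_t sample_ntf_overdeclared[] = { 0x01, 0x04, 0x00, 0x0b,
	0x04, 0x00, 0x04, 0xde, 0xad, 0xbe, 0xef, 0x01, 0x20, 0x00, 0x00, 0x02 };
struct nfca_poll scratch_poll; size_t scratch_consumed; uint8_t scratch_ntf_type;

int main(void)
{
	printf("sizeof() minimum: %d, field walk: %d, over-declared frame: %d\n",
	       parse_nfca_strict(sample_params_ok, sizeof(sample_params_ok), &scratch_poll),
	       parse_nfca_fields(sample_params_ok, sizeof(sample_params_ok),
				 &scratch_poll, &scratch_consumed),
	       parse_rf_discover_ntf(sample_ntf_overdeclared, sizeof(sample_ntf_overdeclared),
				     &scratch_poll, &scratch_ntf_type));
	return 0;
}
```

The design choice that differs from the kernel helpers is deliberate: a declared length above the buffer capacity is an error here, not a min_t() clamp, and the outer parser compares the inner walk's consumed count with the declared params_len rather than trusting the returned pointer, so a malformed packet fails closed instead of leaving the parse position somewhere inside the sender's data.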