[REGRESSION] NFC broken on Thinkpad T14 Gen since 9c328f5

[REGRESSION] NFC broken on Thinkpad T14 Gen since 9c328f5

[Lukas K.]

Hi All,

from 6.17.2 to 6.17.3, the integrated NFC reader (driver: nxp-nci_i2c) 
in the Thinkpad T14 Gen 4 (AMD) stopped detecting tags. This can be 
tested by running

sudo nfctool -1 -p -d nfc0

Looking at the commits between 6.17.2 and 6.17.3, 9c328f5 (net: nfc: 
nci: Add parameter validation for packet data) was the only one related 
to NFC.

To see if that commit indeed was the culprit, I reverted it on 6.18.7 
and nfctool is detecting tags again.

Since the offending commit merely adds some bounds checks, the root 
cause may very well be in another driver in the NFC stack.

Best Regards,

Lukas

Re: [REGRESSION] NFC broken on Thinkpad T14 Gen since 9c328f5

[Thorsten Leemhuis]

On 2/6/26 16:15, Lukas K. wrote:
> 
> from 6.17.2 to 6.17.3, the integrated NFC reader (driver: nxp-nci_i2c)
> in the Thinkpad T14 Gen 4 (AMD) stopped detecting tags. This can be
> tested by running
> 
> sudo nfctool -1 -p -d nfc0
> 
> Looking at the commits between 6.17.2 and 6.17.3, 9c328f5 (net: nfc:
> nci: Add parameter validation for packet data) was the only one related
> to NFC.
> 
> To see if that commit indeed was the culprit, I reverted it on 6.18.7
> and nfctool is detecting tags again.
> 
> Since the offending commit merely adds some bounds checks, the root
> cause may very well be in another driver in the NFC stack.

Thx for the report. Seems Michael (now CCed) also ran into problems and
tried to fix them, but looks like that effort stalled; but might be good
to know if this fixes your problem, too:

https://lore.kernel.org/all/20260112124819.171028-1-michael.thalmeier@hale.at/

Anyway: Given that the regressions seems to be known for a weeks now
without a fix forthcoming I wonder if we should revert the culprit, as
we are way past what Linus wants to see in a situation like this (see
the "within a week" part in
https://lore.kernel.org/all/CAHk-=wi86AosXs66-yi54+mpQjPu0upxB8ZAfG+LsMyJmcuMSA@mail.gmail.com/
).

Ciao, Thorsten

Re: [REGRESSION] NFC broken on Thinkpad T14 Gen since 9c328f5

[Lukas K.]

On 06.02.26 17:24, Thorsten Leemhuis wrote:
> On 2/6/26 16:15, Lukas K. wrote:
>>
>> from 6.17.2 to 6.17.3, the integrated NFC reader (driver: nxp-nci_i2c)
>> in the Thinkpad T14 Gen 4 (AMD) stopped detecting tags. This can be
>> tested by running
>>
>> sudo nfctool -1 -p -d nfc0
>>
>> Looking at the commits between 6.17.2 and 6.17.3, 9c328f5 (net: nfc:
>> nci: Add parameter validation for packet data) was the only one related
>> to NFC.
>>
>> To see if that commit indeed was the culprit, I reverted it on 6.18.7
>> and nfctool is detecting tags again.
>>
>> Since the offending commit merely adds some bounds checks, the root
>> cause may very well be in another driver in the NFC stack.
> 
> Thx for the report. Seems Michael (now CCed) also ran into problems and
> tried to fix them, but looks like that effort stalled; but might be good
> to know if this fixes your problem, too:
> 
> https://lore.kernel.org/all/20260112124819.171028-1-michael.thalmeier@hale.at/

Hi Thorsten,

thanks for the pointer. Tried the patch you linked to and it works for me.

Don't know how to reply to the linked mail as I'm new to LKML, but one 
thing caught my eye:

 > static const __u8 *
 > nci_extract_rf_params_nfca_passive_poll(struct nci_dev *ndev,
 >                                        struct 
rf_tech_specific_params_nfca_poll *nfca_poll,
 >-                                       const __u8 *data)
 >+                                       const __u8 *data, size_t data_len)
 > {
 >+       /* Check if we have enough data for sens_res (2 bytes) */
 >+       if (data_len < 2)
 >+               return ERR_PTR(-EINVAL);
 >+
 >        nfca_poll->sens_res = __le16_to_cpu(*((__le16 *)data));
 >        data += 2;
 >+       data_len -= 2;
 >+
 >+       /* Check if we have enough data for nfcid1_len (1 byte) */
 >+       if (data_len < 1)
 >+               return ERR_PTR(-EINVAL);

If data_len underflows at any point it'll wrap to some large value and 
the less than comparisons will yield an incorrect result. Using ssize_t 
should fix that.

Best Regards,

Lukas

Re: [REGRESSION] NFC broken on Thinkpad T14 Gen since 9c328f5

[Andrew Lunn]

On Sat, Feb 07, 2026 at 01:25:29AM +0100, Lukas K. wrote:
> On 06.02.26 17:24, Thorsten Leemhuis wrote:
> > On 2/6/26 16:15, Lukas K. wrote:
> > > 
> > > from 6.17.2 to 6.17.3, the integrated NFC reader (driver: nxp-nci_i2c)
> > > in the Thinkpad T14 Gen 4 (AMD) stopped detecting tags. This can be
> > > tested by running
> > > 
> > > sudo nfctool -1 -p -d nfc0
> > > 
> > > Looking at the commits between 6.17.2 and 6.17.3, 9c328f5 (net: nfc:
> > > nci: Add parameter validation for packet data) was the only one related
> > > to NFC.
> > > 
> > > To see if that commit indeed was the culprit, I reverted it on 6.18.7
> > > and nfctool is detecting tags again.
> > > 
> > > Since the offending commit merely adds some bounds checks, the root
> > > cause may very well be in another driver in the NFC stack.
> > 
> > Thx for the report. Seems Michael (now CCed) also ran into problems and
> > tried to fix them, but looks like that effort stalled; but might be good
> > to know if this fixes your problem, too:
> > 
> > https://lore.kernel.org/all/20260112124819.171028-1-michael.thalmeier@hale.at/
> 
> Hi Thorsten,
> 
> thanks for the pointer. Tried the patch you linked to and it works for me.
> 
> Don't know how to reply to the linked mail as I'm new to LKML, but one thing
> caught my eye:

If you look at the page you will see:

Message-ID: <20260112124819.171028-1-michael.thalmeier@hale.at>

You can take the message ID and give it to b4:

$ b4 mbox 20260112124819.171028-1-michael.thalmeier@hale.at
Looking up https://lore.kernel.org/r/20260112124819.171028-1-michael.thalmeier%40hale.at
Grabbing thread from lore.kernel.org/all
2 messages in the thread
Saved ./20260112124819.171028-1-michael.thalmeier@hale.at.mbx

You can then open
20260112124819.171028-1-michael.thalmeier@hale.at.mbx in a mail client
as a mailbox and hit group reply to one of the messages.

    Andrew

Re: [REGRESSION] NFC broken on Thinkpad T14 Gen since 9c328f5

[Jakub Kicinski]

On Sat, 7 Feb 2026 01:25:29 +0100 Lukas K. wrote:
>  > static const __u8 *
>  > nci_extract_rf_params_nfca_passive_poll(struct nci_dev *ndev,
>  >                                        struct rf_tech_specific_params_nfca_poll *nfca_poll,
>  >-                                       const __u8 *data)
>  >+                                       const __u8 *data, size_t data_len)
>  > {
>  >+       /* Check if we have enough data for sens_res (2 bytes) */
>  >+       if (data_len < 2)
>  >+               return ERR_PTR(-EINVAL);
>  >+
>  >        nfca_poll->sens_res = __le16_to_cpu(*((__le16 *)data));
>  >        data += 2;
>  >+       data_len -= 2;
>  >+
>  >+       /* Check if we have enough data for nfcid1_len (1 byte) */
>  >+       if (data_len < 1)
>  >+               return ERR_PTR(-EINVAL);  
> 
> If data_len underflows at any point it'll wrap to some large value and 
> the less than comparisons will yield an incorrect result. Using ssize_t 
> should fix that.

Could you make this modification and repost the patch?

Keep the original author, since Michael wrote most of the code,
just add your Signed-off-by at the end.