Re: [PATCH net v2] nfc: nci: fix uninit-value in the RF discover/activated NTF handlers

[David Heidelberg]

On 26/06/2026 11:03, Samuel Page wrote:
> nci_rf_discover_ntf_packet() and nci_rf_intf_activated_ntf_packet() each
> parse a notification into an on-stack struct (nci_rf_discover_ntf /
> nci_rf_intf_activated_ntf) that is not initialised. The RF
> technology-specific parameters are only extracted when
> rf_tech_specific_params_len is non-zero, so a notification that reports a
> zero length leaves the rf_tech_specific_params union uninitialised - and
> both handlers then pass it to nci_add_new_protocol(), which reads it:
>
>   - discover:  nci_add_new_target() -> nci_add_new_protocol();
>   - activated: nci_target_auto_activated() -> nci_add_new_protocol().
>
> nci_add_new_protocol() uses nfca_poll->nfcid1_len as both a branch
> condition and a memcpy() length and copies nfcid1/sens_res/sel_res into
> ndev->targets, which is later exposed to user space via NFC_CMD_GET_TARGET.
>
>    BUG: KMSAN: uninit-value in nci_add_new_protocol+0x624/0x6c0
>     nci_add_new_protocol+0x624/0x6c0
>     nci_ntf_packet+0x25b2/0x3c30
>     nci_rx_work+0x318/0x5d0
>     process_scheduled_works+0x84b/0x17a0
>     worker_thread+0xc10/0x11b0
>     kthread+0x376/0x500
>    Local variable ntf.i created at:
>     nci_ntf_packet+0xbc2/0x3c30
>
> Zero-initialise both on-stack notifications so the union reads back as
> zero when no technology-specific parameters are present.
>
> Fixes: 019c4fbaa790 ("NFC: Add NCI multiple targets support")
> Fixes: e8c0dacd9836 ("NFC: Update names and structs to NCI spec 1.0 d18")
> Link: https://lore.kernel.org/netdev/20260623172109.1105965-2-horms@xxxxxxxxxx/
> Cc: stable@xxxxxxxxxxxxxxx
> Assisted-by: Bynario AI

Hello Samuel,

the fix look good, may I ask you to follow the Assisted-by syntax as requested 
in [1]?

Thank you
David

[1] https://docs.kernel.org/process/coding-assistants.html

> Signed-off-by: Samuel Page <sam@xxxxxxxx>
> ---
> v2: Drop the inaccurate activation_params / NFC_ATTR_TARGET_ATS scenario
>      from the commit message. No code change; the ntf = {} fix is unchanged.
>
>   net/nfc/nci/ntf.c | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)

[...]