On 27/02/2023 16:05, Fedor Pchelkin wrote:

quoted

quoted

Fixes: 5ce3f32b5264 ("NFC: netlink: SE API implementation")
Reported-by: syzbot+df64c0a2e8d68e78a4fa@syzkaller.appspotmail.com
Signed-off-by: Fedor Pchelkin <redacted>
Signed-off-by: Alexey Khoroshilov <redacted>

SoB order is a bit odd. Who is the author?

The author is me (Fedor). I thought the authorship is expressed with the
first Signed-off-by line, isn't it?

Yes and since you are sending it, then what is Alexey's Sob for? The
tags are in order...

quoted

quoted

---
 drivers/nfc/st-nci/se.c   | 6 ++++++
 drivers/nfc/st21nfca/se.c | 6 ++++++
 net/nfc/netlink.c         | 4 ++++
 3 files changed, 16 insertions(+)

diff --git a/drivers/nfc/st-nci/se.c b/drivers/nfc/st-nci/se.c
index ec87dd21e054..b2f1ced8e6dd 100644
--- a/drivers/nfc/st-nci/se.c
+++ b/drivers/nfc/st-nci/se.c

@@ -672,6 +672,12 @@ int st_nci_se_io(struct nci_dev *ndev, u32 se_idx,
 					ST_NCI_EVT_TRANSMIT_DATA, apdu,
 					apdu_length)

nci_hci_send_event() should also free it in its error paths.
nci_data_exchange_complete() as well? Who eventually frees it? These
might be separate patches.

nci_hci_send_event(), as I can see, should not free the callback context.
I should have probably better explained that in the commit info (will
include this in the patch v2), but the main thing is: nfc_se_io() is
called with se_io_cb callback function as an argument and that callback is 
the exact place where an allocated se_io_ctx context should be freed. And
it is actually freed there unless some error path happens that leads the

Exactly, so why nci_hci_send_event() error path should not free it?

timer which triggers this se_io_cb callback not to be charged at all.

Best regards,
Krzysztof