From: Simon Horman <horms@kernel.org>
To: "Lekë Hapçiu" <snowwlake@icloud.com>
Cc: netdev@vger.kernel.org, linux-nfc@lists.01.org,
davem@davemloft.net, kuba@kernel.org,
krzysztof.kozlowski@linaro.org, stable@vger.kernel.org
Subject: Re: [PATCH] nfc: llcp: fix missing return after LLCP_CLOSED check in recv_hdlc and recv_disc
Date: Thu, 9 Apr 2026 17:45:27 +0100
Message-ID: <20260409164527.GP469338@kernel.org>
In-Reply-To: <20260405164158.1344049-1-snowwlake@icloud.com>
On Sun, Apr 05, 2026 at 06:41:58PM +0200, Lekë Hapçiu wrote:
> From: Lekë Hapçiu <framemain@outlook.com>
>
> nfc_llcp_recv_hdlc() and nfc_llcp_recv_disc() both call
> nfc_llcp_sock_get() (which increments the socket reference count) and
> lock_sock() before processing incoming PDUs. When the socket is found
> to be in state LLCP_CLOSED both functions correctly call release_sock()
> and nfc_llcp_sock_put() to undo those operations, but are missing a
> return statement:
>
>     lock_sock(sk);
>     if (sk->sk_state == LLCP_CLOSED) {
>         release_sock(sk);
>         nfc_llcp_sock_put(llcp_sock);
>         /* ← return missing */
>     }
>     /* Falls through with lock released and reference dropped */
>     ...
>     release_sock(sk);             /* double unlock */
>     nfc_llcp_sock_put(llcp_sock); /* double put → refcount underflow */
>
> The fall-through causes three independent bugs:
>
> 1. Use-after-free: all llcp_sock field accesses after the LLCP_CLOSED
> block occur with the socket lock released and the reference dropped;
> another CPU may free the socket concurrently.
>
> 2. Double release_sock: sk_lock.owned is already 0 — LOCKDEP reports
> "WARNING: suspicious unlock balance detected".
>
> 3. Double nfc_llcp_sock_put: the refcount is decremented a second time
> at the end of the function, potentially driving it below zero
> (refcount_t underflow), corrupting the SLUB freelist and causing a
> subsequent use-after-free or double-free.
>
> Both functions are reachable from any NFC P2P peer within physical
> proximity (~4 cm) without hostile NFCC firmware:
> - nfc_llcp_recv_hdlc: triggered by sending an LLCP I, RR, or RNR PDU
> to a SAP pair whose connection has been torn down.
> - nfc_llcp_recv_disc: triggered by sending an LLCP DISC PDU to a SAP
> pair that is already in LLCP_CLOSED state.
>
> Fix: add the missing return statement in both functions so that the
> LLCP_CLOSED branch exits after cleanup.
>
> Fixes: Introduced with nfc_llcp_recv_hdlc / nfc_llcp_recv_disc
> Signed-off-by: Lekë Hapçiu <framemain@outlook.com>
Curiously, this seems to duplicate this patch:
- [PATCH net] nfc: llcp: add missing return after LLCP_CLOSED checks
https://lore.kernel.org/all/20260408081006.3723-1-qjx1298677004@gmail.com/
--
pw-bot: changes-requested
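As an added illustration of the fall-through described in the quoted commit message (constructed model code, not the patch or the kernel's own sources): a minimal C stand-in for the socket, its lock and its reference count, with the handler written once in its buggy shape and once with the patch's return. The names lock_sock, release_sock, nfc_llcp_sock_get and nfc_llcp_sock_put are borrowed from the commit message; their bodies here are assumptions that only count the violations LOCKDEP and refcount_t would report.

```c
#include <stdbool.h>

/* Constructed stand-ins for the kernel objects named in the quoted commit
 * message: a socket with an "owned" lock flag and a reference count. */
enum { LLCP_CLOSED, LLCP_CONNECTED };

struct llcp_sock {
	int sk_state;
	int refcount;          /* the caller's own reference keeps this >= 1 */
	bool lock_owned;
	int unlock_imbalance;  /* release_sock() with no matching lock_sock() */
	bool freed;            /* refcount reached zero under the caller's feet */
};

static void lock_sock(struct llcp_sock *s) { s->lock_owned = true; }
static void release_sock(struct llcp_sock *s)
{
	if (!s->lock_owned) s->unlock_imbalance++; /* LOCKDEP: unlock imbalance */
	s->lock_owned = false;
}
static void nfc_llcp_sock_get(struct llcp_sock *s) { s->refcount++; }
static void nfc_llcp_sock_put(struct llcp_sock *s)
{
	if (--s->refcount <= 0) s->freed = true;   /* one put too many frees early */
}

/* Handler shape from the commit message. With fixed == false the
 * LLCP_CLOSED branch cleans up but falls through to the common cleanup;
 * with fixed == true it returns, which is the patch's one-line change. */
static void recv_pdu(struct llcp_sock *s, bool fixed)
{
	nfc_llcp_sock_get(s);
	lock_sock(s);
	if (s->sk_state == LLCP_CLOSED) {
		release_sock(s);
		nfc_llcp_sock_put(s);
		if (fixed)
			return;
	}
	/* ... PDU processing on an unlocked, possibly freed socket ... */
	release_sock(s);         /* double unlock when falling through */
	nfc_llcp_sock_put(s);    /* double put when falling through */
}

/* Runs the handler on a socket the caller still holds one reference to
 * and returns how many lock/refcount violations the model observed. */
static int violations(int state, bool fixed)
{
	struct llcp_sock s = { .sk_state = state, .refcount = 1 };
	recv_pdu(&s, fixed);
	return s.unlock_imbalance + (s.freed ? 1 : 0);
}
```

On a closed socket the unfixed shape records one unlock imbalance and one premature free (two violations), while the fixed shape and the connected-socket path record none.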