* [PATCH 1/1] nfc: llcp: fix use-after-free in llcp_sock_release()
From: Lee Jones @ 2026-04-28 11:22 UTC
To: lee, David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
Simon Horman, Kees Cook, netdev, linux-kernel
llcp_sock_release() unconditionally unlinks the socket from the local
sockets list. However, if the socket is still in connecting state, it
is on the connecting list.
Fix this by checking the socket state and unlinking from the correct list.
Signed-off-by: Lee Jones <lee@kernel.org>
---
net/nfc/llcp_sock.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c
index f1be1e84f6653..feab29fc62f44 100644
--- a/net/nfc/llcp_sock.c
+++ b/net/nfc/llcp_sock.c
@@ -633,6 +633,8 @@ static int llcp_sock_release(struct socket *sock)
if (sock->type == SOCK_RAW)
nfc_llcp_sock_unlink(&local->raw_sockets, sk);
+ else if (sk->sk_state == LLCP_CONNECTING)
+ nfc_llcp_sock_unlink(&local->connecting_sockets, sk);
else
nfc_llcp_sock_unlink(&local->sockets, sk);
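Review bot: the new `else if (sk->sk_state == LLCP_CONNECTING)` branch keys the unlink on sk_state, but nothing in the hunk's context shows what serialises that read against the connect path moving the socket between connecting_sockets and sockets; if the state can change between this check and nfc_llcp_sock_unlink() the socket is once more unlinked from the wrong list, which is exactly the condition the subject calls a use-after-free. Worth naming the lock in the commit message (or in a comment above the check) so a reader can see that the check and the unlink run under it, and spelling out how a socket left on connecting_sockets is later dereferenced, since the description only says it sits on the wrong list.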
--
2.54.0.545.g6539524ca2-goog
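The failure the commit message describes, as an added user-space C model that is not part of the patch or of the kernel tree: three intrusive lists stand in for local->sockets, local->connecting_sockets and local->raw_sockets, and two release routines reproduce the before and after shape of the hunk. The struct, enum and function names (model_sock, sock_list, release_before, release_after) are stand-ins chosen for this example, not kernel definitions, and it assumes, as the message states, that the connect path links a CONNECTING socket onto connecting_sockets. The scan that looks for the freed address compares pointer values only and never dereferences the freed node, so the model itself stays free of undefined behaviour while still showing the dangling link.

```c
/* Added example, not kernel code: a user-space model of the per-adapter
 * socket lists in net/nfc/llcp_sock.c and of the release path the patch
 * changes. All names below are stand-ins chosen for this example. */
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

enum sock_type  { MODEL_SOCK_STREAM = 1, MODEL_SOCK_RAW = 3 };   /* assumed */
enum sock_state { MODEL_CLOSED, MODEL_CONNECTING, MODEL_CONNECTED }; /* assumed */

struct model_sock {
    enum sock_type  type;
    enum sock_state state;
    struct model_sock *next;   /* intrusive singly linked list link */
};

struct sock_list { struct model_sock *head; };

/* Mirrors local->sockets, local->connecting_sockets, local->raw_sockets. */
struct model_local {
    struct sock_list sockets;
    struct sock_list connecting_sockets;
    struct sock_list raw_sockets;
};

static void sock_link(struct sock_list *l, struct model_sock *sk)
{
    sk->next = l->head;
    l->head = sk;
}

/* Remove sk from l if present; false means it was not on that list. */
static bool sock_unlink(struct sock_list *l, struct model_sock *sk)
{
    struct model_sock **pp;
    for (pp = &l->head; *pp; pp = &(*pp)->next) {
        if (*pp == sk) {
            *pp = sk->next;
            sk->next = NULL;
            return true;
        }
    }
    return false;
}

/* Address-only scan: returns before touching the node it matches, so it is
 * safe to ask whether an already freed address is still linked. */
static bool list_holds_addr(const struct sock_list *l, uintptr_t addr)
{
    const struct model_sock *p;
    for (p = l->head; p; p = p->next)
        if ((uintptr_t)p == addr)
            return true;
    return false;
}

/* Release as before the patch: everything that is not raw is assumed to be
 * on local->sockets, so a CONNECTING socket is never unlinked. */
static bool release_before(struct model_local *local, struct model_sock *sk)
{
    bool found = (sk->type == MODEL_SOCK_RAW)
                     ? sock_unlink(&local->raw_sockets, sk)
                     : sock_unlink(&local->sockets, sk);
    free(sk);   /* memory goes away whether or not the unlink found it */
    return found;
}

/* Release as after the patch: CONNECTING sockets come off connecting_sockets. */
static bool release_after(struct model_local *local, struct model_sock *sk)
{
    bool found;
    if (sk->type == MODEL_SOCK_RAW)
        found = sock_unlink(&local->raw_sockets, sk);
    else if (sk->state == MODEL_CONNECTING)
        found = sock_unlink(&local->connecting_sockets, sk);
    else
        found = sock_unlink(&local->sockets, sk);
    free(sk);
    return found;
}

/* Build a socket, link it where the connect/bind path would, release it and
 * report whether any list still holds the freed address: that stale link is
 * what a later list walk would dereference (the use-after-free). */
bool release_leaves_dangling(enum sock_type type, enum sock_state state,
                             bool patched)
{
    struct model_local local;
    struct model_sock *sk = calloc(1, sizeof(*sk));
    uintptr_t addr;

    if (!sk)
        abort();
    memset(&local, 0, sizeof(local));
    sk->type = type;
    sk->state = state;
    if (type == MODEL_SOCK_RAW)
        sock_link(&local.raw_sockets, sk);
    else if (state == MODEL_CONNECTING)
        sock_link(&local.connecting_sockets, sk);   /* as the connect path does */
    else
        sock_link(&local.sockets, sk);

    addr = (uintptr_t)sk;
    if (patched)
        release_after(&local, sk);
    else
        release_before(&local, sk);
    /* sk is freed now: only its former address is used from here on */
    return list_holds_addr(&local.sockets, addr) ||
           list_holds_addr(&local.connecting_sockets, addr) ||
           list_holds_addr(&local.raw_sockets, addr);
}

int main(void)
{
    bool bug = release_leaves_dangling(MODEL_SOCK_STREAM, MODEL_CONNECTING, false);
    bool ok  = !release_leaves_dangling(MODEL_SOCK_STREAM, MODEL_CONNECTING, true);
    return (bug && ok) ? 0 : 1;
}
```

Running the unpatched path on a stream socket in CONNECTING state leaves its freed address on connecting_sockets; the patched path unlinks it first, and both paths already handle raw and fully connected sockets correctly, which is why only the CONNECTING case needed the extra branch.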
* [PATCH 1/1] nfc: llcp: fix use-after-free in llcp_sock_release()
From: Lee Jones @ 2026-04-29 13:22 UTC
To: lee, David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
Simon Horman, Kees Cook, netdev, linux-kernel
llcp_sock_release() unconditionally unlinks the socket from the local
sockets list. However, if the socket is still in connecting state, it
is on the connecting list.
Fix this by checking the socket state and unlinking from the correct list.
Signed-off-by: Lee Jones <lee@kernel.org>
---
net/nfc/llcp_sock.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c
index f1be1e84f6653..feab29fc62f44 100644
--- a/net/nfc/llcp_sock.c
+++ b/net/nfc/llcp_sock.c
@@ -633,6 +633,8 @@ static int llcp_sock_release(struct socket *sock)
if (sock->type == SOCK_RAW)
nfc_llcp_sock_unlink(&local->raw_sockets, sk);
+ else if (sk->sk_state == LLCP_CONNECTING)
+ nfc_llcp_sock_unlink(&local->connecting_sockets, sk);
else
nfc_llcp_sock_unlink(&local->sockets, sk);
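Review bot: a patch whose subject says "fix use-after-free" needs a Fixes: tag naming the commit that introduced the bug, so stable can pick it up; the trailer block above the --- carries only the Signed-off-by, and the reply below asks for the same. The description should also state that a socket is on exactly one of raw_sockets, connecting_sockets and sockets at release time, matching the three mutually exclusive branches in the hunk, otherwise a reader cannot tell whether a CONNECTING socket could also still be on local->sockets and need unlinking from both.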
--
2.54.0.545.g6539524ca2-goog
* Re: [PATCH 1/1] nfc: llcp: fix use-after-free in llcp_sock_release()
From: Eric Dumazet @ 2026-04-29 13:26 UTC
To: Lee Jones
Cc: David S. Miller, Jakub Kicinski, Paolo Abeni, Simon Horman,
Kees Cook, netdev, linux-kernel
On Wed, Apr 29, 2026 at 6:22 AM Lee Jones <lee@kernel.org> wrote:
>
> llcp_sock_release() unconditionally unlinks the socket from the local
> sockets list. However, if the socket is still in connecting state, it
> is on the connecting list.
>
> Fix this by checking the socket state and unlinking from the correct list.
>
> Signed-off-by: Lee Jones <lee@kernel.org>
> ---
> net/nfc/llcp_sock.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c
> index f1be1e84f6653..feab29fc62f44 100644
> --- a/net/nfc/llcp_sock.c
> +++ b/net/nfc/llcp_sock.c
> @@ -633,6 +633,8 @@ static int llcp_sock_release(struct socket *sock)
>
> if (sock->type == SOCK_RAW)
> nfc_llcp_sock_unlink(&local->raw_sockets, sk);
> + else if (sk->sk_state == LLCP_CONNECTING)
> + nfc_llcp_sock_unlink(&local->connecting_sockets, sk);
> else
> nfc_llcp_sock_unlink(&local->sockets, sk);
>
> --
> 2.54.0.545.g6539524ca2-goog
>
Why are you sending this patch a second time?
You forgot to add a Fixes: tag, as requested for all networking patches.
* Re: [PATCH 1/1] nfc: llcp: fix use-after-free in llcp_sock_release()
From: Lee Jones @ 2026-04-29 13:37 UTC
To: Eric Dumazet
Cc: David S. Miller, Jakub Kicinski, Paolo Abeni, Simon Horman,
Kees Cook, netdev, linux-kernel
On Wed, 29 Apr 2026, Eric Dumazet wrote:
> On Wed, Apr 29, 2026 at 6:22 AM Lee Jones <lee@kernel.org> wrote:
> >
> > llcp_sock_release() unconditionally unlinks the socket from the local
> > sockets list. However, if the socket is still in connecting state, it
> > is on the connecting list.
> >
> > Fix this by checking the socket state and unlinking from the correct list.
> >
> > Signed-off-by: Lee Jones <lee@kernel.org>
> > ---
> > net/nfc/llcp_sock.c | 2 ++
> > 1 file changed, 2 insertions(+)
> >
> > diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c
> > index f1be1e84f6653..feab29fc62f44 100644
> > --- a/net/nfc/llcp_sock.c
> > +++ b/net/nfc/llcp_sock.c
> > @@ -633,6 +633,8 @@ static int llcp_sock_release(struct socket *sock)
> >
> > if (sock->type == SOCK_RAW)
> > nfc_llcp_sock_unlink(&local->raw_sockets, sk);
> > + else if (sk->sk_state == LLCP_CONNECTING)
> > + nfc_llcp_sock_unlink(&local->connecting_sockets, sk);
> > else
> > nfc_llcp_sock_unlink(&local->sockets, sk);
> >
> > --
> > 2.54.0.545.g6539524ca2-goog
> >
>
> Why are you sending this patch a second time?
Because I am a dunce and forgot to clear out my send cache before
sending a related but different patch.
> You forgot to add a Fixes: tag, as requested for all networking patches.
No problem. Please ignore both of these and I'll follow up with a
coherent set with `Fixes:` tags applied.
--
Lee Jones
Thread overview: 5+ messages
2026-04-28 11:22 [PATCH 1/1] nfc: llcp: fix use-after-free in llcp_sock_release() Lee Jones
2026-04-29 13:22 Lee Jones
2026-04-29 13:26 ` Eric Dumazet
2026-04-29 13:37 ` Lee Jones
2026-04-29 13:39 ` Eric Dumazet