From: Lee Jones
To: lee@kernel.org, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, Kees Cook, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH 1/1] nfc: llcp: fix use-after-free in llcp_sock_release()
Date: Wed, 29 Apr 2026 13:22:11 +0000
Message-ID: <20260429132218.3548644-1-lee@kernel.org>

llcp_sock_release() unconditionally unlinks the socket from the local sockets list. However, if the socket is still in connecting state, it is on the connecting list. Fix this by checking the socket state and unlinking from the correct list.

Signed-off-by: Lee Jones

--- net/nfc/llcp_sock.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c index f1be1e84f6653..feab29fc62f44 100644 --- a/net/nfc/llcp_sock.c +++ b/net/nfc/llcp_sock.c @@ -633,6 +633,8 @@ static int llcp_sock_release(struct socket *sock) if (sock->type == SOCK_RAW) nfc_llcp_sock_unlink(&local->raw_sockets, sk); + else if (sk->sk_state == LLCP_CONNECTING) + nfc_llcp_sock_unlink(&local->connecting_sockets, sk); else nfc_llcp_sock_unlink(&local->sockets, sk); -- 2.54.0.545.g6539524ca2-goog
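
Review bot: The new `else if (sk->sk_state == LLCP_CONNECTING)` branch in llcp_sock_release() infers which list the socket is on from sk_state, and nothing in this hunk shows that the state and the list membership always change together. If sk_state can move away from LLCP_CONNECTING while the socket is still linked on local->connecting_sockets, the final else still unlinks from local->sockets and the stale entry remains. Please confirm that the state change and the list move are serialized with this path, or unlink based on the list the socket is actually on. The commit message would also benefit from describing how the stale entry is later dereferenced, since the subject says use-after-free but the body only describes the wrong-list unlink, and from a Fixes: tag so the change can be backported.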