* [PATCH v2 2/2] nfc: llcp: stop processing on LLCP_CLOSED in nfc_llcp_recv_hdlc()
From: Qianchang Zhao @ 2025-12-17 12:46 UTC (permalink / raw)
To: linux-nfc
Cc: Krzysztof Kozlowski, Paolo Abeni, Jakub Kicinski, David S. Miller,
Eric Dumazet, Simon Horman, netdev, linux-kernel, stable,
Qianchang Zhao
nfc_llcp_sock_get() takes a reference on the LLCP socket via sock_hold().
In nfc_llcp_recv_hdlc(), the LLCP_CLOSED branch releases the socket lock and
drops the reference, but the function continues to operate on llcp_sock/sk and
later runs release_sock() and nfc_llcp_sock_put() again on the common exit path.
Return immediately after the CLOSED cleanup to avoid refcount/lock imbalance and
to avoid using the socket after dropping the reference.
Fixes: d646960f7986fefb460a2b062d5ccc8ccfeacc3a ("NFC: Initial LLCP support")
Cc: stable@vger.kernel.org
Signed-off-by: Qianchang Zhao <pioooooooooip@gmail.com>
---
net/nfc/llcp_core.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
index ed37604ed..f6c1d79f9 100644
--- a/net/nfc/llcp_core.c
+++ b/net/nfc/llcp_core.c
@@ -1089,6 +1089,7 @@ static void nfc_llcp_recv_hdlc(struct nfc_llcp_local *local,
if (sk->sk_state == LLCP_CLOSED) {
release_sock(sk);
nfc_llcp_sock_put(llcp_sock);
+ return;
}
/* Pass the payload upstream */
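Review bot: The order inside the CLOSED branch is correct and must stay as it is: release_sock(sk) runs before nfc_llcp_sock_put(llcp_sock), because the put may drop the last reference and free the socket, after which unlocking it would touch freed memory, and the added `return;` now mirrors the common exit path exactly (release, put, leave). A one-line comment above the return noting that the reference is gone at that point would stop a future edit from reintroducing code after the branch.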
--
2.34.1
* [PATCH v2 0/2] nfc: llcp: fix double put/unlock on LLCP_CLOSED in recv handlers
From: Qianchang Zhao @ 2025-12-17 12:57 UTC (permalink / raw)
To: netdev
Cc: linux-kernel, Krzysztof Kozlowski, Paolo Abeni, Jakub Kicinski,
David S. Miller, Eric Dumazet, Simon Horman, stable,
Qianchang Zhao
This series fixes a refcount/locking imbalance in NFC LLCP receive handlers
when the socket is already in LLCP_CLOSED.
nfc_llcp_recv_disc() used to perform release_sock()/nfc_llcp_sock_put() in the CLOSED
branch but did not exit, and then performed the same cleanup again on the common
exit path. Drop the redundant CLOSED-branch cleanup so the common exit path runs
it exactly once, while keeping the existing DM_DISC reply behavior.
nfc_llcp_recv_hdlc() performed the CLOSED cleanup but then continued processing
and later cleaned up again on the common exit path. Return immediately after the
CLOSED cleanup.
Changes in v2:
- Drop Reported-by tags
- Add missing Fixes tags
Build-tested with: make M=net/nfc (no NFC HW available for runtime testing).
Qianchang Zhao (2):
nfc: llcp: avoid double release/put on LLCP_CLOSED in
nfc_llcp_recv_disc()
nfc: llcp: stop processing on LLCP_CLOSED in nfc_llcp_recv_hdlc()
net/nfc/llcp_core.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
--
2.34.1
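The imbalance the cover letter describes, as an added userspace model that is not kernel code and not part of this series: a reference count and a lock-depth counter stand in for sock_hold()/sock_put() and lock_sock()/release_sock(), and two handler bodies reproduce the shape of nfc_llcp_recv_hdlc() before and after patch 2/2 when the socket found by ssap/dsap is already in LLCP_CLOSED. The pre-patch shape of nfc_llcp_recv_disc() is the same as recv_hdlc_before() here. The struct and function names ending in _model, the violation counter and the starting reference count of 1 are assumptions made for the illustration.

```c
/* Added example, not code from the kernel or from this patch series: a
 * userspace model of the reference/lock pairing in the LLCP receive
 * handlers. The *_model names, the violation counter and the starting
 * refcount are assumptions made for this illustration. */
#include <stdio.h>

enum { LLCP_CLOSED = 0, LLCP_CONNECTED = 1 };

struct sock_model {
	int refcnt;     /* stands in for sk->sk_refcnt (sock_hold/sock_put) */
	int lock_depth; /* 1 while the handler holds lock_sock(), else 0 */
	int state;      /* LLCP_CLOSED or LLCP_CONNECTED */
	int violations; /* release without the lock, or put below zero */
};

static struct sock_model *sock_get_model(struct sock_model *sk)
{
	sk->refcnt++;   /* nfc_llcp_sock_get() -> sock_hold() */
	return sk;
}

static void sock_put_model(struct sock_model *sk)
{
	if (sk->refcnt <= 0)
		sk->violations++;   /* put on a socket that is already freed */
	sk->refcnt--;
}

static void lock_sock_model(struct sock_model *sk)
{
	sk->lock_depth++;
}

static void release_sock_model(struct sock_model *sk)
{
	if (sk->lock_depth != 1)
		sk->violations++;   /* release_sock() on a lock we do not hold */
	sk->lock_depth--;
}

/* Shape of nfc_llcp_recv_hdlc() before patch 2/2: the CLOSED branch cleans
 * up, then falls through to the common exit, which cleans up again. */
static void recv_hdlc_before(struct sock_model *found)
{
	struct sock_model *sk = sock_get_model(found);

	lock_sock_model(sk);
	if (sk->state == LLCP_CLOSED) {
		release_sock_model(sk);
		sock_put_model(sk);
		/* no return: everything below runs on a dropped reference */
	}
	/* payload handling would go here */
	release_sock_model(sk);
	sock_put_model(sk);
}

/* Shape after patch 2/2: leave right after the CLOSED cleanup. */
static void recv_hdlc_after(struct sock_model *found)
{
	struct sock_model *sk = sock_get_model(found);

	lock_sock_model(sk);
	if (sk->state == LLCP_CLOSED) {
		release_sock_model(sk);
		sock_put_model(sk);
		return;
	}
	release_sock_model(sk);
	sock_put_model(sk);
}

/* Drive one handler against a socket whose owner still holds one reference
 * (refcnt 1) and which is in the given state. Returns the number of
 * lock/refcount violations; a correct handler yields 0 in every state. */
static int violations_for(void (*handler)(struct sock_model *), int state)
{
	struct sock_model sk = { .refcnt = 1, .lock_depth = 0,
				 .state = state, .violations = 0 };

	handler(&sk);
	return sk.violations;
}

/* Same run, returning the owner's reference count afterwards: it must still
 * be 1; a double put leaves 0, stealing the reference the owner relies on. */
static int refcnt_for(void (*handler)(struct sock_model *), int state)
{
	struct sock_model sk = { .refcnt = 1, .lock_depth = 0,
				 .state = state, .violations = 0 };

	handler(&sk);
	return sk.refcnt;
}

int main(void)
{
	printf("before, CLOSED: violations=%d refcnt=%d\n",
	       violations_for(recv_hdlc_before, LLCP_CLOSED),
	       refcnt_for(recv_hdlc_before, LLCP_CLOSED));
	printf("after,  CLOSED: violations=%d refcnt=%d\n",
	       violations_for(recv_hdlc_after, LLCP_CLOSED),
	       refcnt_for(recv_hdlc_after, LLCP_CLOSED));
	return 0;
}
```

On a CONNECTED socket both shapes are balanced; only the CLOSED path shows the extra release_sock() on a lock the handler no longer holds and the second put that leaves the owner's count at 0, which is the refcount/lock imbalance the series fixes.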
* [PATCH v2 1/2] nfc: llcp: avoid double release/put on LLCP_CLOSED in nfc_llcp_recv_disc()
From: Qianchang Zhao @ 2025-12-17 12:57 UTC (permalink / raw)
To: netdev
Cc: linux-kernel, Krzysztof Kozlowski, Paolo Abeni, Jakub Kicinski,
David S. Miller, Eric Dumazet, Simon Horman, stable,
Qianchang Zhao
nfc_llcp_sock_get() takes a reference on the LLCP socket via sock_hold().
In nfc_llcp_recv_disc(), when the socket is already in LLCP_CLOSED state, the
code used to perform release_sock() and nfc_llcp_sock_put() in the CLOSED branch
but then continued execution and later performed the same cleanup again on the
common exit path. This results in refcount imbalance (double put) and unbalanced
lock release.
Remove the redundant CLOSED-branch cleanup so that release_sock() and
nfc_llcp_sock_put() are performed exactly once via the common exit path, while
keeping the existing DM_DISC reply behavior.
Fixes: d646960f7986fefb460a2b062d5ccc8ccfeacc3a ("NFC: Initial LLCP support")
Cc: stable@vger.kernel.org
Signed-off-by: Qianchang Zhao <pioooooooooip@gmail.com>
---
net/nfc/llcp_core.c | 5 -----
1 file changed, 5 deletions(-)
diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
index beeb3b4d2..ed37604ed 100644
--- a/net/nfc/llcp_core.c
+++ b/net/nfc/llcp_core.c
@@ -1177,11 +1177,6 @@ static void nfc_llcp_recv_disc(struct nfc_llcp_local *local,
nfc_llcp_socket_purge(llcp_sock);
- if (sk->sk_state == LLCP_CLOSED) {
- release_sock(sk);
- nfc_llcp_sock_put(llcp_sock);
- }
-
if (sk->sk_state == LLCP_CONNECTED) {
nfc_put_device(local->dev);
sk->sk_state = LLCP_CLOSED;
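Review bot: Dropping the CLOSED branch is the right fix here, since a socket already in LLCP_CLOSED now skips the CONNECTED block that follows and takes the single release_sock()/nfc_llcp_sock_put() pair at the end, still with the DM_DISC reply the changelog says is kept; but the fact that nfc_llcp_sock_get() can return a socket already in LLCP_CLOSED is what forced both this handler and nfc_llcp_recv_hdlc() to carry their own state checks, so a follow-up that makes the lookup skip CLOSED sockets would remove the class of bug rather than two instances of it. Also worth a sentence in the changelog: nfc_llcp_socket_purge(llcp_sock) at the top of the hunk still runs on a closed socket, which is unchanged, but it is now the only work done on that socket before the reply.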
--
2.34.1
* [PATCH v2 2/2] nfc: llcp: stop processing on LLCP_CLOSED in nfc_llcp_recv_hdlc()
From: Qianchang Zhao @ 2025-12-17 12:57 UTC (permalink / raw)
To: netdev
Cc: linux-kernel, Krzysztof Kozlowski, Paolo Abeni, Jakub Kicinski,
David S. Miller, Eric Dumazet, Simon Horman, stable,
Qianchang Zhao
nfc_llcp_sock_get() takes a reference on the LLCP socket via sock_hold().
In nfc_llcp_recv_hdlc(), the LLCP_CLOSED branch releases the socket lock and
drops the reference, but the function continues to operate on llcp_sock/sk and
later runs release_sock() and nfc_llcp_sock_put() again on the common exit path.
Return immediately after the CLOSED cleanup to avoid refcount/lock imbalance and
to avoid using the socket after dropping the reference.
Fixes: d646960f7986fefb460a2b062d5ccc8ccfeacc3a ("NFC: Initial LLCP support")
Cc: stable@vger.kernel.org
Signed-off-by: Qianchang Zhao <pioooooooooip@gmail.com>
---
net/nfc/llcp_core.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
index ed37604ed..f6c1d79f9 100644
--- a/net/nfc/llcp_core.c
+++ b/net/nfc/llcp_core.c
@@ -1089,6 +1089,7 @@ static void nfc_llcp_recv_hdlc(struct nfc_llcp_local *local,
if (sk->sk_state == LLCP_CLOSED) {
release_sock(sk);
nfc_llcp_sock_put(llcp_sock);
+ return;
}
/* Pass the payload upstream */
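Review bot: With the `return;` in place, a PDU that reaches nfc_llcp_recv_hdlc() for a socket already in LLCP_CLOSED is now dropped without any reply to the peer, while the disconnect handler in 1/2 still answers a DISC on such a socket with DM_DISC; if the silent drop is intended, a short comment above the return saying so would help, and if it is not, a DM sent before the release_sock()/nfc_llcp_sock_put() pair (while the reference is still held) would tell the remote side the connection is gone. Either way the early exit itself is correct and matches the common exit path at the end of the function.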
--
2.34.1
* Re: [PATCH v2 1/2] nfc: llcp: avoid double release/put on LLCP_CLOSED in nfc_llcp_recv_disc()
From: Krzysztof Kozlowski @ 2025-12-17 13:00 UTC (permalink / raw)
To: Qianchang Zhao, netdev
Cc: linux-kernel, Paolo Abeni, Jakub Kicinski, David S. Miller,
Eric Dumazet, Simon Horman, stable
On 17/12/2025 13:57, Qianchang Zhao wrote:
> nfc_llcp_sock_get() takes a reference on the LLCP socket via sock_hold().
>
> In nfc_llcp_recv_disc(), when the socket is already in LLCP_CLOSED state, the
> code used to perform release_sock() and nfc_llcp_sock_put() in the CLOSED branch
> but then continued execution and later performed the same cleanup again on the
> common exit path. This results in refcount imbalance (double put) and unbalanced
> lock release.
>
> Remove the redundant CLOSED-branch cleanup so that release_sock() and
> nfc_llcp_sock_put() are performed exactly once via the common exit path, while
> keeping the existing DM_DISC reply behavior.
>
> Fixes: d646960f7986fefb460a2b062d5ccc8ccfeacc3a ("NFC: Initial LLCP support")
> Cc: stable@vger.kernel.org
NAK, stop sending the same again and again. Respond to previous emails.
Best regards,
Krzysztof