public inbox for netdev@vger.kernel.org
* [PATCH 1/1] nfc: llcp: fix use-after-free in llcp_sock_release()
@ 2026-04-28 11:22 Lee Jones
  0 siblings, 0 replies; only message in thread
From: Lee Jones @ 2026-04-28 11:22 UTC (permalink / raw)
  To: lee, David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
	Simon Horman, Kees Cook, netdev, linux-kernel

llcp_sock_release() unconditionally unlinks the socket from the local
sockets list.  However, if the socket is still in connecting state, it
is on the connecting list.

Fix this by checking the socket state and unlinking from the correct list.

Signed-off-by: Lee Jones <lee@kernel.org>
---
 net/nfc/llcp_sock.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c
index f1be1e84f6653..feab29fc62f44 100644
--- a/net/nfc/llcp_sock.c
+++ b/net/nfc/llcp_sock.c
@@ -633,6 +633,8 @@ static int llcp_sock_release(struct socket *sock)
 
 	if (sock->type == SOCK_RAW)
 		nfc_llcp_sock_unlink(&local->raw_sockets, sk);
+	else if (sk->sk_state == LLCP_CONNECTING)
+		nfc_llcp_sock_unlink(&local->connecting_sockets, sk);
 	else
 		nfc_llcp_sock_unlink(&local->sockets, sk);
 
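Review bot: the new `else if (sk->sk_state == LLCP_CONNECTING)` branch picks the list from the value of sk_state at release time, so the fix is only correct if that state cannot change between the socket being placed on connecting_sockets and this test. Please confirm that nothing earlier in llcp_sock_release(), and no concurrent path, can move sk_state away from LLCP_CONNECTING while the socket is still linked on connecting_sockets; otherwise the final `else` would still pass &local->sockets for a socket that lives on the other list. The commit message would also benefit from a sentence describing how the stale connecting_sockets entry is later dereferenced (the subject says use-after-free but the body only describes the wrong-list unlink), and from a Fixes: tag naming the commit that introduced the problem so the patch can be picked up for stable.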
-- 
2.54.0.545.g6539524ca2-goog

