From: Lee Jones
To: lee@kernel.org, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, Kuniyuki Iwashima, Kees Cook, Junxi Qian, Ingo Molnar, Samuel Ortiz, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH 1/2] nfc: llcp: Fix use-after-free in llcp_sock_release()
Date: Wed, 29 Apr 2026 13:40:41 +0000
Message-ID: <20260429134115.3558604-1-lee@kernel.org>

llcp_sock_release() unconditionally unlinks the socket from the local sockets list. However, if the socket is still in connecting state, it is on the connecting list. Fix this by checking the socket state and unlinking from the correct list.

Fixes: b4011239a08e ("NFC: llcp: Fix non blocking sockets connections")
Signed-off-by: Lee Jones
--- net/nfc/llcp_sock.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c index f1be1e84f6653..feab29fc62f44 100644 --- a/net/nfc/llcp_sock.c +++ b/net/nfc/llcp_sock.c @@ -633,6 +633,8 @@ static int llcp_sock_release(struct socket *sock) if (sock->type == SOCK_RAW) nfc_llcp_sock_unlink(&local->raw_sockets, sk); + else if (sk->sk_state == LLCP_CONNECTING) + nfc_llcp_sock_unlink(&local->connecting_sockets, sk); else nfc_llcp_sock_unlink(&local->sockets, sk); -- 2.54.0.545.g6539524ca2-goog
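
Review bot: The new `else if (sk->sk_state == LLCP_CONNECTING)` branch infers list membership from a state value sampled at release time, and the visible context does not show that the state change and the move from `local->connecting_sockets` to `local->sockets` are atomic with respect to this check. If the two can be observed out of step, the socket is again unlinked from a list it is not on and the stale entry stays behind. Please state in the commit message which lock keeps `sk_state` and list membership consistent at this point, or unlink based on actual membership rather than on `sk_state`. The message should also spell out how the leftover entry on the connecting list turns into the use-after-free named in the subject (which path walks the list after the socket is freed), ideally with the sanitizer report that showed it.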