Re: [PATCH 2/2] nfc: llcp: Fix use-after-free race in nfc_llcp_recv_cc()
From: Simon Horman
Date: Fri May 01 2026 - 09:28:38 EST
On Wed, Apr 29, 2026 at 01:40:42PM +0000, Lee Jones wrote:
> A race condition exists in the NFC LLCP connection state machine where
> the connection acceptance packet (CC) can be processed concurrently with
> socket release. This can lead to a use-after-free of the socket object.
>
> When nfc_llcp_recv_cc() moves the socket from the connecting_sockets
> list to the sockets list, it does so without holding the socket lock.
> If llcp_sock_release() is executing concurrently, it might have already
> unlinked the socket and dropped its references, which can result in
> nfc_llcp_recv_cc() linking a freed socket into the live list.
>
> Fix this by holding lock_sock() during the state transition and list
> movement in nfc_llcp_recv_cc(). After acquiring the lock, check if
> the socket is still hashed to ensure it hasn't already been unlinked
> and marked for destruction by the release path. This aligns the locking
> pattern with recv_hdlc() and recv_disc().
>
> Fixes: a69f32af86e3 ("NFC: Socket linked list")
> Signed-off-by: Lee Jones <lee@xxxxxxxxxx>
Reviewed-by: Simon Horman <horms@xxxxxxxxxx>
FTR, there is an AI-generated review available for this patch on sashiko.dev.
I have looked over it and I believe it only covers pre-existing issues
and should not block progress of this patch.
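The lock-then-recheck-hashed pattern the commit message describes, as an added single-threaded user-space model that is not kernel code and not the patch itself. Names such as toy_sock, recv_cc_fixed and run_race are invented, the interleaving is forced by calling the two paths in order rather than with threads, and it assumes the receive path holds its own reference to the socket (as a lookup would), so the lock and the hashed check act on memory that is still valid:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the race; not the kernel's LLCP code. */
enum toy_state { TOY_CONNECTING, TOY_CONNECTED, TOY_CLOSED };

struct toy_sock {
    struct toy_sock *next;  /* intrusive singly-linked list membership */
    enum toy_state state;
    int refcnt;             /* models the sock refcount; 0 == memory freed */
    bool hashed;            /* true while linked in a list; cleared by release */
    bool locked;            /* models lock_sock()/release_sock() being held */
};

struct toy_list { struct toy_sock *head; };

static void toy_lock(struct toy_sock *s)   { if (s->locked) abort(); s->locked = true; }
static void toy_unlock(struct toy_sock *s) { if (!s->locked) abort(); s->locked = false; }

static void list_add(struct toy_list *l, struct toy_sock *s)
{
    s->next = l->head;
    l->head = s;
}

static bool list_del(struct toy_list *l, struct toy_sock *s)
{
    for (struct toy_sock **pp = &l->head; *pp; pp = &(*pp)->next) {
        if (*pp == s) { *pp = s->next; s->next = NULL; return true; }
    }
    return false;
}

/* Models sock_put(): the object counts as freed once refcnt reaches 0. */
static void toy_put(struct toy_sock *s) { s->refcnt--; }

/* Release path: under the lock, unlink from either list, clear hashed, drop the list's ref. */
static void toy_release(struct toy_sock *s, struct toy_list *connecting, struct toy_list *live)
{
    toy_lock(s);
    if (!list_del(connecting, s))
        list_del(live, s);
    s->hashed = false;
    s->state = TOY_CLOSED;
    toy_unlock(s);
    toy_put(s);
}

/* Before the fix: no lock and no check, so it links whatever it was handed. */
static void recv_cc_unfixed(struct toy_sock *s, struct toy_list *connecting, struct toy_list *live)
{
    list_del(connecting, s);
    s->state = TOY_CONNECTED;
    list_add(live, s);
}

/* After the fix: take the lock, and bail if release already unhashed the socket. */
static bool recv_cc_fixed(struct toy_sock *s, struct toy_list *connecting, struct toy_list *live)
{
    bool moved = false;
    toy_lock(s);
    if (s->hashed) {
        list_del(connecting, s);
        s->state = TOY_CONNECTED;
        list_add(live, s);
        moved = true;
    }
    toy_unlock(s);
    return moved;
}

/* True if the list still points at a node whose refcount hit 0: a dangling entry. */
static bool list_has_freed_node(const struct toy_list *l)
{
    for (const struct toy_sock *s = l->head; s; s = s->next)
        if (s->refcnt == 0) return true;
    return false;
}

/* Losing interleaving: receive path takes its ref, close() runs to completion first. */
static bool run_race(bool fixed)
{
    struct toy_list connecting = { NULL }, live = { NULL };
    struct toy_sock sk = { .state = TOY_CONNECTING, .refcnt = 1, .hashed = true };
    list_add(&connecting, &sk);

    sk.refcnt++;                            /* receive path's lookup reference */
    toy_release(&sk, &connecting, &live);   /* release wins the race */
    if (fixed)
        recv_cc_fixed(&sk, &connecting, &live);
    else
        recv_cc_unfixed(&sk, &connecting, &live);
    toy_put(&sk);                           /* receive path drops its reference */
    return list_has_freed_node(&live);      /* true == freed socket left in live list */
}

/* No race: the fixed path still performs the normal CONNECTING -> CONNECTED move. */
static bool run_normal(void)
{
    struct toy_list connecting = { NULL }, live = { NULL };
    struct toy_sock sk = { .state = TOY_CONNECTING, .refcnt = 1, .hashed = true };
    list_add(&connecting, &sk);
    bool moved = recv_cc_fixed(&sk, &connecting, &live);
    return moved && live.head == &sk && connecting.head == NULL && sk.state == TOY_CONNECTED;
}

int main(void)
{
    printf("unfixed leaves freed socket in live list: %s\n", run_race(false) ? "yes" : "no");
    printf("fixed   leaves freed socket in live list: %s\n", run_race(true) ? "yes" : "no");
    return 0;
}
```

The hashed flag is the only thing that distinguishes "looked up just before close()" from "still live" once the release path has run, which is why the check has to happen after the lock is taken rather than before it.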