5.15-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 19 Jun 2026 09:53:47 +0000 (11:53 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 19 Jun 2026 09:53:47 +0000 (11:53 +0200)
added patches:
nfc-llcp-protect-nfc_llcp_sock_unlink-calls.patch

queue-5.15/nfc-llcp-protect-nfc_llcp_sock_unlink-calls.patch [new file with mode: 0644]
queue-5.15/series

diff --git a/queue-5.15/nfc-llcp-protect-nfc_llcp_sock_unlink-calls.patch b/queue-5.15/nfc-llcp-protect-nfc_llcp_sock_unlink-calls.patch
new file mode 100644 (file)
index 0000000..5cf14bd
--- /dev/null
@@ -0,0 +1,53 @@
+From f10f48b7faffd49b71f57136c74e78144f3c2f18 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Mar 2022 20:25:22 +0100
+Subject: nfc: llcp: protect nfc_llcp_sock_unlink() calls
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+
+[ Upstream commit a06b8044169f6d5c3eb34772c13d2c0c1b205352 ]
+
+nfc_llcp_sock_link() is called in all paths (bind/connect) as a last
+action, still protected with lock_sock().  When cleaning up in
+llcp_sock_release(), call nfc_llcp_sock_unlink() in a mirrored way:
+earlier and still under the lock_sock().
+
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: f4268b466190 ("nfc: llcp: Fix use-after-free in llcp_sock_release()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/nfc/llcp_sock.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c
+index 6e1fba2084930e..dc96d751eb278f 100644
+--- a/net/nfc/llcp_sock.c
++++ b/net/nfc/llcp_sock.c
+@@ -626,6 +626,11 @@ static int llcp_sock_release(struct socket *sock)
+               }
+       }
++      if (sock->type == SOCK_RAW)
++              nfc_llcp_sock_unlink(&local->raw_sockets, sk);
++      else
++              nfc_llcp_sock_unlink(&local->sockets, sk);
++
+       if (llcp_sock->reserved_ssap < LLCP_SAP_MAX)
+               nfc_llcp_put_ssap(llcp_sock->local, llcp_sock->ssap);
+@@ -638,11 +643,6 @@ static int llcp_sock_release(struct socket *sock)
+       if (sk->sk_state == LLCP_DISCONNECTING)
+               return err;
+-      if (sock->type == SOCK_RAW)
+-              nfc_llcp_sock_unlink(&local->raw_sockets, sk);
+-      else
+-              nfc_llcp_sock_unlink(&local->sockets, sk);
+-
+ out:
+       sock_orphan(sk);
+       sock_put(sk);
+-- 
+2.53.0
+
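Review bot: The early `return err` for `sk->sk_state == LLCP_DISCONNECTING` in the second hunk of the queued patch is now reached after the socket has already been removed from `local->sockets` or `local->raw_sockets`, whereas before the move that path left it linked. That return also skips `sock_orphan(sk)` and `sock_put(sk)` under `out:`, so whatever later completes the disconnect presumably can no longer find the socket through the list; the lookup code is outside this patch, so this should be checked against the Stable-dep-of fix f4268b466190 that this backport is queued for. If the new ordering is intended, a comment at the moved block such as `/* unlink while still holding lock_sock(), mirroring nfc_llcp_sock_link() */` would record the invariant for later backports. `llcp_sock_release()` starts and ends outside both hunks, and the `lock_sock()`/`release_sock()` pair the commit message relies on is not visible here.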
index 13280126c85953d7fa92e2d3c40b45365cad67a8..ef8a8ce98d00c857f2f7440c60aed72d996d838e 100644 (file)
@@ -407,3 +407,4 @@ ksmbd-oob-read-regression-in-smb_check_perm_dacl-ace-walk-loops.patch
 batman-adv-tp_meter-fix-race-condition-in-send-error-reporting.patch
 batman-adv-tp_meter-avoid-role-confusion-in-tp_list.patch
 netfilter-require-ethernet-mac-header-before-using-e.patch
+nfc-llcp-protect-nfc_llcp_sock_unlink-calls.patch