From: Greg Kroah-Hartman Date: Fri, 19 Jun 2026 09:53:47 +0000 (+0200) Subject: 5.15-stable patches X-Git-Tag: v5.10.259~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5d6a4b5ab791949da0afecb2932f350358b43b30;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: nfc-llcp-protect-nfc_llcp_sock_unlink-calls.patch --- diff --git a/queue-5.15/nfc-llcp-protect-nfc_llcp_sock_unlink-calls.patch b/queue-5.15/nfc-llcp-protect-nfc_llcp_sock_unlink-calls.patch new file mode 100644 index 0000000000..5cf14bd2ed --- /dev/null +++ b/queue-5.15/nfc-llcp-protect-nfc_llcp_sock_unlink-calls.patch 
@@ -0,0 +1,53 @@ +From f10f48b7faffd49b71f57136c74e78144f3c2f18 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Mar 2022 20:25:22 +0100 +Subject: nfc: llcp: protect nfc_llcp_sock_unlink() calls + +From: Krzysztof Kozlowski + +[ Upstream commit a06b8044169f6d5c3eb34772c13d2c0c1b205352 ] + +nfc_llcp_sock_link() is called in all paths (bind/connect) as a last +action, still protected with lock_sock(). When cleaning up in +llcp_sock_release(), call nfc_llcp_sock_unlink() in a mirrored way: +earlier and still under the lock_sock(). + +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: David S. Miller +Stable-dep-of: f4268b466190 ("nfc: llcp: Fix use-after-free in llcp_sock_release()") +Signed-off-by: Sasha Levin +--- + net/nfc/llcp_sock.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c +index 6e1fba2084930e..dc96d751eb278f 100644 +--- a/net/nfc/llcp_sock.c ++++ b/net/nfc/llcp_sock.c +@@ -626,6 +626,11 @@ static int llcp_sock_release(struct socket *sock) + } + } + ++ if (sock->type == SOCK_RAW) ++ nfc_llcp_sock_unlink(&local->raw_sockets, sk); ++ else ++ nfc_llcp_sock_unlink(&local->sockets, sk); ++ + if (llcp_sock->reserved_ssap < LLCP_SAP_MAX) + nfc_llcp_put_ssap(llcp_sock->local, llcp_sock->ssap); + +@@ -638,11 +643,6 @@ static int llcp_sock_release(struct socket *sock) + if (sk->sk_state == LLCP_DISCONNECTING) + return err; + +- if (sock->type == SOCK_RAW) +- nfc_llcp_sock_unlink(&local->raw_sockets, sk); +- else +- nfc_llcp_sock_unlink(&local->sockets, sk); +- + out: + sock_orphan(sk); + sock_put(sk); +-- +2.53.0 + diff --git a/queue-5.15/series b/queue-5.15/series index 13280126c8..ef8a8ce98d 100644 --- a/queue-5.15/series +++ b/queue-5.15/series 
@@ -407,3 +407,4 @@ ksmbd-oob-read-regression-in-smb_check_perm_dacl-ace-walk-loops.patch batman-adv-tp_meter-fix-race-condition-in-send-error-reporting.patch batman-adv-tp_meter-avoid-role-confusion-in-tp_list.patch netfilter-require-ethernet-mac-header-before-using-e.patch +nfc-llcp-protect-nfc_llcp_sock_unlink-calls.patch
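Review bot: In the queued net/nfc/llcp_sock.c change, the nfc_llcp_sock_unlink() block added in the -626 hunk now runs ahead of the `if (sk->sk_state == LLCP_DISCONNECTING) return err;` early return that is visible as context in the -638 hunk. A socket in LLCP_DISCONNECTING is therefore now removed from local->sockets or local->raw_sockets, where before it returned while still linked. The commit message only describes mirroring nfc_llcp_sock_link() under lock_sock() and does not mention this, so please state in the changelog whether unlinking a disconnecting socket is intended. The added lines also dereference `local` while the following context line uses `llcp_sock->local`. It is worth confirming that both name the same non-NULL pointer at this point, since no such check is visible in the hunk.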
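Review bot: In the queue-5.15/series hunk the new entry is appended as the last line, and the patch carries Stable-dep-of: f4268b466190 ("nfc: llcp: Fix use-after-free in llcp_sock_release()"), yet no entry for that fix appears in the visible series context or in this commit's "added patches" list. A dependency has to apply before the fix it prepares for, so the fix must be queued after this line. Suggest adding it in the same commit, or saying in the commit message that it follows.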