git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Jakub Kicinski <kuba@kernel.org>
	Tue, 3 Mar 2026 16:23:45 +0000 (08:23 -0800)
committer	Sasha Levin <sashal@kernel.org>
	Thu, 12 Mar 2026 11:09:57 +0000 (07:09 -0400)
commit	da4515fc8263c5933ed605e396af91079806dc45
tree	c48534fe9b2c0611891a05e42a49ccca7b14ca88	tree \| snapshot
parent	28c9be1ef8bb183e207978c487beafb3a99dafe4	commit \| diff

nfc: rawsock: cancel tx_work before socket teardown

[ Upstream commit d793458c45df2aed498d7f74145eab7ee22d25aa ]

In rawsock_release(), cancel any pending tx_work and purge the write
queue before orphaning the socket. rawsock_tx_work runs on the system
workqueue and calls nfc_data_exchange which dereferences the NCI
device. Without synchronization, tx_work can race with socket and
device teardown when a process is killed (e.g. by SIGKILL), leading
to use-after-free or leaked references.

Set SEND_SHUTDOWN first so that if tx_work is already running it will
see the flag and skip transmitting, then use cancel_work_sync to wait
for any in-progress execution to finish, and finally purge any
remaining queued skbs.

Fixes: 23b7869c0fd0 ("NFC: add the NFC socket raw protocol")
Reviewed-by: Joe Damato <joe@dama.to>
Link: https://patch.msgid.link/20260303162346.2071888-6-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>