linux/net/nfc
Fedor Pchelkin bfb007aebe nfc: nci: free rx_data_reassembly skb on NCI device cleanup
rx_data_reassembly skb is stored during NCI data exchange for processing
fragmented packets. It is dropped only when the last fragment is processed
or when an NTF packet with NCI_OP_RF_DEACTIVATE_NTF opcode is received.
However, the NCI device may be deallocated before that which leads to skb
leak.

As by design the rx_data_reassembly skb is bound to the NCI device and
nothing prevents the device to be freed before the skb is processed in
some way and cleaned, free it on the NCI device cleanup.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Fixes: 6a2968aaf5 ("NFC: basic NCI protocol implementation")
Cc: stable@vger.kernel.org
Reported-by: syzbot+6b7c68d9c21e4ee4251b@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/lkml/000000000000f43987060043da7b@google.com/
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>
2024-01-29 12:05:31 +00:00
..
hci NFC: hci: Split memcpy() of struct hcp_message flexible array 2022-09-27 07:45:18 -07:00
nci nfc: nci: free rx_data_reassembly skb on NCI device cleanup 2024-01-29 12:05:31 +00:00
af_nfc.c nfc: fix error handling of nfc_proto_register() 2021-10-13 17:32:38 -07:00
core.c net: nfc: Directly use ida_alloc()/free() 2022-05-28 15:28:47 +01:00
digital_core.c net: fill in MODULE_DESCRIPTION()s for NFC 2024-01-11 16:16:08 -08:00
digital_dep.c net:nfc:digital: Fix a double free in digital_tg_recv_dep_req 2021-04-27 15:36:10 -07:00
digital_technology.c NFC: digital: fix possible memory leak in digital_in_send_sdd_req() 2021-10-13 17:44:29 -07:00
digital.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 288 2019-06-05 17:36:37 +02:00
Kconfig net: remove redundant 'depends on NET' 2021-01-27 17:04:12 -08:00
llcp_commands.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-06-27 09:45:22 -07:00
llcp_core.c nfc: llcp_core: Hold a ref to llcp_local->dev when holding a ref to llcp_local 2023-12-25 07:29:04 +00:00
llcp_sock.c nfc: Do not send datagram if socket state isn't LLCP_BOUND 2023-12-25 07:29:04 +00:00
llcp.h net: nfc: Fix use-after-free caused by nfc_llcp_find_local 2023-06-26 10:57:23 +01:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
netlink.c genetlink: use attrs from struct genl_info 2023-08-15 15:00:45 -07:00
nfc.h net: nfc: Fix use-after-free caused by nfc_llcp_find_local 2023-06-26 10:57:23 +01:00
rawsock.c nfc: Add KCOV annotations 2022-11-02 11:58:13 +00:00