Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

nfc: hci: shdlc: Stop timers and work before freeing context

llc_shdlc_deinit() purges SHDLC skb queues and frees the llc_shdlc
structure while its timers and state machine work may still be active.

Timer callbacks can schedule sm_work, and sm_work accesses SHDLC state
and the skb queues. If teardown happens in parallel with a queued/running
work item, it can lead to UAF and other shutdown races.

Stop all SHDLC timers and cancel sm_work synchronously before purging the
queues and freeing the context.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 4a61cd6687fc ("NFC: Add an shdlc llc module to llc core")
Signed-off-by: Votokina Victoria <Victoria.Votokina@kaspersky.com>
Link: https://patch.msgid.link/20260203113158.2008723-1-Victoria.Votokina@kaspersky.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

authored by Votokina Victoria and committed by Jakub Kicinski
c9efde1e e1aa5ef8

+8
net/nfc/hci/llc_shdlc.c
··· 762 762 { 763 763 struct llc_shdlc *shdlc = nfc_llc_get_data(llc); 764 764 765 + timer_shutdown_sync(&shdlc->connect_timer); 766 + timer_shutdown_sync(&shdlc->t1_timer); 767 + timer_shutdown_sync(&shdlc->t2_timer); 768 + shdlc->t1_active = false; 769 + shdlc->t2_active = false; 770 + 771 + cancel_work_sync(&shdlc->sm_work); 772 + 765 773 skb_queue_purge(&shdlc->rcv_q); 766 774 skb_queue_purge(&shdlc->send_q); 767 775 skb_queue_purge(&shdlc->ack_pending_q);
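Review bot: the ordering in this hunk is load-bearing and deserves a short comment above `timer_shutdown_sync(&shdlc->connect_timer);`: shutting the three timers down before `cancel_work_sync(&shdlc->sm_work);` is what makes the fix complete, because timer_shutdown_sync() not only waits for a running callback but also turns any later re-arm into a no-op, so an sm_work instance that is still running and tries to restart t1/t2 cannot bring a timer back after this point, and the skb_queue_purge() calls that follow then run with neither a timer nor the work item able to touch the queues; del_timer_sync() would not give that guarantee, which is the reason to prefer the shutdown variant here and worth stating in the code. Two follow-ups: the `Fixes:` tag reaches back to the commit that introduced the module, so stable trees that predate timer_shutdown_sync() will need a backport variant built on del_timer_sync(); and it is worth confirming in the commit message that no other path can queue sm_work after the cancel, since the hunk closes only the timer-to-work path and any other enqueue would still race with the purge.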