Gh0st
/
linux
mirror of https://github.com/torvalds/linux.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
linux/net/nfc
History
Votokina Victoria c9efde1e53 nfc: hci: shdlc: Stop timers and work before freeing context 
llc_shdlc_deinit() purges SHDLC skb queues and frees the llc_shdlc
structure while its timers and state machine work may still be active.

Timer callbacks can schedule sm_work, and sm_work accesses SHDLC state
and the skb queues. If teardown happens in parallel with a queued/running
work item, it can lead to UAF and other shutdown races.

Stop all SHDLC timers and cancel sm_work synchronously before purging the
queues and freeing the context.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 4a61cd6687 ("NFC: Add an shdlc llc module to llc core")
Signed-off-by: Votokina Victoria <Victoria.Votokina@kaspersky.com>
Link: https://patch.msgid.link/20260203113158.2008723-1-Victoria.Votokina@kaspersky.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
 		2026-02-05 18:46:20 -08:00
..
hci nfc: hci: shdlc: Stop timers and work before freeing context 2026-02-05 18:46:20 -08:00
nci nfc: nci: Fix race between rfkill and nci_unregister_device(). 2026-01-28 19:32:26 -08:00
Kconfig
Makefile
af_nfc.c
core.c nfc: nci: Fix race between rfkill and nci_unregister_device(). 2026-01-28 19:32:26 -08:00
digital.h
digital_core.c
digital_dep.c
digital_technology.c
llcp.h
llcp_commands.c nfc: llcp: Fix memleak in nfc_llcp_send_ui_frame(). 2026-01-26 19:51:46 -08:00
llcp_core.c nfc: llcp: Fix memleak in nfc_llcp_send_ui_frame(). 2026-01-26 19:51:46 -08:00
llcp_sock.c net: Convert proto_ops connect() callbacks to use sockaddr_unsized 2025-11-04 19:10:32 -08:00
netlink.c nfc: Remove checks for nla_data returning NULL 2025-06-18 14:17:32 -07:00
nfc.h
rawsock.c net: Convert proto_ops connect() callbacks to use sockaddr_unsized 2025-11-04 19:10:32 -08:00