[net] nfc: nci: free rx_data_reassembly skb on NCI device cleanup

Message ID 20240125095310.15738-1-pchelkin@ispras.ru (mailing list archive)
State Accepted
Commit bfb007aebe6bff451f7f3a4be19f4f286d0d5d9c
Delegated to: Netdev Maintainers
Series [net] nfc: nci: free rx_data_reassembly skb on NCI device cleanup

Checks

Context Check Description
netdev/series_format success Single patches do not need cover letters
netdev/tree_selection success Clearly marked for net
netdev/ynl success SINGLE THREAD; Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag present in non-next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 1065 this patch: 1065
netdev/build_tools success No tools touched, skip
netdev/cc_maintainers success CCed 0 of 0 maintainers
netdev/build_clang success Errors and warnings before: 1081 this patch: 1081
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 1082 this patch: 1082
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 10 lines checked
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
netdev/contest success net-next-2024-01-27--15-00 (tests: 614)

Commit Message

Fedor Pchelkin Jan. 25, 2024, 9:53 a.m. UTC
rx_data_reassembly skb is stored during NCI data exchange for processing
fragmented packets. It is dropped only when the last fragment is processed
or when an NTF packet with NCI_OP_RF_DEACTIVATE_NTF opcode is received.
However, the NCI device may be deallocated before that, which leads to an
skb leak.

As by design the rx_data_reassembly skb is bound to the NCI device and
nothing prevents the device from being freed before the skb is processed in
some way and cleaned, free it on the NCI device cleanup.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Fixes: 6a2968aaf50c ("NFC: basic NCI protocol implementation")
Cc: stable@vger.kernel.org
Reported-by: syzbot+6b7c68d9c21e4ee4251b@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/lkml/000000000000f43987060043da7b@google.com/
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
---
 net/nfc/nci/core.c | 4 ++++
 1 file changed, 4 insertions(+)

Comments

patchwork-bot+netdevbpf@kernel.org Jan. 29, 2024, 12:10 p.m. UTC | #1
Hello:

This patch was applied to netdev/net.git (main)
by David S. Miller <davem@davemloft.net>:

On Thu, 25 Jan 2024 12:53:09 +0300 you wrote:
> rx_data_reassembly skb is stored during NCI data exchange for processing
> fragmented packets. It is dropped only when the last fragment is processed
> or when an NTF packet with NCI_OP_RF_DEACTIVATE_NTF opcode is received.
> However, the NCI device may be deallocated before that, which leads to an
> skb leak.
> 
> As by design the rx_data_reassembly skb is bound to the NCI device and
> nothing prevents the device from being freed before the skb is processed in
> some way and cleaned, free it on the NCI device cleanup.
> 
> [...]

Here is the summary with links:
  - [net] nfc: nci: free rx_data_reassembly skb on NCI device cleanup
    https://git.kernel.org/netdev/net/c/bfb007aebe6b

You are awesome, thank you!

Patch

diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c
index 97348cedb16b..cdad47b140fa 100644
--- a/net/nfc/nci/core.c
+++ b/net/nfc/nci/core.c
@@ -1208,6 +1208,10 @@  void nci_free_device(struct nci_dev *ndev)
 {
 	nfc_free_device(ndev->nfc_dev);
 	nci_hci_deallocate(ndev);
+
+	/* drop partial rx data packet if present */
+	if (ndev->rx_data_reassembly)
+		kfree_skb(ndev->rx_data_reassembly);
 	kfree(ndev);
 }
 EXPORT_SYMBOL(nci_free_device);
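Review bot: the `if (ndev->rx_data_reassembly)` guard added before `kfree_skb()` is redundant, since kfree_skb() already treats a NULL pointer as a no-op; the hunk can be reduced to the comment plus a bare `kfree_skb(ndev->rx_data_reassembly);`. The placement itself is right: the partial skb is released after nci_hci_deallocate() and immediately before `kfree(ndev)`, so the pointer does not need to be cleared afterwards and no later code path can observe it.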