From: Breno Leitao
Date: Thu, 21 May 2026 07:32:09 -0700
Subject: [PATCH net v2 1/2] nfc: llcp: avoid userspace overflow on invalid optlen
Message-Id: <20260521-fix_llc-v2-1-ab44cc09179c@debian.org>
References: <20260521-fix_llc-v2-0-ab44cc09179c@debian.org>
In-Reply-To: <20260521-fix_llc-v2-0-ab44cc09179c@debian.org>
To: "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, Shuah Khan, David Heidelberg, Samuel Ortiz
Cc: linux-kernel@vger.kernel.org, netdev@vger.kernel.org, linux-kselftest@vger.kernel.org, oe-linux-nfc@lists.linux.dev, Breno Leitao, kernel-team@meta.com
X-Mailer: b4 0.16-dev-d5d98
X-Developer-Key: i=leitao@debian.org; a=openpgp; fpr=AC8539A6E8F46702CA4A439B35A3939FFC78776D

nfc_llcp_getsockopt() casts optval to (u32 __user *) for put_user(), so the kernel always stores 4 bytes regardless of the caller-supplied optlen. The existing min_t(u32, len, sizeof(u32)) only clamps the length reported back to userspace; it does not constrain the store. A call with optlen < 4 therefore writes past the user buffer, violating the getsockopt(2) contract for all five supported optnames.

Reject any call with optlen < sizeof(u32) up front. 'len' is int, so a plain size comparison would promote a negative optlen to size_t and slip past the check; an explicit 'len < 0' test is added first to catch negative values before the size compare.

Fixes: 26fd76cab2e6 ("NFC: llcp: Implement socket options")
Signed-off-by: Breno Leitao
---
 net/nfc/llcp_sock.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c
index f1be1e84f6653..aa9a78a671521 100644
--- a/net/nfc/llcp_sock.c
+++ b/net/nfc/llcp_sock.c
@@ -319,6 +319,12 @@ static int nfc_llcp_getsockopt(struct socket *sock, in= t level, int optname, if (get_user(len, optlen)) return -EFAULT; =20 + if (len < 0) + return -EINVAL; + + if (len < sizeof(u32)) + return -EINVAL; + local =3D llcp_sock->local; if (!local) return -ENODEV; --=20 2.53.0-Meta
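Review bot: the two new guards can be collapsed into a single `if (len < 0 || len < sizeof(u32)) return -EINVAL;` with a one-line comment saying the sign test has to come first because `len` is an int being compared against a size_t; as written, nothing in the code explains why `len < 0` is a separate branch from `len < sizeof(u32)`, and that reasoning lives only in the commit message. Once this check is in place, the later `len = min_t(u32, len, sizeof(u32))` that the message refers to can only ever produce sizeof(u32), so it could become `len = sizeof(u32)` or go away entirely. The placement itself is right: the check sits directly after `get_user(len, optlen)` and before `local = llcp_sock->local`, so no pointer is touched for a bad length.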
From: Breno Leitao
Date: Thu, 21 May 2026 07:32:10 -0700
Subject: [PATCH net v2 2/2] nfc: llcp: read llcp_sock->local under the socket lock in getsockopt
Message-Id: <20260521-fix_llc-v2-2-ab44cc09179c@debian.org>
References: <20260521-fix_llc-v2-0-ab44cc09179c@debian.org>
In-Reply-To: <20260521-fix_llc-v2-0-ab44cc09179c@debian.org>
To: "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, Shuah Khan, David Heidelberg, Samuel Ortiz
Cc: linux-kernel@vger.kernel.org, netdev@vger.kernel.org, linux-kselftest@vger.kernel.org, oe-linux-nfc@lists.linux.dev, Breno Leitao, kernel-team@meta.com
X-Mailer: b4 0.16-dev-d5d98
X-Developer-Key: i=leitao@debian.org; a=openpgp; fpr=AC8539A6E8F46702CA4A439B35A3939FFC78776D
nfc_llcp_getsockopt() read llcp_sock->local before lock_sock(sk) and then dereferenced the cached pointer inside the locked region. llcp_sock_bind() assigns and clears llcp_sock->local under the same socket lock, dropping the last reference on its error path. A getsockopt() racing an in-flight bind() can observe the pointer, block on lock_sock(), and then dereference a freed nfc_llcp_local once bind() has unwound.

Move the llcp_sock->local read and the NULL check inside the lock_sock(sk) region so bind() cannot mutate or free the pointer between the load and the use.

Fixes: 26fd76cab2e6 ("NFC: llcp: Implement socket options")
Signed-off-by: Breno Leitao
---
 net/nfc/llcp_sock.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c
index aa9a78a671521..266590d402664 100644
--- a/net/nfc/llcp_sock.c
+++ b/net/nfc/llcp_sock.c
@@ -325,14 +325,16 @@ static int nfc_llcp_getsockopt(struct socket *sock, i= nt level, int optname, if (len < sizeof(u32)) return -EINVAL; =20 - local =3D llcp_sock->local; - if (!local) - return -ENODEV; - len =3D min_t(u32, len, sizeof(u32)); =20 lock_sock(sk); =20 + local =3D llcp_sock->local; + if (!local) { + release_sock(sk); + return -ENODEV; + } + switch (optname) { case NFC_LLCP_RW: rw =3D llcp_sock->rw > LLCP_MAX_RW ? local->rw : llcp_sock->rw; --=20 2.53.0-Meta
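Review bot: the new `!local` branch has to undo the lock by hand with `release_sock(sk)` before `return -ENODEV`; if the rest of this function already funnels its error paths through one unlock-and-return label, setting the error code and jumping to that label would keep a single unlock site and make it harder for a future early return to miss it. A short comment above `local = llcp_sock->local;` stating that the field is only stable while the socket lock is held (the whole point of this fix) would also stop someone hoisting the read back out of the locked region later. With the `if (len < sizeof(u32)) return -EINVAL;` carried as context from patch 1/2, the unchanged `len = min_t(u32, len, sizeof(u32));` is now a no-op and could be simplified in a follow-up. The remaining context line `rw = llcp_sock->rw > LLCP_MAX_RW ? local->rw : llcp_sock->rw;` is the first dereference of `local` and now sits after `lock_sock(sk)`, which matches what the commit message requires.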