This from static analysis inspired by CVE-2021-26708 where there was a race condition because it didn't lock_sock(sk) before saving "vsk->transport". Here it is saving "llcp_sock->local" but the concept is the same that it needs to take the lock first.

Fixes: 00e856db49bb ("NFC: llcp: Fall back to local values when getting socket options")
Fixes: d646960f7986 ("NFC: Initial LLCP support")
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
---
 net/nfc/llcp_sock.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c
index 6cfd30fc0798..74f4209c7144 100644
--- a/net/nfc/llcp_sock.c
+++ b/net/nfc/llcp_sock.c
@@ -314,14 +314,16 @@ static int nfc_llcp_getsockopt(struct socket *sock, int level, int optname,
 	if (get_user(len, optlen))
 		return -EFAULT;
 
-	local = llcp_sock->local;
-	if (!local)
-		return -ENODEV;
-
 	len = min_t(u32, len, sizeof(u32));
 
 	lock_sock(sk);
 
+	local = llcp_sock->local;
+	if (!local) {
+		release_sock(sk);
+		return -ENODEV;
+	}
+
 	switch (optname) {
 	case NFC_LLCP_RW:
 		rw = llcp_sock->rw > LLCP_MAX_RW ? local->rw : llcp_sock->rw;
@@ -598,14 +600,15 @@ static int llcp_sock_release(struct socket *sock)
 
 	pr_debug("%p\n", sk);
 
+	lock_sock(sk);
+
 	local = llcp_sock->local;
 	if (local == NULL) {
+		release_sock(sk);
 		err = -ENODEV;
 		goto out;
 	}
 
-	lock_sock(sk);
-
 	/* Send a DISC */
 	if (sk->sk_state == LLCP_CONNECTED)
 		nfc_llcp_send_disconnect(llcp_sock);
-- 
2.20.1
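Review bot: The new read of `llcp_sock->local` under `lock_sock(sk)` carries no comment saying why it must be sampled locked, which is the whole point of the fix and the first thing a later cleanup would hoist back above the lock. A one-line comment above the read, `/* llcp_sock->local is updated under the socket lock by the release path; read it only while locked */`, would pin that down — which writer is actually being raced against is inferred from the commit message, not visible in the hunk. The `release_sock(sk); return -ENODEV;` pair is correct as far as the hunk shows; if nfc_llcp_getsockopt already has a common unlock-and-return exit further down, a `goto` to it would match llcp_sock_release's `goto out` style. The rest of nfc_llcp_getsockopt, including the unlock on the normal path, lies outside the hunk.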
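Review bot: The `release_sock(sk)` added on the `local == NULL` branch is only balanced if nothing after the `out:` label — which is outside the hunk — releases the lock again, and if every other exit between here and `out:` still releases it; both sides of llcp_sock_release continue past the hunk, so that pairing is worth checking rather than assumed. The lock is now also held across `nfc_llcp_send_disconnect()` and whatever follows, slightly earlier than before, which is presumably intended but widens the held-lock window. Making the pairing explicit on the error branch, `/* lock taken above; out: does not release it */`, would help the next reader.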