From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, kiyin(尹亮), Xiaoming Ni, "David S. Miller"
Subject: [PATCH 4.19 06/66] nfc: Avoid endless loops caused by repeated llcp_sock_connect()
Date: Mon, 12 Apr 2021 10:40:12 +0200
Message-Id: <20210412083958.340866531@linuxfoundation.org>
In-Reply-To: <20210412083958.129944265@linuxfoundation.org>

From: Xiaoming Ni

commit 4b5db93e7f2afbdfe3b78e37879a85290187e6f1 upstream.

When sock_wait_state() returns -EINPROGRESS, "sk->sk_state" is LLCP_CONNECTING. In this case, llcp_sock_connect() is repeatedly invoked, nfc_llcp_sock_link() will add sk to local->connecting_sockets twice. sk->sk_node->next will point to itself, that will make an endless loop and hang-up the system.

To fix it, check whether sk->sk_state is LLCP_CONNECTING in llcp_sock_connect() to avoid repeated invoking.

Fixes: b4011239a08e ("NFC: llcp: Fix non blocking sockets connections")
Reported-by: "kiyin(尹亮)"
Link: https://www.openwall.com/lists/oss-security/2020/11/01/1
Cc: #v3.11
Signed-off-by: Xiaoming Ni
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
 net/nfc/llcp_sock.c | 4 ++++
 1 file changed, 4 insertions(+)

--- a/net/nfc/llcp_sock.c +++ b/net/nfc/llcp_sock.c @@ -685,6 +685,10 @@ static int llcp_sock_connect(struct sock ret = -EISCONN; goto error; } + if (sk->sk_state == LLCP_CONNECTING) { + ret = -EINPROGRESS; + goto error; + } dev = nfc_get_device(addr->dev_idx); if (dev == NULL) {
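
Review bot: the new `sk->sk_state == LLCP_CONNECTING` branch returns -EINPROGRESS for a connect() that is repeated while the first one is still pending, whereas POSIX connect() reports that case as EALREADY and uses EINPROGRESS for the first non-blocking call; either return -EALREADY here or state in the commit message why callers should see -EINPROGRESS a second time. A one-line comment above the check saying that it keeps nfc_llcp_sock_link() from adding sk to local->connecting_sockets twice would also help, because nothing in the code ties this early return to the list corruption the commit message describes. Placing the check before nfc_get_device() is the right spot, since the early exit then happens before any device lookup.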