Commit aa5a5b7a authored by David S. Miller's avatar David S. Miller

Merge branch 'nfc-fixes'

Xiaoming Ni says:

====================
nfc: fix Resource leakage and endless loop

Fix a resource leak and an endless loop in net/nfc/llcp_sock.c,
 reported by "kiyin(尹亮)".

Link: https://www.openwall.com/lists/oss-security/2020/11/01/1
====================
math: Export mul_u64_u64_div_u64

Fixes: f51d7bf1 ("ptp_qoriq: fix overflow in ptp_qoriq_adjfine() u64 calcalation")
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents d7513508 4b5db93e
...@@ -108,11 +108,13 @@ static int llcp_sock_bind(struct socket *sock, struct sockaddr *addr, int alen) ...@@ -108,11 +108,13 @@ static int llcp_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
llcp_sock->service_name_len, llcp_sock->service_name_len,
GFP_KERNEL); GFP_KERNEL);
if (!llcp_sock->service_name) { if (!llcp_sock->service_name) {
nfc_llcp_local_put(llcp_sock->local);
ret = -ENOMEM; ret = -ENOMEM;
goto put_dev; goto put_dev;
} }
llcp_sock->ssap = nfc_llcp_get_sdp_ssap(local, llcp_sock); llcp_sock->ssap = nfc_llcp_get_sdp_ssap(local, llcp_sock);
if (llcp_sock->ssap == LLCP_SAP_MAX) { if (llcp_sock->ssap == LLCP_SAP_MAX) {
nfc_llcp_local_put(llcp_sock->local);
kfree(llcp_sock->service_name); kfree(llcp_sock->service_name);
llcp_sock->service_name = NULL; llcp_sock->service_name = NULL;
ret = -EADDRINUSE; ret = -EADDRINUSE;
...@@ -671,6 +673,10 @@ static int llcp_sock_connect(struct socket *sock, struct sockaddr *_addr, ...@@ -671,6 +673,10 @@ static int llcp_sock_connect(struct socket *sock, struct sockaddr *_addr,
ret = -EISCONN; ret = -EISCONN;
goto error; goto error;
} }
if (sk->sk_state == LLCP_CONNECTING) {
ret = -EINPROGRESS;
goto error;
}
dev = nfc_get_device(addr->dev_idx); dev = nfc_get_device(addr->dev_idx);
if (dev == NULL) { if (dev == NULL) {
...@@ -702,6 +708,7 @@ static int llcp_sock_connect(struct socket *sock, struct sockaddr *_addr, ...@@ -702,6 +708,7 @@ static int llcp_sock_connect(struct socket *sock, struct sockaddr *_addr,
llcp_sock->local = nfc_llcp_local_get(local); llcp_sock->local = nfc_llcp_local_get(local);
llcp_sock->ssap = nfc_llcp_get_local_ssap(local); llcp_sock->ssap = nfc_llcp_get_local_ssap(local);
if (llcp_sock->ssap == LLCP_SAP_MAX) { if (llcp_sock->ssap == LLCP_SAP_MAX) {
nfc_llcp_local_put(llcp_sock->local);
ret = -ENOMEM; ret = -ENOMEM;
goto put_dev; goto put_dev;
} }
...@@ -743,9 +750,12 @@ static int llcp_sock_connect(struct socket *sock, struct sockaddr *_addr, ...@@ -743,9 +750,12 @@ static int llcp_sock_connect(struct socket *sock, struct sockaddr *_addr,
sock_unlink: sock_unlink:
nfc_llcp_sock_unlink(&local->connecting_sockets, sk); nfc_llcp_sock_unlink(&local->connecting_sockets, sk);
kfree(llcp_sock->service_name);
llcp_sock->service_name = NULL;
sock_llcp_release: sock_llcp_release:
nfc_llcp_put_ssap(local, llcp_sock->ssap); nfc_llcp_put_ssap(local, llcp_sock->ssap);
nfc_llcp_local_put(llcp_sock->local);
put_dev: put_dev:
nfc_put_device(dev); nfc_put_device(dev);
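Review bot: The new error paths call `nfc_llcp_local_put(llcp_sock->local)` but leave the stale pointer in `llcp_sock->local`, whereas `service_name` is set to NULL right after its `kfree()`. This affects both added puts in llcp_sock_bind and the two in llcp_sock_connect (the LLCP_SAP_MAX branch and the `sock_llcp_release` label). If the socket's release path or a retried bind/connect also drops or dereferences `llcp_sock->local` (not visible in these hunks, so worth confirming), the reference would be put twice or used after the final put has freed it. I would add `llcp_sock->local = NULL;` directly after each put, so that a failed call leaves the socket in the same state as one that was never bound. Both functions start and end outside the hunks shown.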