The nci_core_conn_close_rsp_packet() function will release the conn_info with given conn_id. However, this reference of this object may still held by other places like ndev->rf_conn_info in routine: .. -> nci_recv_frame() -> nci_rx_work() -> nci_rsp_packet() -> nci_rf_disc_rsp_packet() -> devm_kzalloc() ndev->rf_conn_info = conn_info; or ndev->hci_dev->conn_info in routine: .. -> nci_recv_frame() -> nci_rx_work() -> nci_rsp_packet() -> nci_core_conn_create_rsp_packet() -> devm_kzalloc() ndev->hci_dev->conn_info = conn_info; If these two places are not NULL out, potential UAF can be exploited by the attacker when emulating an UART NFC device. This patch compares the deallocating object with the two places and writes NULL to prevent that. Signed-off-by: Lin Ma --- net/nfc/nci/rsp.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/net/nfc/nci/rsp.c b/net/nfc/nci/rsp.c index a2e72c003805..99de76e5e855 100644 --- a/net/nfc/nci/rsp.c +++ b/net/nfc/nci/rsp.c @@ -334,6 +334,14 @@ static void nci_core_conn_close_rsp_packet(struct nci_dev *ndev, ndev->cur_conn_id); if (conn_info) { list_del(&conn_info->list); + /* Other places held conn_info like + * ndev->hci_dev->conn_info, ndev->rf_conn_info + * need to be NULL out. + */ + if (ndev->hci_dev->conn_info == conn_info) + ndev->hci_dev->conn_info = NULL; + if (ndev->rf_conn_info == conn_info) + ndev->rf_conn_info = NULL; devm_kfree(&ndev->nfc_dev->dev, conn_info); } } -- 2.33.0