From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com> mainline inclusion from mainline-v5.18-rc1 commit 13a3585b264bfeba018941a713b8d7fc9b8221a2 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I7NLJR CVE: CVE-2023-3863 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... --------------------------- Nullify the llcp_sock->dev on llcp_sock_connect() error paths, symmetrically to the code llcp_sock_bind(). The non-NULL value of llcp_sock->dev is used in a few places to check whether the socket is still valid. There was no particular issue observed with missing NULL assignment in connect() error path, however a similar case - in the bind() error path - was triggerable. That one was fixed in commit 4ac06a1e013c ("nfc: fix NULL ptr dereference in llcp_sock_getname() after failed connect"), so the change here seems logical as well. Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com> --- net/nfc/llcp_sock.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c index 2162644a37e9..5c730830e9db 100644 --- a/net/nfc/llcp_sock.c +++ b/net/nfc/llcp_sock.c @@ -776,6 +776,7 @@ static int llcp_sock_connect(struct socket *sock, struct sockaddr *_addr, llcp_sock->local = NULL; put_dev: + llcp_sock->dev = NULL; nfc_put_device(dev); error: -- 2.25.1
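Review bot: The added `llcp_sock->dev = NULL;` sits under the `put_dev:` label ahead of `nfc_put_device(dev);`, which is the right order because the put takes the local `dev` variable rather than the socket field; please confirm that in this tree every error path that has already stored `dev` into `llcp_sock->dev` unwinds through `put_dev:` and none jumps straight to `error:`, since a path that skips the label would still leave a stale pointer behind a failed connect() and the validity checks the commit message mentions would then pass on a dead socket. It would also help reviewers of the backport if the header named the call sites that test `llcp_sock->dev` for non-NULL (the referenced fix 4ac06a1e013c points at llcp_sock_getname()), so the bugfix/CVE classification is traceable from the change itself rather than only from the mainline commit.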