nfc/nci: fix race with opening and closing

f0rm2l1n · davem330 · commit 0ad6bded175e · 2022-11-18T12:37:11.000Z
Previously we leverage NCI_UNREG and the lock inside nci_close_device to prevent the race condition between opening a device and closing a device. However, it still has problem because a failed opening command will erase the NCI_UNREG flag and allow another opening command to bypass the status checking. This fix corrects that by making sure the NCI_UNREG is held. Reported-by: syzbot+43475bf3cfbd6e41f5b7@syzkaller.appspotmail.com Fixes: 48b71a9 ("NFC: add NCI_UNREG flag to eliminate the race") Signed-off-by: Lin Ma <linma@zju.edu.cn> Signed-off-by: David S. Miller <davem@davemloft.net>
diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c
@@ -542,7 +542,7 @@ static int nci_open_device(struct nci_dev *ndev)
 		skb_queue_purge(&ndev->tx_q);
 
 		ndev->ops->close(ndev);
-		ndev->flags = 0;
+		ndev->flags &= BIT(NCI_UNREG);
 	}
 
 done:

Original file line number	Diff line number	Diff line change
`@@ -542,7 +542,7 @@ static int nci_open_device(struct nci_dev *ndev)`
`542`	`542`	`skb_queue_purge(&ndev->tx_q);`
`543`	`543`
`544`	`544`	`ndev->ops->close(ndev);`
`545`		`- ndev->flags = 0;`
	`545`	`+ ndev->flags &= BIT(NCI_UNREG);`
`546`	`546`	`}`
`547`	`547`
`548`	`548`	`done:`