CVE-2026-23150

Source: https://cve.org/CVERecord?id=CVE-2026-23150
Import Source: https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23150.json
JSON Data: https://api.osv.dev/v1/vulns/CVE-2026-23150
Published: 2026-02-14T16:01:18.968Z
Modified: 2026-04-02T17:29:35.996552913Z
Summary
nfc: llcp: Fix memleak in nfc_llcp_send_ui_frame().
Details

In the Linux kernel, the following vulnerability has been resolved:

nfc: llcp: Fix memleak in nfc_llcp_send_ui_frame().

syzbot reported various memory leaks related to NFC, struct nfc_llcp_sock, sk_buff, nfc_dev, etc. [0]

The leading log hinted that nfc_llcp_send_ui_frame() failed to allocate skb due to sock_error(sk) being -ENXIO.

ENXIO is set by nfc_llcp_socket_release() when struct nfc_llcp_local is destroyed by local_cleanup().

The problem is that there is no synchronisation between nfc_llcp_send_ui_frame() and local_cleanup(), and skb could be put into local->tx_queue after it was purged in local_cleanup():

  CPU1                          CPU2
  ----                          ----
  nfc_llcp_send_ui_frame()      local_cleanup()
  |- do {                       '
     |- pdu = nfc_alloc_send_skb(..., &err)
     |                          .
     |                          |- nfc_llcp_socket_release(local, false, ENXIO);
     |                          |- skb_queue_purge(&local->tx_queue);      |
     |                          '                                          |
     |- skb_queue_tail(&local->tx_queue, pdu);                             |
    ...                                                                    |
     |- pdu = nfc_alloc_send_skb(..., &err)                                |
                                       ^._________________________________.'

local_cleanup() is called for struct nfc_llcp_local only after nfc_llcp_remove_local() unlinks it from llcp_devices.

If we hold local->tx_queue.lock then, we can synchronise the thread and nfc_llcp_send_ui_frame().

Let's do that and check list_empty(&local->list) before queuing skb to local->tx_queue in nfc_llcp_send_ui_frame().

[ 64.318868][ T5813] kmemleak: 6 new suspected memory leaks (see /sys/kernel/debug/kmemleak)
BUG: memory leak
unreferenced object 0xffff8881272f6800 (size 1024):
  comm "syz.0.17", pid 6096, jiffies 4294942766
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    27 00 03 40 00 00 00 00 00 00 00 00 00 00 00 00  '..@............
  backtrace (crc da58d84d):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4979 [inline]
    slab_alloc_node mm/slub.c:5284 [inline]
    __do_kmalloc_node mm/slub.c:5645 [inline]
    __kmalloc_noprof+0x3e3/0x6b0 mm/slub.c:5658
    kmalloc_noprof include/linux/slab.h:961 [inline]
    sk_prot_alloc+0x11a/0x1b0 net/core/sock.c:2239
    sk_alloc+0x36/0x360 net/core/sock.c:2295
    nfc_llcp_sock_alloc+0x37/0x130 net/nfc/llcp_sock.c:979
    llcp_sock_create+0x71/0xd0 net/nfc/llcp_sock.c:1044
    nfc_sock_create+0xc9/0xf0 net/nfc/af_nfc.c:31
    __sock_create+0x1a9/0x340 net/socket.c:1605
    sock_create net/socket.c:1663 [inline]
    __sys_socket_create net/socket.c:1700 [inline]
    __sys_socket+0xb9/0x1a0 net/socket.c:1747
    __do_sys_socket net/socket.c:1761 [inline]
    __se_sys_socket net/socket.c:1759 [inline]
    __x64_sys_socket+0x1b/0x30 net/socket.c:1759
    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
    do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff88810fbd9800 (size 240):
  comm "syz.0.17", pid 6096, jiffies 4294942850
  hex dump (first 32 bytes):
    68 f0 ff 08 81 88 ff ff 68 f0 ff 08 81 88 ff ff  h.......h.......
    00 00 00 00 00 00 00 00 00 68 2f 27 81 88 ff ff  .........h/'....
  backtrace (crc 6cc652b1):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4979 [inline]
    slab_alloc_node mm/slub.c:5284 [inline]
    kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5336
    __alloc_skb+0x203/0x240 net/core/skbuff.c:660
    alloc_skb include/linux/skbuff.h:1383 [inline]
    alloc_skb_with_frags+0x69/0x3f0 net/core/sk ---truncated---
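The check the commit message describes (take the queue lock, test whether the object is still linked, and only then queue) can be modelled in userspace. This is an added example, not the kernel patch and not code from this record; `llcp_local_model`, `model_send()`, `model_cleanup()`, the `linked` flag and the `-ENXIO` return value are assumptions made for the model, which also folds the unlink step into the teardown critical section.

```c
#include <errno.h>
#include <pthread.h>
#include <stdbool.h>
#include <stdlib.h>

/* Userspace model: every name below is hypothetical, not a kernel symbol. */
struct pdu { struct pdu *next; };
struct llcp_local_model {
    pthread_mutex_t tx_lock;  /* stands in for local->tx_queue.lock */
    struct pdu *tx_head;      /* stands in for local->tx_queue */
    bool linked;              /* stands in for !list_empty(&local->list) */
};
static int live_pdus;         /* buffers allocated and not yet freed */

static struct pdu *pdu_alloc(void) {
    struct pdu *p = calloc(1, sizeof(*p));
    if (p) live_pdus++;
    return p;
}
static void pdu_free(struct pdu *p) { free(p); live_pdus--; }

/* Teardown: mark unlinked and purge the queue in one critical section. */
static void model_cleanup(struct llcp_local_model *l) {
    pthread_mutex_lock(&l->tx_lock);
    l->linked = false;
    for (struct pdu *p; (p = l->tx_head); pdu_free(p))
        l->tx_head = p->next;
    pthread_mutex_unlock(&l->tx_lock);
}

/* Sender: decide under the same lock; never queue after the purge. */
static int model_send(struct llcp_local_model *l) {
    struct pdu *p = pdu_alloc();
    if (!p) return -ENOMEM;
    pthread_mutex_lock(&l->tx_lock);
    bool ok = l->linked;
    if (ok) { p->next = l->tx_head; l->tx_head = p; }
    pthread_mutex_unlock(&l->tx_lock);
    if (!ok) pdu_free(p);     /* no later purge would ever free it */
    return ok ? 0 : -ENXIO;   /* error value chosen for this model */
}

/* Send, tear down, send again; returns the number of leaked buffers. */
static int model_demo(void) {
    struct llcp_local_model l = { .tx_lock = PTHREAD_MUTEX_INITIALIZER, .linked = true };
    int before = model_send(&l), queued = live_pdus;
    model_cleanup(&l);
    int after = model_send(&l);
    return (before == 0 && queued == 1 && after == -ENXIO && !l.tx_head) ? live_pdus : -1;
}
int main(void) { return model_demo() == 0 ? 0 : 1; }
```

Without the `linked` test inside the critical section, the second `model_send()` would leave one buffer on a queue that is never purged again, which is the leak pattern kmemleak reported.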

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23150.json",
    "cna_assigner": "Linux"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events:
Introduced: 94f418a206648c9be6fd84d6681d6956b8f8b106
Fixed: ab660cb8e17aa93426d1e821c2cce60e4b9bc56a
Fixed: 65e976e1f474ae3bf5681d7abafb8f3fdb34b8cc
Fixed: 6734ff1ac6beba1d0c22dc9a3dc1849b773b511f
Fixed: f8d002626d434f5fea9085e2557711c16a15cec6
Fixed: 3098e5c8af0f4c8f7eebbb370798df8aa2e12ba5
Fixed: 61858cbce6ca4bef9ed116c689a4be9520841339
Fixed: 165c34fb6068ff153e3fc99a932a80a9d5755709

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23150.json"