[PATCH net] nfc: clear active_target when the target list is replaced


Yinhao Hu

Jun 27, 2026, 11:32:17 AM
to net...@vger.kernel.org, da...@ixit.cz, da...@davemloft.net, edum...@google.com, ku...@kernel.org, pab...@redhat.com, ho...@kernel.org, dz...@hust.edu.cn, hust-os-ker...@googlegroups.com, Yinhao Hu
nfc_activate_target() and nfc_dep_link_up() cache dev->active_target as a
raw pointer into the dev->targets array. When a later poll reports new
targets, nfc_targets_found() frees and replaces dev->targets but does not
clear dev->active_target, so the cached pointer is left dangling into
freed memory. Any subsequent NFC core path that dereferences
dev->active_target->idx then reads the freed memory, e.g.
nfc_deactivate_target(), nfc_data_exchange().

When nfc_targets_found() is about to free the current target array, clear
dev->active_target if it points into that array, and tear down the
associated active state (stop the presence-check timer, drop the DEP link
and reset the RF mode) as nfc_deactivate_target() does.

Fixes: 900994332675 ("NFC: Cache the core NFC active target pointer instead of its index")
Signed-off-by: Yinhao Hu <ddd...@hust.edu.cn>
---
net/nfc/core.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)

diff --git a/net/nfc/core.c b/net/nfc/core.c
index a92a6566e6a0..950807906645 100644
--- a/net/nfc/core.c
+++ b/net/nfc/core.c
@@ -786,6 +786,21 @@ int nfc_targets_found(struct nfc_dev *dev,

dev->targets_generation++;

+ if (dev->active_target && dev->targets) {
+ for (i = 0; i < dev->n_targets; i++) {
+ if (dev->active_target != &dev->targets[i])
+ continue;
+
+ if (dev->ops->check_presence)
+ timer_delete_sync(&dev->check_pres_timer);
+
+ dev->active_target = NULL;
+ dev->dep_link_up = false;
+ dev->rf_mode = NFC_RF_NONE;
+ break;
+ }
+ }
+
kfree(dev->targets);
dev->targets = NULL;
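Review bot: the teardown in this hunk resets dev->dep_link_up and dev->rf_mode directly but makes no call into dev->ops or the LLCP layer, so the driver and any upper layer holding DEP state are not told that the link went away; either route this through the existing link-down/deactivate path or state in the commit message why a silent reset of the core's fields is sufficient here. The membership test over `dev->targets[i]` is correct as written; an address-range comparison against `dev->targets` and `dev->targets + dev->n_targets` would drop the loop, but the loop form is clearer and acceptable.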

--
2.43.0
