2 files changed, 59 insertions, 18 deletions
diff --git a/net/nfc/llcp/llcp.c b/net/nfc/llcp/llcp.c
index 7f8266dd14cb..ee25f25f0cd6 100644
--- a/net/nfc/llcp/llcp.c
+++ b/net/nfc/llcp/llcp.c
@@ -68,7 +68,8 @@ static void nfc_llcp_socket_purge(struct nfc_llcp_sock *sock)
        }
 }
-static void nfc_llcp_socket_release(struct nfc_llcp_local *local, bool listen)
+static void nfc_llcp_socket_release(struct nfc_llcp_local *local, bool listen,
+                                    int err)
 {
        struct sock *sk;
        struct hlist_node *tmp;
@@ -100,11 +101,12 @@ static void nfc_llcp_socket_release(struct nfc_llcp_local *local, bool listen)
                                nfc_llcp_accept_unlink(accept_sk);
+                                if (err)
+                                        accept_sk->sk_err = err;
                                accept_sk->sk_state = LLCP_CLOSED;
+                                accept_sk->sk_state_change(sk);
                                bh_unlock_sock(accept_sk);
-                                sock_orphan(accept_sk);
                        }
                        if (listen == true) {
@@ -123,16 +125,45 @@ static void nfc_llcp_socket_release(struct nfc_llcp_local *local, bool listen)
                        continue;
                }
+                if (err)
+                        sk->sk_err = err;
                sk->sk_state = LLCP_CLOSED;
+                sk->sk_state_change(sk);
                bh_unlock_sock(sk);
-                sock_orphan(sk);
                sk_del_node_init(sk);
        }
        write_unlock(&local->sockets.lock);
+        /*
+         * If we want to keep the listening sockets alive,
+         * we don't touch the RAW ones.
+         */
+        if (listen == true)
+                return;
+        write_lock(&local->raw_sockets.lock);
+        sk_for_each_safe(sk, tmp, &local->raw_sockets.head) {
+                llcp_sock = nfc_llcp_sock(sk);
+                bh_lock_sock(sk);
+                nfc_llcp_socket_purge(llcp_sock);
+                if (err)
+                        sk->sk_err = err;
+                sk->sk_state = LLCP_CLOSED;
+                sk->sk_state_change(sk);
+                bh_unlock_sock(sk);
+                sk_del_node_init(sk);
+        }
+        write_unlock(&local->raw_sockets.lock);
 }
 struct nfc_llcp_local *nfc_llcp_local_get(struct nfc_llcp_local *local)
@@ -142,20 +173,25 @@ struct nfc_llcp_local *nfc_llcp_local_get(struct nfc_llcp_local *local)
        return local;
 }
-static void local_release(struct kref *ref)
+static void local_cleanup(struct nfc_llcp_local *local, bool listen)
 {
-        struct nfc_llcp_local *local;
+        nfc_llcp_socket_release(local, listen, ENXIO);
-        local = container_of(ref, struct nfc_llcp_local, ref);
-        list_del(&local->list);
-        nfc_llcp_socket_release(local, false);
        del_timer_sync(&local->link_timer);
        skb_queue_purge(&local->tx_queue);
        cancel_work_sync(&local->tx_work);
        cancel_work_sync(&local->rx_work);
        cancel_work_sync(&local->timeout_work);
        kfree_skb(local->rx_pending);
+}
+static void local_release(struct kref *ref)
+{
+        struct nfc_llcp_local *local;
+        local = container_of(ref, struct nfc_llcp_local, ref);
+        list_del(&local->list);
+        local_cleanup(local, false);
        kfree(local);
 }
@@ -785,7 +821,6 @@ static void nfc_llcp_recv_ui(struct nfc_llcp_local *local,
                skb_get(skb);
        } else {
                pr_err("Receive queue is full\n");
-                kfree_skb(skb);
        }
        nfc_llcp_sock_put(llcp_sock);
@@ -986,7 +1021,6 @@ static void nfc_llcp_recv_hdlc(struct nfc_llcp_local *local,
                        skb_get(skb);
                } else {
                        pr_err("Receive queue is full\n");
-                        kfree_skb(skb);
                }
        }
@@ -1348,7 +1382,7 @@ void nfc_llcp_mac_is_down(struct nfc_dev *dev)
                return;
        /* Close and purge all existing sockets */
-        nfc_llcp_socket_release(local, true);
+        nfc_llcp_socket_release(local, true, 0);
 }
 void nfc_llcp_mac_is_up(struct nfc_dev *dev, u32 target_idx,
@@ -1427,6 +1461,8 @@ void nfc_llcp_unregister_device(struct nfc_dev *dev)
                return;
        }
+        local_cleanup(local, false);
        nfc_llcp_local_put(local);
 }
diff --git a/net/nfc/llcp/sock.c b/net/nfc/llcp/sock.c
index 5332751943a9..6c94447ec414 100644
--- a/net/nfc/llcp/sock.c
+++ b/net/nfc/llcp/sock.c
@@ -270,7 +270,9 @@ struct sock *nfc_llcp_accept_dequeue(struct sock *parent,
                }
                if (sk->sk_state == LLCP_CONNECTED || !newsock) {
-                        nfc_llcp_accept_unlink(sk);
+                        list_del_init(&lsk->accept_queue);
+                        sock_put(sk);
                        if (newsock)
                                sock_graft(sk, newsock);
@@ -278,6 +280,8 @@ struct sock *nfc_llcp_accept_dequeue(struct sock *parent,
                        pr_debug("Returning sk state %d\n", sk->sk_state);
+                        sk_acceptq_removed(parent);
                        return sk;
                }
@@ -462,8 +466,6 @@ static int llcp_sock_release(struct socket *sock)
                        nfc_llcp_accept_unlink(accept_sk);
                        release_sock(accept_sk);
-                        sock_orphan(accept_sk);
                }
        }
@@ -644,6 +646,8 @@ static int llcp_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
        pr_debug("%p %zu\n", sk, len);
+        msg->msg_namelen = 0;
        lock_sock(sk);
        if (sk->sk_state == LLCP_CLOSED &&
@@ -689,6 +693,7 @@ static int llcp_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
                pr_debug("Datagram socket %d %d\n", ui_cb->dsap, ui_cb->ssap);
+                memset(sockaddr, 0, sizeof(*sockaddr));
                sockaddr->sa_family = AF_NFC;
                sockaddr->nfc_protocol = NFC_PROTO_NFC_DEP;
                sockaddr->dsap = ui_cb->dsap;