From: Hillf Danton <hdanton@sina.com>
To: Deepanshu Kartikey <kartikey406@gmail.com>
Cc: edumazet@google.com, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org,
syzbot+f50072212ab792c86925@syzkaller.appspotmail.com
Subject: Re: [PATCH v2] atm: lec: fix use-after-free in sock_def_readable()
Date: Sat, 14 Mar 2026 10:53:50 +0800 [thread overview]
Message-ID: <20260314025418.958-1-hdanton@sina.com> (raw)
In-Reply-To: <CADhLXY7LcCFzJEcxoVG44AvpcV3x-o36xOxTdQhktihDVeXyAg@mail.gmail.com>
On Thu, 12 Mar 2026 06:33:53 +0530 Deepanshu Kartikey wrote:
> On Tue, Mar 10, 2026 at 8:48 AM Hillf Danton <hdanton@sina.com> wrote:
> >
> > At this point priv->lecd is no longer used, so why not make lecd valid
> > throughout the lifespan of priv and free it after stopping dev queue,
> > instead of the tedious rcu trick?
> >
>
> Thank you for the suggestion.
>
> I investigated this approach. While netif_stop_queue() stops
> the TX path and cancel_delayed_work_sync() in lec_arp_destroy()
> stops lec_arp_work, the bug is actually triggered from
> mld_ifc_work (IPv6 multicast workqueue) which calls:
>
> mld_ifc_work -> mld_sendpack -> ip6_output
> -> lec_start_xmit -> lec_arp_resolve -> send_to_lecd
>
> This workqueue belongs to the IPv6 multicast subsystem and
> is completely outside ATM/LEC control. Neither
> netif_stop_queue() nor lec_arp_destroy() can stop it, so
> simply reordering the calls in lec_atm_close() would not
> fix the race.
>
> The RCU approach with synchronize_rcu() ensures ALL callers
> including mld_ifc_work have finished before priv->lecd is
> cleared.
>
After another look the uaf [1] is due to the race
vcc_release() mld_sendpack()
--- ---
ip6_output()
__dev_queue_xmit()
rcu_read_lock_bh(); // rcu section
__dev_xmit_skb()
netdev_start_xmit()
lec_start_xmit()
if (!priv->lecd) { // check lecd
kfree_skb(skb);
return NETDEV_TX_OK;
}
vcc_destroy_socket()
vcc->dev->ops->close(vcc);
lec_atm_close()
priv->lecd = NULL; // clear lecd
netif_stop_queue(dev);
sock_put() // free sock
lec_arp_resolve()
send_to_lecd()
sock_def_readable() // uaf
and syncing rcu after clearing lecd is the correct fix because lecd is checked
with rcu lock held.
[1] Subject: [syzbot] [net?] KASAN: slab-use-after-free Read in sock_def_readable (2)
https://lore.kernel.org/all/69ad7ccb.a00a0220.b130.0003.GAE@google.com/
next prev parent reply other threads:[~2026-03-14 2:54 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-09 15:59 [PATCH v2] atm: lec: fix use-after-free in sock_def_readable() Deepanshu Kartikey
2026-03-10 3:18 ` Hillf Danton
2026-03-12 1:03 ` Deepanshu Kartikey
2026-03-14 2:53 ` Hillf Danton [this message]
2026-03-14 12:00 ` Deepanshu Kartikey
2026-03-14 12:10 ` Eric Dumazet
2026-03-14 15:40 ` patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260314025418.958-1-hdanton@sina.com \
--to=hdanton@sina.com \
--cc=edumazet@google.com \
--cc=kartikey406@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=syzbot+f50072212ab792c86925@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.