* [PATCH] atm: fix skb leak in sigd_send() on a closing listen socket
@ 2026-06-11 16:38 Weiming Shi
  2026-06-12 23:12 ` Jakub Kicinski
  0 siblings, 1 reply; 2+ messages in thread
From: Weiming Shi @ 2026-06-11 16:38 UTC (permalink / raw)
  To: David S . Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni
  Cc: Simon Horman, netdev, linux-kernel, Xiang Mei, Weiming Shi

In the as_indicate path, sigd_send() pins the listening socket with
find_get_vcc() and queues the skb on its receive queue under lock_sock().
It does not check whether the socket is being torn down. If the listener
is closed concurrently, vcc_destroy_socket() purges the receive queue
once under lock_sock() and removes the socket from vcc_hash; the final
free goes through __sk_destruct() -> vcc_sock_destruct(), which does not purge.
A skb queued after that purge is therefore leaked.

Recheck ATM_VF_CLOSE under lock_sock() before queuing and drop the skb if
the socket is closing. ATM_VF_CLOSE is set by vcc_destroy_socket() under
the same lock, so the check is serialised against the purge.

Reaching this requires an attached signalling daemon (CAP_NET_ADMIN and
CAP_SYS_RAWIO), as only the daemon emits as_indicate.

Fixes: ae88a5d2f29b ("net: atm: fix crash due to unvalidated vcc pointer in sigd_send()")
Tested-by: Xiang Mei <xmei5@asu.edu>
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Link: https://lore.kernel.org/all/aigrk5B3VzaWgKIF@Air.local/
---
 net/atm/signaling.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net/atm/signaling.c b/net/atm/signaling.c
index 358fbe5e4d1d0..cb80b5a9d8452 100644
--- a/net/atm/signaling.c
+++ b/net/atm/signaling.c
@@ -150,6 +150,11 @@ static int sigd_send(struct atm_vcc *vcc, struct sk_buff *skb)
 		sk = sk_atm(vcc);
 		pr_debug("as_indicate!!!\n");
 		lock_sock(sk);
+		/* Don't queue onto a closing listener; the skb would leak. */
+		if (test_bit(ATM_VF_CLOSE, &vcc->flags)) {
+			dev_kfree_skb(skb);
+			goto as_indicate_complete;
+		}
 		if (sk_acceptq_is_full(sk)) {
 			sigd_enq(NULL, as_reject, vcc, NULL, NULL);
 			dev_kfree_skb(skb);
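Review bot: the new ATM_VF_CLOSE branch frees the skb silently, whereas the sk_acceptq_is_full() branch directly below it first answers the daemon with sigd_enq(NULL, as_reject, vcc, NULL, NULL) before dev_kfree_skb(skb). If the daemon expects a response to every as_indicate it emits, this path should send the same as_reject before freeing; if the listener's own close already notifies the daemon and a reject would be redundant, extend the comment to say so, since two adjacent drop paths that differ only in whether they reply otherwise read as an oversight.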
-- 
2.43.0
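The interleaving the commit message describes (queue under lock_sock(), a concurrent vcc_destroy_socket() purge, and a final destructor that does not purge) reduced to a user-space C model, so the leak and the effect of the ATM_VF_CLOSE recheck can be observed. This is an added example, not code from the patch or from net/atm: every name in it (listener, buf, lock()/unlock(), listener_close(), listener_free(), indicate(), run_scenario(), live_bufs) is a stand-in chosen for this model, and its lock is a single-threaded stand-in for lock_sock() that only asserts it is never taken twice.

```c
/*
 * Added user-space model (not kernel code) of the race this patch closes.
 * Names are this example's stand-ins: listener for the listening socket,
 * buf for sk_buff, lock()/unlock() for lock_sock()/release_sock(), closing
 * for ATM_VF_CLOSE, listener_close()/listener_free() for
 * vcc_destroy_socket()/vcc_sock_destruct(), indicate() for as_indicate.
 */
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

struct buf { struct buf *next; };

struct listener {
	bool locked;		/* lock_sock() stand-in; asserts catch misuse */
	bool closing;		/* ATM_VF_CLOSE stand-in */
	struct buf *queue;	/* sk_receive_queue stand-in */
};

static int live_bufs;		/* allocations minus frees, audits the model */

static void lock(struct listener *l) { assert(!l->locked); l->locked = true; }
static void unlock(struct listener *l) { assert(l->locked); l->locked = false; }

static struct buf *buf_alloc(void)
{
	struct buf *b = calloc(1, sizeof(*b));
	assert(b); live_bufs++;
	return b;
}

static void buf_free(struct buf *b) { free(b); live_bufs--; }

static struct buf *dequeue(struct listener *l)
{
	struct buf *b = l->queue;
	if (b)
		l->queue = b->next;
	return b;
}

/* vcc_destroy_socket() stand-in: set closing and purge, both under the lock. */
static void listener_close(struct listener *l)
{
	struct buf *b;
	lock(l);
	l->closing = true;
	while ((b = dequeue(l)))
		buf_free(b);
	unlock(l);
}

/*
 * vcc_sock_destruct() stand-in: the final free does not purge. Returns how
 * many buffers were still queued (what the kernel would leak); the model
 * reclaims them afterwards only so that the demo itself stays leak-clean.
 */
static int listener_free(struct listener *l)
{
	struct buf *b;
	int leaked = 0;
	while ((b = dequeue(l))) {
		leaked++;
		buf_free(b);
	}
	free(l);
	return leaked;
}

/* as_indicate stand-in: 0 if queued, -1 if dropped by the patch's recheck. */
static int indicate(struct listener *l, struct buf *b, bool recheck_close)
{
	int ret = 0;
	lock(l);
	if (recheck_close && l->closing) {
		buf_free(b);		/* the new branch added by the patch */
		ret = -1;
	} else {
		b->next = l->queue;	/* order is irrelevant to the model */
		l->queue = b;
	}
	unlock(l);
	return ret;
}

/*
 * The interleaving from the commit message: an indicate before the close
 * (purged correctly), the close, then one that lands after the purge.
 * Returns the number of buffers the final free would leak.
 */
static int run_scenario(bool recheck_close)
{
	struct listener *l = calloc(1, sizeof(*l));
	assert(l);
	indicate(l, buf_alloc(), recheck_close);
	listener_close(l);
	indicate(l, buf_alloc(), recheck_close);
	return listener_free(l);
}

int main(void)
{
	printf("without recheck: %d leaked\n", run_scenario(false));
	printf("with recheck:    %d leaked\n", run_scenario(true));
	return live_bufs != 0;
}
```

run_scenario(false) reproduces the leak (one buffer still queued when the final free runs); run_scenario(true) applies the patch's recheck and drops the racing buffer under the lock, so nothing is left behind. The model is deliberately single-threaded: it replays the losing interleaving deterministically instead of racing threads, which is the form that is actually useful as a regression check for ordering bugs of this kind.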

