From: syzbot <syzbot+e1d2b89a60c8bb9a7f33@syzkaller.appspotmail.com>
To: s9430939@naver.com
Cc: s9430939@naver.com, linux-kernel@vger.kernel.org,
syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [net?] KASAN: null-ptr-deref Write in send_to_lecd
Date: Sun, 19 Apr 2026 09:07:50 -0700
Message-ID: <69e4fdd6.a00a0220.1bd0ca.005a.GAE@google.com>
In-Reply-To: <aeT90iYRUqJgbOTO@JMW-Ubuntu>
> #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 014441d1e4b2
This crash does not have a reproducer. I cannot test it.
>
> net: atm: lec: fix null-ptr-deref in send_to_lecd
>
> A null pointer dereference occurs in send_to_lecd() when accessing
> priv->lecd. Although priv->lecd is checked at the function's entry,
> it can be cleared by lec_atm_close() before it is actually used.
>
> Use READ_ONCE() to load priv->lecd into a local variable and check
> it before use.
>
> Reported-by: syzbot+e1d2b89a60c8bb9a7f33@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=e1d2b89a60c8bb9a7f33
> Signed-off-by: Minu Jin <s9430939@naver.com>
>
> ---
> net/atm/lec.c | 14 ++++++++++----
> 1 file changed, 10 insertions(+), 4 deletions(-)
>
> diff --git a/net/atm/lec.c b/net/atm/lec.c
> index fb93c6e1c329..34f4c32acadb 100644
> --- a/net/atm/lec.c
> +++ b/net/atm/lec.c
> @@ -512,10 +512,16 @@ send_to_lecd(struct lec_priv *priv, atmlec_msg_type type,
> {
> struct sock *sk;
> struct sk_buff *skb;
> + struct atm_vcc *lecd;
> struct atmlec_msg *mesg;
>
> - if (!priv || !priv->lecd)
> + if (!priv)
> return -1;
> +
> + lecd = READ_ONCE(priv->lecd);
> + if (!lecd)
> + return -1;
> +
> skb = alloc_skb(sizeof(struct atmlec_msg), GFP_ATOMIC);
> if (!skb)
> return -1;
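Review bot: At "lecd = READ_ONCE(priv->lecd);" the snapshot stops the second fetch from returning NULL, but nothing in this hunk keeps the vcc alive after the load. The commit message says lec_atm_close() can clear priv->lecd concurrently; if the vcc can also be released once it is cleared, the local pointer turns the NULL dereference into a possible use-after-free. Please say in the commit message what guarantees the lifetime (a lock held by callers, RCU, or a reference), and pair the load with WRITE_ONCE() on the store in lec_atm_close() so the annotation is symmetric. If no such guarantee exists, an rcu_read_lock()/rcu_dereference() section or a held reference is needed rather than READ_ONCE() alone.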
> @@ -532,14 +538,14 @@ send_to_lecd(struct lec_priv *priv, atmlec_msg_type type,
> if (atm_addr)
> memcpy(&mesg->content.normal.atm_addr, atm_addr, ATM_ESA_LEN);
>
> - atm_force_charge(priv->lecd, skb->truesize);
> - sk = sk_atm(priv->lecd);
> + atm_force_charge(lecd, skb->truesize);
> + sk = sk_atm(lecd);
> skb_queue_tail(&sk->sk_receive_queue, skb);
> sk->sk_data_ready(sk);
>
> if (data != NULL) {
> pr_debug("about to send %d bytes of data\n", data->len);
> - atm_force_charge(priv->lecd, data->truesize);
> + atm_force_charge(lecd, data->truesize);
> skb_queue_tail(&sk->sk_receive_queue, data);
> sk->sk_data_ready(sk);
> }
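Review bot: From "sk = sk_atm(lecd);" onward, sk is derived from the snapshot and then used by skb_queue_tail() and sk->sk_data_ready(sk) twice, with the alloc_skb() and memcpy() from the earlier lines sitting between the load and these uses. That is a wide window for the close path to run in. Whatever protection is chosen for the load should cover the whole span down to the last sk->sk_data_ready(sk) in the "if (data != NULL)" block, and the error paths need to drop it as well. Since syzbot reports no reproducer for this crash, the changelog should also explain how the fix was validated.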
> --
> 2.43.0