From: Weiming Shi
To: Chas Williams <3chas3@gmail.com>, netdev@vger.kernel.org
Cc: "David S . Miller", Jakub Kicinski, Paolo Abeni, Eric Dumazet, Simon Horman, linux-atm-general@lists.sourceforge.net, linux-kernel@vger.kernel.org, Xiang Mei, Weiming Shi
Subject: [PATCH net] net: atm: fix use-after-free in sigd_put_skb()
Date: Thu, 4 Jun 2026 09:49:17 -0700
Message-ID: <20260604164916.2681964-2-bestswngs@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

sigd_put_skb() delivers a signalling message to the daemon socket named by the global @sigd pointer, ending in a call to sk_data_ready(). It reads @sigd with no synchronisation, so it can race with a close of the daemon socket: sigd_close() clears @sigd and the socket is then torn down and freed.

Holding a reference on the socket is not enough to make this safe. The daemon fd close runs __sock_release(), which frees the struct socket -- and the wait queue that sk->sk_wq points at -- via iput() once ->release() has returned. sk_data_ready() (sock_def_readable()) then dereferences a freed sk_wq:

Oops: general protection fault, probably for non-canonical address 0xdffffc0000000031: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000188-0x000000000000018f]
RIP: 0010:sigd_put_skb (net/atm/signaling.c:65)
 sigd_enq2 (net/atm/signaling.c:228)
 sigd_enq (net/atm/signaling.c:237)
 svc_bind (net/atm/svc.c:135)
 __sys_bind
 __x64_sys_bind
 do_syscall_64

Fix it on both sides. sigd_close() now calls sock_orphan(), which under sk_callback_lock sets SOCK_DEAD and clears sk_wq before the socket is freed.
sigd_put_skb() latches @sigd with READ_ONCE(), pins the socket with find_get_vcc(), and then takes sk_callback_lock; if the socket is already SOCK_DEAD it drops the skb, otherwise it delivers while the lock keeps sk_wq valid.

sk_callback_lock is used rather than lock_sock() because sigd_put_skb() can be reached from vcc_sendmsg() -> sigd_send(), which already holds lock_sock() on the daemon socket.

Triggering the race requires CAP_NET_ADMIN and CAP_SYS_RAWIO to attach the daemon.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Xiang Mei
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Weiming Shi
---
 net/atm/signaling.c | 28 ++++++++++++++++++++++++----
 1 file changed, 24 insertions(+), 4 deletions(-)

diff --git a/net/atm/signaling.c b/net/atm/signaling.c index b991d937205a..3dbe8e0fdc9a 100644 --- a/net/atm/signaling.c +++ b/net/atm/signaling.c @@ -54,14 +54,31 @@ static struct atm_vcc *find_get_vcc(struct atm_vcc *vcc) =20 static void sigd_put_skb(struct sk_buff *skb) { - if (!sigd) { + struct atm_vcc *vcc; + struct sock *sk; + + vcc =3D find_get_vcc(READ_ONCE(sigd)); + if (!vcc) { pr_debug("atmsvc: no signaling daemon\n"); kfree_skb(skb); return; } - atm_force_charge(sigd, skb->truesize); - skb_queue_tail(&sk_atm(sigd)->sk_receive_queue, skb); - sk_atm(sigd)->sk_data_ready(sk_atm(sigd)); + sk =3D sk_atm(vcc); + + /* Pairs with sock_orphan() in sigd_close(). */ + read_lock_bh(&sk->sk_callback_lock); + if (sock_flag(sk, SOCK_DEAD)) { + read_unlock_bh(&sk->sk_callback_lock); + sock_put(sk); + kfree_skb(skb); + return; + } + atm_force_charge(vcc, skb->truesize); + skb_queue_tail(&sk->sk_receive_queue, skb); + sk->sk_data_ready(sk); + read_unlock_bh(&sk->sk_callback_lock); + + sock_put(sk); } =20 static void modify_qos(struct atm_vcc *vcc, struct atmsvc_msg *msg)
@@ -258,6 +275,9 @@ static void sigd_close(struct atm_vcc *vcc) pr_err("closing with requests pending\n"); skb_queue_purge(&sk_atm(vcc)->sk_receive_queue); =20 + /* Make a concurrent sigd_put_skb() observe SOCK_DEAD and bail. */ + sock_orphan(sk_atm(vcc)); + read_lock(&vcc_sklist_lock); for (i =3D 0; i < VCC_HTABLE_SIZE; ++i) { struct hlist_head *head =3D &vcc_hash[i]; --=20 2.43.0
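Review bot: in the sigd_put_skb() hunk, the new SOCK_DEAD bail-out drops the message silently while the `!vcc` path just above it still logs `pr_debug("atmsvc: no signaling daemon\n")`; give the dead path a matching pr_debug so a daemon that closed mid-request can be told apart from one that was never attached. Two further things deserve a line next to the code rather than only in the commit message: the `sock_put(sk)` on both exits balances the hold taken by find_get_vcc(), and correctness now depends on find_get_vcc() returning NULL when `READ_ONCE(sigd)` is NULL, since the explicit `if (!sigd)` test is gone; a short comment at `vcc = find_get_vcc(READ_ONCE(sigd));` stops a later change to find_get_vcc() from reintroducing a NULL dereference. Note also that `sk->sk_data_ready(sk)` is now invoked with `sk_callback_lock` held for reading in BH-disabled context, so the callback must not sleep; sock_def_readable() is fine with that, but the comment above the read_lock_bh() could state the constraint.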
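Review bot: in the sigd_close() hunk, `sock_orphan(sk_atm(vcc))` is placed after `skb_queue_purge(&sk_atm(vcc)->sk_receive_queue)`, so a sigd_put_skb() that latched @sigd before it was cleared and takes sk_callback_lock between the purge and the orphan can still queue an skb onto the freshly purged receive queue, where neither the purge nor the "closing with requests pending" check covers it. Moving the sock_orphan() call, with its comment, above the skb_peek()/skb_queue_purge() pair closes that window, since every later sigd_put_skb() then observes SOCK_DEAD and drops its skb itself. Separately, the reader side now uses `READ_ONCE(sigd)`; the store that clears @sigd at the top of sigd_close() (outside this hunk, described in the commit message) should become `WRITE_ONCE(sigd, NULL)` so the pair is annotated consistently.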
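The interleaving the commit message describes, and the check-under-lock pattern the patch adopts, as a single-threaded user-space model. This is an added example, not kernel code and not part of the patch: struct sock, sigd, sock_orphan(), sigd_latch(), sigd_deliver() and daemon_close() are constructed stand-ins that only mirror the kernel names, the rwlock is a model that aborts on a conflicting acquisition instead of blocking, and the refcount is a plain integer. The wait queue is a separately allocated object freed before the reader's delivery step, which is the situation the pinned reference on struct sock does not protect against.

```c
/* Added example, not kernel code: a single-threaded model of the race in the
 * commit message above.  All names are constructed stand-ins for kernel ones. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* rwlock model: conflicting acquisitions abort instead of blocking. */
struct rwlock { int readers; bool writer; };
static void read_lock(struct rwlock *l) { if (l->writer) abort(); l->readers++; }
static void read_unlock(struct rwlock *l) { l->readers--; }
static void write_lock(struct rwlock *l) { if (l->writer || l->readers) abort(); l->writer = true; }
static void write_unlock(struct rwlock *l) { l->writer = false; }

/* Stand-in for the wait queue behind sk->sk_wq; it belongs to the struct socket
 * that __sock_release() frees, so a reference on struct sock does not keep it. */
struct wq { int wakeups; };

struct sock {
	struct rwlock callback_lock;	/* sk_callback_lock */
	int refcnt;			/* sk_refcnt */
	bool dead;			/* SOCK_DEAD */
	struct wq *wq;			/* sk_wq, NULL once orphaned */
};

static struct sock *sigd;		/* the global daemon pointer */
enum deliver_result { DELIVERED, NO_DAEMON, DAEMON_DEAD };

static struct sock *sock_hold(struct sock *sk) { if (sk) sk->refcnt++; return sk; }
static void sock_put(struct sock *sk) { if (--sk->refcnt == 0) free(sk); }

/* sock_orphan(): set SOCK_DEAD and clear sk_wq under the write side of the lock. */
static void sock_orphan(struct sock *sk)
{
	write_lock(&sk->callback_lock);
	sk->dead = true;
	sk->wq = NULL;
	write_unlock(&sk->callback_lock);
}

static struct sock *daemon_attach(void)
{
	struct sock *sk = calloc(1, sizeof(*sk));
	if (!sk || !(sk->wq = calloc(1, sizeof(*sk->wq))))
		abort();
	sk->refcnt = 1;
	sigd = sk;
	return sk;
}

/* First half of the patched sigd_put_skb(): latch @sigd and pin the sock.
 * Kept separate from delivery so a close can be interleaved between the two. */
static struct sock *sigd_latch(void) { return sock_hold(sigd); }

/* Second half: deliver under the read lock, or bail if the sock is already dead. */
static enum deliver_result sigd_deliver(struct sock *sk)
{
	if (!sk)
		return NO_DAEMON;
	read_lock(&sk->callback_lock);
	if (sk->dead) {
		read_unlock(&sk->callback_lock);
		sock_put(sk);
		return DAEMON_DEAD;
	}
	sk->wq->wakeups++;	/* sk_data_ready(); sk_wq cannot go away while we hold the lock */
	read_unlock(&sk->callback_lock);
	sock_put(sk);
	return DELIVERED;
}

/* Daemon fd close: sigd_close() clears @sigd and orphans the sock, then
 * __sock_release() frees the struct socket (modelled by freeing the wait queue). */
static void daemon_close(struct sock *sk)
{
	struct wq *wq = sk->wq;
	sigd = NULL;
	sock_orphan(sk);
	free(wq);
	sock_put(sk);		/* the sock outlives this while a reader still pins it */
}

/* The interleaving from the commit message: the reader latches and pins the
 * daemon, the close runs to completion, then the reader attempts delivery. */
static enum deliver_result race_latch_then_close(void)
{
	struct sock *sk = daemon_attach();
	struct sock *pinned = sigd_latch();
	daemon_close(sk);
	return sigd_deliver(pinned);	/* sees SOCK_DEAD; never touches the freed wq */
}

static enum deliver_result deliver_then_close(int *wakeups)
{
	struct sock *sk = daemon_attach();
	enum deliver_result r = sigd_deliver(sigd_latch());
	*wakeups = sk->wq->wakeups;
	daemon_close(sk);
	return r;
}

static enum deliver_result close_then_deliver(void)
{
	daemon_close(daemon_attach());
	return sigd_deliver(sigd_latch());
}

int main(void)
{
	int wakeups = 0;
	printf("latch, close, deliver: %d (2 = DAEMON_DEAD)\n", race_latch_then_close());
	printf("deliver, close: %d with %d wakeup(s)\n", deliver_then_close(&wakeups), wakeups);
	printf("close, deliver: %d (1 = NO_DAEMON)\n", close_then_deliver());
	return 0;
}
```

The three scenarios cover the orderings that matter: delivery before close succeeds and wakes the queue once, delivery after the global is cleared finds no daemon, and the problematic ordering in between (latched and pinned before close, delivered after) ends in the SOCK_DEAD branch without dereferencing the freed wait queue. Building with -fsanitize=address shows that the dead branch is what keeps the third scenario clean: the sock is still valid through the pinned reference, the wait queue is not.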