Re: [PATCH v2] atm: lec: fix use-after-free in sock_def_readable()

From: Deepanshu Kartikey

Date: Wed Mar 11 2026 - 21:04:17 EST
On Tue, Mar 10, 2026 at 8:48 AM Hillf Danton <hdanton@xxxxxxxx> wrote:
>
> At this point priv->lecd is no longer used, so why not make lecd valid
> throughout the lifespan of priv and free it after stopping dev queue,
> instead of the tedious rcu trick?
>

Thank you for the suggestion.

I investigated this approach. While netif_stop_queue() stops
the TX path and cancel_delayed_work_sync() in lec_arp_destroy()
stops lec_arp_work, the bug is actually triggered from
mld_ifc_work (IPv6 multicast workqueue) which calls:

mld_ifc_work -> mld_sendpack -> ip6_output
-> lec_start_xmit -> lec_arp_resolve -> send_to_lecd

This workqueue belongs to the IPv6 multicast subsystem and
is completely outside ATM/LEC control. Neither
netif_stop_queue() nor lec_arp_destroy() can stop it, so
simply reordering the calls in lec_atm_close() would not
fix the race.

The RCU approach with synchronize_rcu() ensures ALL callers
including mld_ifc_work have finished before priv->lecd is
cleared.

Deepanshu Kartikey