Re: [syzbot] [net?] KASAN: slab-use-after-free Read in sock_def_readable (2)

Next message: Ratheesh Kannoth: "[PATCH v4 net-next 3/5] octeontx2-af: npc: cn20k: add subbank search order control"
Previous message: Pei Xiao: "Re: [PATCH v2 2/2] spi: atcspi200: fix mutex initialization order"
In reply to: syzbot: "Forwarded: [PATCH] atm: lec: fix use-after-free in sock_def_readable()"
Next in thread: syzbot: "Re: [syzbot] [net?] KASAN: slab-use-after-free Read in sock_def_readable (2)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Hillf Danton

Date: Wed Mar 11 2026 - 22:27:07 EST

#syz test

--- a/net/atm/lec.c
+++ b/net/atm/lec.c
@@ -471,12 +471,14 @@ static void lec_atm_close(struct atm_vcc
struct sk_buff *skb;
struct net_device *dev = (struct net_device *)vcc->proto_data;
struct lec_priv *priv = netdev_priv(dev);
+ struct sock *sk = sk_atm(priv->lecd);

priv->lecd = NULL;
/* Do something needful? */

netif_stop_queue(dev);
lec_arp_destroy(priv);
+ sock_put(sk);

if (skb_peek(&sk_atm(vcc)->sk_receive_queue))
pr_info("%s closing with messages pending\n", dev->name);
@@ -761,6 +763,7 @@ static int lecd_attach(struct atm_vcc *v
priv->lecd = vcc;
vcc->dev = &lecatm_dev;
vcc_insert_socket(sk_atm(vcc));
+ sock_hold(sk_atm(vcc));

vcc->proto_data = dev_lec[i];
set_bit(ATM_VF_META, &vcc->flags);
--