Re: [PATCH v2] atm: lec: fix use-after-free in sock_def_readable()

Next message: patchwork-bot+netdevbpf: "Re: [PATCH net-next v3 0/6] tcp: RFC 7323-compliant window retraction handling"
Previous message: Trond Myklebust: "Re: [regression] Large rsize/wsize (1MB) causes EIO after 2b092175f5e3 (&quot;NFS: Fix inheritance of the block sizes when automounting&quot;)"
In reply to: Eric Dumazet: "Re: [PATCH v2] atm: lec: fix use-after-free in sock_def_readable()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: patchwork-bot+netdevbpf

Date: Sat Mar 14 2026 - 11:40:23 EST

Hello:

This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@xxxxxxxxxx>:

On Mon, 9 Mar 2026 21:29:08 +0530 you wrote:
> A race condition exists between lec_atm_close() setting priv->lecd
> to NULL and concurrent access to priv->lecd in send_to_lecd(),
> lec_handle_bridge(), and lec_atm_send(). When the socket is freed
> via RCU while another thread is still using it, a use-after-free
> occurs in sock_def_readable() when accessing the socket's wait queue.
>
> The root cause is that lec_atm_close() clears priv->lecd without
> any synchronization, while callers dereference priv->lecd without
> any protection against concurrent teardown.
>
> [...]

Here is the summary with links:
- [v2] atm: lec: fix use-after-free in sock_def_readable()
https://git.kernel.org/netdev/net/c/922814879542

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html