Re: [PATCH] llc: Fix NULL pointer dereference in llc_conn_state_process() when sk_socket is NULL
From: Jiakai Xu
Date: Thu May 28 2026 - 21:21:16 EST
Thanks for your review!
> > diff --git a/net/llc/llc_conn.c b/net/llc/llc_conn.c
> > index 5c0ac243b248f..de65c452f6e68 100644
> > --- a/net/llc/llc_conn.c
> > +++ b/net/llc/llc_conn.c
> > @@ -101,7 +101,8 @@ int llc_conn_state_process(struct sock *sk, struct sk_buff *skb)
> > case LLC_DISC_PRIM:
> > sock_hold(sk);
> > if (sk->sk_type == SOCK_STREAM &&
> > - sk->sk_state == TCP_ESTABLISHED) {
> > + sk->sk_state == TCP_ESTABLISHED &&
> > + sk->sk_socket) {
> > sk->sk_shutdown = SHUTDOWN_MASK;
> > sk->sk_socket->state = SS_UNCONNECTED;
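Review bot: the `sk->sk_socket` test added to the if condition does not make the dereference on the next line, `sk->sk_socket->state = SS_UNCONNECTED;`, safe on its own: the condition and the assignment are two separate loads of sk->sk_socket, so unless the caller holds whatever serializes against the path that clears sk_socket (sock_orphan()), the pointer can be cleared between the check and the use and the NULL dereference the subject line describes is only narrowed, not removed. Either make the check and the store atomic with respect to the orphaning path (take the lock that path holds, or read the pointer once into a local under that lock), or fix the ordering at the root so the connection state machine can no longer run once the socket has been orphaned, which is the stronger fix. It would also help if the commit message named the exact sequence (which path clears sk_socket while the timer or state machine is still live) so the reader can judge which of the two fixes is intended.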
>
> sk orphaning happens outside the sk socket lock, and before the timer is
> cancelled. sk_socket can still be cleared after the previous check and
> before this access. You probably need to move the sock_orphan() call in
> llc_sk_free(), after stopping the timers.
You are right. I'll send a v2 patch later.
Regards,
Jiakai