Re: [PATCH net] appletalk: Hold socket reference in atalk_rcv()

Next message: Andrew Lunn: "Re: [PATCH] net: ehea: unwind probe_port sysfs file on failure"
Previous message: Ian Rogers: "Re: [PATCH 02/13] perf symbols: Validate p_filesz before use in filename__read_build_id()"
In reply to: Simon Horman: "Re: [PATCH net] appletalk: Hold socket reference in atalk_rcv()"
Next in thread: Jakub Kicinski: "Re: [PATCH net] appletalk: Hold socket reference in atalk_rcv()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Eric Dumazet

Date: Mon Jun 15 2026 - 13:08:01 EST

On Sun, Jun 14, 2026 at 2:52 AM Yizhou Zhao
<zhaoyz24@xxxxxxxxxxxxxxxxxxxxx> wrote:
>
> atalk_search_socket() walks the global atalk_sockets list while holding
> atalk_sockets_lock, but it returns the matching socket after dropping the
> lock without taking a reference. atalk_rcv() then passes that pointer to
> sock_queue_rcv_skb().
>
> That leaves a race with close(). A concurrent atalk_release() can orphan
> the socket, remove it from atalk_sockets, and drop the final reference via
> atalk_destroy_socket(), freeing the socket before atalk_rcv() queues the
> incoming skb.
>
> On a KASAN-enabled kernel this can be reproduced by racing AppleTalk DDP
> delivery on loopback against close/rebind of the destination DGRAM socket:
>
> BUG: KASAN: slab-use-after-free in selinux_socket_sock_rcv_skb()
> sk_filter_trim_cap()
> sock_queue_rcv_skb_reason()
> atalk_rcv()
> snap_rcv()
> llc_rcv()
>
> Take a reference on the selected socket before dropping
> atalk_sockets_lock, and put it after sock_queue_rcv_skb() has finished.
> This keeps the socket alive for the receive path without changing socket
> lookup semantics. A malformed or racing receive still drops the skb on
> queueing failure as before.

No idea why linux still carries appletalk.

MacOS dropped it 20 years ago.