Re: [PATCH v2] atm: fix use-after-free in sigd_put_skb()
From: Weiming Shi
Date: Tue Jun 16 2026 - 08:41:21 EST

On Sat Jun 13, 2026 at 7:10 AM CST, Jakub Kicinski wrote:
> On Wed, 10 Jun 2026 00:21:08 +0800 Weiming Shi wrote:
>> sigd_put_skb() delivers a signalling message to the daemon socket named
>> by the global @sigd pointer, ending in a call to sk_data_ready(). It
>> reads @sigd with no synchronisation, so it can race with a close of the
>> daemon socket: sigd_close() clears @sigd and the socket is then torn
>> down and freed.
>
> Hm, we intend to only retain the portions of the ATM stack which are
> still used in PPPoATM and ADSL. I don't believe the signaling stuff
> is used there. I will post a patch to delete this code.

Thanks, that makes sense to me.