Re: [PATCH net] appletalk: Hold socket reference in atalk_rcv()

Next message: Eduard Zingerman: "Re: [PATCH bpf-next 1/2] bpf: Preserve pointer spill metadata during half-slot cleanup"
Previous message: Gary Guo: "Re: [PATCH 04/13] gpu: nova-core: falcon: gsp: move PRIV target mask constants"
In reply to: Eric Dumazet: "Re: [PATCH net] appletalk: Hold socket reference in atalk_rcv()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jakub Kicinski

Date: Mon Jun 15 2026 - 13:23:20 EST

On Mon, 15 Jun 2026 09:53:59 -0700 Eric Dumazet wrote:
> > atalk_search_socket() walks the global atalk_sockets list while holding
> > atalk_sockets_lock, but it returns the matching socket after dropping the
> > lock without taking a reference. atalk_rcv() then passes that pointer to
> > sock_queue_rcv_skb().
> >
> > That leaves a race with close(). A concurrent atalk_release() can orphan
> > the socket, remove it from atalk_sockets, and drop the final reference via
> > atalk_destroy_socket(), freeing the socket before atalk_rcv() queues the
> > incoming skb.
> >
> > On a KASAN-enabled kernel this can be reproduced by racing AppleTalk DDP
> > delivery on loopback against close/rebind of the destination DGRAM socket:
> >
> > BUG: KASAN: slab-use-after-free in selinux_socket_sock_rcv_skb()
> > sk_filter_trim_cap()
> > sock_queue_rcv_skb_reason()
> > atalk_rcv()
> > snap_rcv()
> > llc_rcv()
> >
> > Take a reference on the selected socket before dropping
> > atalk_sockets_lock, and put it after sock_queue_rcv_skb() has finished.
> > This keeps the socket alive for the receive path without changing socket
> > lookup semantics. A malformed or racing receive still drops the skb on
> > queueing failure as before.
>
> No idea why linux still carries appletalk.
>
> MacOS dropped it 20 years ago.

Yes. Let me try to move it to mod-orphan.