tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

atm: lec: fix null-ptr-deref in lec_arp_clear_vccs

syzkaller reported a null-ptr-deref in lec_arp_clear_vccs().
This issue can be easily reproduced using the syzkaller reproducer.

In the ATM LANE (LAN Emulation) module, the same atm_vcc can be shared by
multiple lec_arp_table entries (e.g., via entry->vcc or entry->recv_vcc).
When the underlying VCC is closed, lec_vcc_close() iterates over all
ARP entries and calls lec_arp_clear_vccs() for each matched entry.

For example, when lec_vcc_close() iterates through the hlists in
priv->lec_arp_empty_ones or other ARP tables:

1. In the first iteration, for the first matched ARP entry sharing the VCC,
lec_arp_clear_vccs() frees the associated vpriv (which is vcc->user_back)
and sets vcc->user_back to NULL.
2. In the second iteration, for the next matched ARP entry sharing the same
VCC, lec_arp_clear_vccs() is called again. It obtains a NULL vpriv from
vcc->user_back (via LEC_VCC_PRIV(vcc)) and then attempts to dereference it
via `vcc->pop = vpriv->old_pop`, leading to a null-ptr-deref crash.

Fix this by adding a null check for vpriv before dereferencing
it. If vpriv is already NULL, it means the VCC has been cleared
by a previous call, so we can safely skip the cleanup and just
clear the entry's vcc/recv_vcc pointers.

The entire cleanup block (including vcc_release_async()) is placed inside
the vpriv guard because a NULL vpriv indicates the VCC has already been
fully released by a prior iteration — repeating the teardown would
redundantly set flags and trigger callbacks on an already-closing socket.

The Fixes tag points to the initial commit because the entry->vcc path has
been vulnerable since the original code. The entry->recv_vcc path was later
added by commit 8d9f73c0ad2f ("atm: fix a memory leak of vcc->user_back")
with the same pattern, and both paths are fixed here.

Reported-by: syzbot+72e3ea390c305de0e259@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/68c95a83.050a0220.3c6139.0e5c.GAE@google.com/T/
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Suggested-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Jiayuan Chen <jiayuan.chen@shopee.com>
Link: https://patch.msgid.link/20260225123250.189289-1-jiayuan.chen@linux.dev
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

authored by

Jiayuan Chen and committed by
Jakub Kicinski 101bacb3 74badb9c

+15 -11
+15 -11
net/atm/lec.c
··· 1260 1260 struct lec_vcc_priv *vpriv = LEC_VCC_PRIV(vcc); 1261 1261 struct net_device *dev = (struct net_device *)vcc->proto_data; 1262 1262 1263 - vcc->pop = vpriv->old_pop; 1264 - if (vpriv->xoff) 1265 - netif_wake_queue(dev); 1266 - kfree(vpriv); 1267 - vcc->user_back = NULL; 1268 - vcc->push = entry->old_push; 1269 - vcc_release_async(vcc, -EPIPE); 1263 + if (vpriv) { 1264 + vcc->pop = vpriv->old_pop; 1265 + if (vpriv->xoff) 1266 + netif_wake_queue(dev); 1267 + kfree(vpriv); 1268 + vcc->user_back = NULL; 1269 + vcc->push = entry->old_push; 1270 + vcc_release_async(vcc, -EPIPE); 1271 + } 1270 1272 entry->vcc = NULL; 1271 1273 } 1272 1274 if (entry->recv_vcc) { 1273 1275 struct atm_vcc *vcc = entry->recv_vcc; 1274 1276 struct lec_vcc_priv *vpriv = LEC_VCC_PRIV(vcc); 1275 1277 1276 - kfree(vpriv); 1277 - vcc->user_back = NULL; 1278 + if (vpriv) { 1279 + kfree(vpriv); 1280 + vcc->user_back = NULL; 1278 1281 1279 - entry->recv_vcc->push = entry->old_recv_push; 1280 - vcc_release_async(entry->recv_vcc, -EPIPE); 1282 + entry->recv_vcc->push = entry->old_recv_push; 1283 + vcc_release_async(entry->recv_vcc, -EPIPE); 1284 + } 1281 1285 entry->recv_vcc = NULL; 1282 1286 } 1283 1287 }