PT-2026-36467 · Linux · Linux
Published 2026-05-01 · Updated 2026-05-01 · CVE-2026-43050
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
atm: lec: fix use-after-free in sock_def_readable()
A race condition exists between lec_atm_close() setting priv->lecd
to NULL and concurrent access to priv->lecd in send_to_lecd(),
lec_handle_bridge(), and lec_atm_send(). When the socket is freed
via RCU while another thread is still using it, a use-after-free
occurs in sock_def_readable() when accessing the socket's wait queue.
The root cause is that lec_atm_close() clears priv->lecd without
any synchronization, while callers dereference priv->lecd without
any protection against concurrent teardown.
Fix this by converting priv->lecd to an RCU-protected pointer:
- Mark priv->lecd as __rcu in lec.h
- Use rcu_assign_pointer() in lec_atm_close() and lecd_attach() for safe pointer assignment
- Use rcu_access_pointer() for NULL checks that do not dereference the pointer in lec_start_xmit(), lec_push(), send_to_lecd() and lecd_attach()
- Use rcu_read_lock()/rcu_dereference()/rcu_read_unlock() in send_to_lecd(), lec_handle_bridge() and lec_atm_send() to safely access lecd
- Use rcu_assign_pointer() followed by synchronize_rcu() in lec_atm_close() to ensure all readers have completed before proceeding. This is safe since lec_atm_close() is called from vcc_release() which holds lock_sock(), a sleeping lock.
- Remove the manual sk_receive_queue drain from lec_atm_close() since vcc_destroy_socket() already drains it after lec_atm_close() returns.
v2: Switch from spinlock + sock_hold/put approach to RCU to properly
fix the race. The v1 spinlock approach had two issues pointed out
by Eric Dumazet:
- priv->lecd was still accessed directly after releasing the lock instead of using a local copy.
- The spinlock did not prevent packets being queued after lec_atm_close() drains sk_receive_queue since timer and workqueue paths bypass netif_stop_queue().
Note: Syzbot patch testing was attempted but the test VM terminated
unexpectedly with "Connection to localhost closed by remote host",
likely due to a QEMU AHCI emulation issue unrelated to this fix.
Compile testing with "make W=1 net/atm/lec.o" passes cleanly.
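The pattern the commit describes, as an added userspace model (this is example code written for this page, not the kernel's net/atm/lec.c and not the patch itself): the publisher clears the pointer with an rcu_assign_pointer() equivalent, waits a grace period, and only then lets the socket be destroyed, while readers take a read-side section, copy the pointer once into a local and never touch the socket outside that section. Everything named `model_*`, the single seq_cst reader counter that stands in for rcu_read_lock()/synchronize_rcu(), and the `freed` flag that stands in for the actual kfree() are assumptions of this example; real kernel RCU does not make writers spin on a shared counter.

```c
/* Userspace model of the fix (added example, not kernel code): an RCU-protected
 * priv->lecd, readers working on a local copy inside a read-side section, close()
 * publishing NULL and waiting a grace period.  ASSUMPTION: model_* names stand in
 * for the kernel API; a single seq_cst reader counter replaces real RCU (the kernel
 * never spins writers on a shared counter) and `freed` replaces kfree(). */
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>

struct lecd_sock { atomic_int freed; };   /* stand-in for the lecd socket; 1 once destroyed */
struct lec_priv { _Atomic(struct lecd_sock *) lecd; };   /* struct sock __rcu *lecd */

static atomic_int model_readers;   /* readers currently inside a section */
static void model_rcu_read_lock(void)   { atomic_fetch_add(&model_readers, 1); }
static void model_rcu_read_unlock(void) { atomic_fetch_sub(&model_readers, 1); }
/* Grace period: every reader that may hold the old pointer has left its section. */
static void model_synchronize_rcu(void) { while (atomic_load(&model_readers)) sched_yield(); }

/* lecd_attach(): rcu_access_pointer()-style NULL check (no dereference), then
 * rcu_assign_pointer().  Returns 0, or -1 when a daemon is already attached. */
static int model_lecd_attach(struct lec_priv *priv, struct lecd_sock *sk)
{
    if (atomic_load(&priv->lecd)) return -1;
    atomic_store(&sk->freed, 0);
    atomic_store(&priv->lecd, sk);
    return 0;
}

/* lec_atm_close(): rcu_assign_pointer(priv->lecd, NULL) then synchronize_rcu().
 * The detached socket is returned so the caller destroys it only afterwards. */
static struct lecd_sock *model_lec_atm_close(struct lec_priv *priv)
{
    struct lecd_sock *sk = atomic_exchange(&priv->lecd, NULL);
    if (sk) model_synchronize_rcu();
    return sk;
}

/* send_to_lecd() after the fix: rcu_dereference() once into a local and touch
 * the socket only inside the section.  1 delivered, 0 no daemon, -1 UAF seen. */
static int model_send_to_lecd(struct lec_priv *priv)
{
    int rc = 0;
    model_rcu_read_lock();
    struct lecd_sock *sk = atomic_load(&priv->lecd);
    if (sk)   /* sock_def_readable() stand-in: reading the socket's state */
        rc = atomic_load(&sk->freed) ? -1 : 1;
    model_rcu_read_unlock();
    return rc;
}

struct reader_arg { struct lec_priv *priv; atomic_int *stop; long violations; };
static void *reader_main(void *p)
{
    struct reader_arg *a = p;
    while (!atomic_load(a->stop)) {
        if (model_send_to_lecd(a->priv) < 0)
            a->violations++;
        sched_yield();   /* be outside the section often enough for the writer */
    }
    return NULL;
}

/* Four readers hammer send_to_lecd() while the writer attaches, closes and
 * destroys the daemon socket `rounds` times; returns the number of UAF sightings. */
static long model_stress(int rounds)
{
    struct lec_priv priv = { NULL };
    struct lecd_sock socks[2] = { { 0 }, { 0 } };
    atomic_int stop = 0;
    pthread_t th[4]; struct reader_arg args[4];
    long violations = 0;
    for (int i = 0; i < 4; i++) {
        args[i] = (struct reader_arg){ &priv, &stop, 0 };
        pthread_create(&th[i], NULL, reader_main, &args[i]);
    }
    for (int r = 0; r < rounds; r++) {
        model_lecd_attach(&priv, &socks[r & 1]);
        struct lecd_sock *sk = model_lec_atm_close(&priv);
        if (sk) atomic_store(&sk->freed, 1);   /* vcc_destroy_socket(): kfree() stand-in */
    }
    atomic_store(&stop, 1);
    for (int i = 0; i < 4; i++) {
        pthread_join(th[i], NULL);
        violations += args[i].violations;
    }
    return violations;
}

/* Single-threaded walk through the API; 1 when every step behaves as described. */
static int model_sanity(void)
{
    struct lec_priv priv = { NULL };
    struct lecd_sock sk = { 0 };
    if (model_lecd_attach(&priv, &sk) != 0 || model_lecd_attach(&priv, &sk) != -1)
        return 0;
    if (model_send_to_lecd(&priv) != 1 || model_lec_atm_close(&priv) != &sk)
        return 0;
    return model_send_to_lecd(&priv) == 0;   /* daemon gone, NULL check hit */
}
```

Two details of the model map onto the review points in the commit message. model_send_to_lecd() reads priv->lecd exactly once into `sk` and never re-reads it after the section, which is the local-copy discipline the v1 spinlock version lacked; and model_lec_atm_close() hands the socket back instead of destroying it, so the kfree() stand-in can only run after synchronize_rcu() has returned, mirroring vcc_destroy_socket() freeing the socket after lec_atm_close() returns. The single reader counter is deliberately simplistic: a writer can be starved by a continuous stream of readers, which is why the readers yield between calls and why the kernel uses proper grace-period tracking instead.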
Affected Products: Linux