lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20251022172045.57132-1-biancaa2210329@ssn.edu.in>
Date: Wed, 22 Oct 2025 22:50:45 +0530
From: Biancaa Ramesh <biancaa2210329@....edu.in>
To: davem@...emloft.net
Cc: edumazet@...gle.com,
	kuba@...nel.org,
	pabeni@...hat.com,
	netdev@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	Biancaa Ramesh <biancaa2210329@....edu.in>
Subject: [PATCH] Signed-off-by: Biancaa Ramesh <biancaa2210329@....edu.in>

net/llc: add socket locking in llc_conn_state_process to fix race conditions

The llc_conn_state_process function handles LLC socket state transitions and is called from timer callbacks and network packet processing.

Currently, there is a race condition due to concurrent access to the LLC socket's state machine and connection state without proper locking. This causes use-after-free, array out-of-bounds, and general protection faults due to invalid concurrent state access.

This patch adds socket bottom-half locking (bh_lock_sock and bh_unlock_sock) around the call to llc_conn_service() in llc_conn_state_process. This serializes access to the LLC state machine and protects against races with LLC socket freeing and timer callbacks.

It complements existing fixes that lock the socket during socket freeing (llc_sk_free) and timer cancellation.

This fix prevents Kernel Address Sanitizer (KASAN) null pointer dereferences, Undefined Behavior Sanitizer (UBSAN) array index out-of-bounds, and rare kernel panics due to LLC state races.

Reported-by: syzbot
---
 net/llc/llc_conn.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/llc/llc_conn.c b/net/llc/llc_conn.c
index 5c0ac243b248..c4f852b2dff5 100644
--- a/net/llc/llc_conn.c
+++ b/net/llc/llc_conn.c
@@ -69,7 +69,9 @@ int llc_conn_state_process(struct sock *sk, struct sk_buff *skb)
 	/*
 	 * Send event to state machine
 	 */
+	bh_lock_sock(sk);  // Lock socket bottom-half before state machine processing
 	rc = llc_conn_service(skb->sk, skb);
+	bh_unlock_sock(sk);  // Unlock after processing
 	if (unlikely(rc != 0)) {
 		printk(KERN_ERR "%s: llc_conn_service failed\n", __func__);
 		goto out_skb_put;
-- 
2.43.0


-- 
::DISCLAIMER::

---------------------------------------------------------------------
The 
contents of this e-mail and any attachment(s) are confidential and
intended 
for the named recipient(s) only. Views or opinions, if any,
presented in 
this email are solely those of the author and may not
necessarily reflect 
the views or opinions of SSN Institutions (SSN) or its
affiliates. Any form 
of reproduction, dissemination, copying, disclosure,
modification, 
distribution and / or publication of this message without the
prior written 
consent of authorized representative of SSN is strictly
prohibited. If you 
have received this email in error please delete it and
notify the sender 
immediately.
---------------------------------------------------------------------
Header of this mail should have a valid DKIM signature for the domain 
ssn.edu.in <http://www.ssn.edu.in/>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ