Re: [PATCH] llc: Fix NULL pointer dereference in llc_conn_state_process() when sk_socket is NULL

Next message: Vincent Mailhol: "Re: [PATCH v1] can: flexcan: Drop unused platform driver data"
Previous message: jianyu.li: "[PATCH net v2 1/2] af_unix: Fix inq_len update problem in partial read"
In reply to: Jiakai Xu: "[PATCH] llc: Fix NULL pointer dereference in llc_conn_state_process() when sk_socket is NULL"
Next in thread: Jiakai Xu: "Re: [PATCH] llc: Fix NULL pointer dereference in llc_conn_state_process() when sk_socket is NULL"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Paolo Abeni

Date: Thu May 28 2026 - 07:01:48 EST

On 5/26/26 3:35 AM, Jiakai Xu wrote:
> diff --git a/net/llc/llc_conn.c b/net/llc/llc_conn.c
> index 5c0ac243b248f..de65c452f6e68 100644
> --- a/net/llc/llc_conn.c
> +++ b/net/llc/llc_conn.c
> @@ -101,7 +101,8 @@ int llc_conn_state_process(struct sock *sk, struct sk_buff *skb)
> case LLC_DISC_PRIM:
> sock_hold(sk);
> if (sk->sk_type == SOCK_STREAM &&
> - sk->sk_state == TCP_ESTABLISHED) {
> + sk->sk_state == TCP_ESTABLISHED &&
> + sk->sk_socket) {
> sk->sk_shutdown = SHUTDOWN_MASK;
> sk->sk_socket->state = SS_UNCONNECTED;

sk orphaning happens outside the sk socket lock, and before the timer is
cancelled. sk_socket can still be cleared after the previous check and
before this access. You probably need to move the sock_orphan() call in
lc_sk_free(), after stopping the timers.

/P