vcc_sendmsg() checks VCC state flags (ATM_VF_RELEASED, ATM_VF_CLOSE, ATM_VF_READY) before calling copy_from_iter_full(), but does not re-check after copy returns. copy_from_iter_full() can block on user-space page faults, and if the ATM device is deregistered during that window via atm_dev_deregister() -> atm_dev_release_vccs() -> vcc_release_async(), the driver frees its per-device private state. When sendmsg resumes, it calls vcc->dev->ops->send() which dereferences the freed memory. Re-check VCC flags after copy_from_iter_full() completes, matching the existing re-check pattern in the TX-ready wait loop. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Zhenghang Xiao --- net/atm/common.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/net/atm/common.c b/net/atm/common.c index fe77f51f6ce1..cfcbefaaafb2 100644 --- a/net/atm/common.c +++ b/net/atm/common.c @@ -641,6 +641,13 @@ int vcc_sendmsg(struct socket *sock, struct msghdr *m, size_t size) if (eff != size) memset(skb->data + size, 0, eff-size); + if (test_bit(ATM_VF_RELEASED, &vcc->flags) || + test_bit(ATM_VF_CLOSE, &vcc->flags) || + !test_bit(ATM_VF_READY, &vcc->flags)) { + error = -EPIPE; + goto free_skb; + } + if (vcc->dev->ops->pre_send) { error = vcc->dev->ops->pre_send(vcc, skb); if (error) -- 2.50.1 (Apple Git-155)
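Review bot: The re-check added after the memset() closes the window only if the flag update in the release path is ordered before the driver frees its private state, and nothing between the new test_bit() calls and vcc->dev->ops->send() prevents the same deregistration from happening again; as written, a release that lands after the check but before pre_send()/send() still reaches freed memory, so the commit message should say what serializes vcc_release_async() against this path (or state plainly that this narrows the window rather than eliminates it). Two smaller points on the same lines: the commit message says the check "matches the existing re-check pattern in the TX-ready wait loop", so please confirm that loop and this new block handle the error the same way (error value and any signal delivery), since only `error = -EPIPE; goto free_skb;` is visible here; and the `free_skb` label is not in the hunk context, so please confirm it frees the skb allocated earlier in vcc_sendmsg() and nothing else that has not yet been set up at this point.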