* [syzbot] [net?] [s390?] general protection fault in smc_diag_dump_proto
@ 2024-08-09 16:27 syzbot
From: syzbot @ 2024-08-09 16:27 UTC (permalink / raw)
To: agordeev, alibuda, davem, edumazet, guwen, jaka, kuba,
linux-kernel, linux-s390, netdev, pabeni, syzkaller-bugs, tonylu,
wenjia
Hello,
syzbot found the following issue on:
HEAD commit: d7e78951a8b8 Merge tag 'net-6.11-rc0' of git://git.kernel...
git tree: net-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=173cfd3d980000
kernel config: https://syzkaller.appspot.com/x/.config?x=a6f4e2cb79bdcd45
dashboard link: https://syzkaller.appspot.com/bug?extid=f69bfae0a4eb29976e44
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15900a9d980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1008b645980000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/6b22bae2c3c1/disk-d7e78951.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/37db35e4bb64/vmlinux-d7e78951.xz
kernel image: https://storage.googleapis.com/syzbot-assets/3e489cf2c28e/bzImage-d7e78951.xz
Bisection is inconclusive: the first bad commit could be any of:
5bcd9a0a5995 wifi: brcm80211: remove unused structs
f29dcae96ec8 Merge tag 'rtw-next-2024-06-04' of https://github.com/pkshih/rtw
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=17196f19980000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f69bfae0a4eb29976e44@syzkaller.appspotmail.com
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 1 PID: 6338 Comm: syz-executor175 Not tainted 6.10.0-syzkaller-09703-gd7e78951a8b8 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
RIP: 0010:smc_diag_msg_common_fill net/smc/smc_diag.c:44 [inline]
RIP: 0010:__smc_diag_dump net/smc/smc_diag.c:89 [inline]
RIP: 0010:smc_diag_dump_proto+0x709/0x3270 net/smc/smc_diag.c:217
Code: 08 48 89 df e8 f8 0d 9d f6 48 8b 44 24 28 4c 8d 68 14 48 8b 1b 48 83 c3 0e 48 89 d8 48 c1 e8 03 49 bf 00 00 00 00 00 fc ff df <42> 0f b6 04 38 84 c0 0f 85 46 1b 00 00 0f b7 1b 66 c1 c3 08 4c 89
RSP: 0018:ffffc90009d56b00 EFLAGS: 00010203
RAX: 0000000000000001 RBX: 000000000000000e RCX: ffff88807c439e00
RDX: 0000000000000000 RSI: 0000000080000001 RDI: 0000000000000000
RBP: ffffc90009d56f90 R08: ffffffff8990c562 R09: 1ffff11005a1084b
R10: dffffc0000000000 R11: ffffed1005a1084c R12: 1ffff11005a108e0
R13: ffff88801f600014 R14: ffff88802d084200 R15: dffffc0000000000
FS: 00007f92fcb0b6c0(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f92fcb0bd58 CR3: 000000002290e000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
smc_diag_dump+0x59/0xa0 net/smc/smc_diag.c:236
netlink_dump+0x647/0xd80 net/netlink/af_netlink.c:2325
__netlink_dump_start+0x59f/0x780 net/netlink/af_netlink.c:2440
netlink_dump_start include/linux/netlink.h:339 [inline]
smc_diag_handler_dump+0x1ab/0x250 net/smc/smc_diag.c:251
sock_diag_rcv_msg+0x3dc/0x5f0
netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2550
netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]
netlink_unicast+0x7f0/0x990 net/netlink/af_netlink.c:1357
netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1901
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x221/0x270 net/socket.c:745
sock_sendmsg+0x134/0x200 net/socket.c:768
splice_to_socket+0xa13/0x10b0 fs/splice.c:889
do_splice_from fs/splice.c:941 [inline]
do_splice+0xd77/0x1900 fs/splice.c:1354
__do_splice fs/splice.c:1436 [inline]
__do_sys_splice fs/splice.c:1652 [inline]
__se_sys_splice+0x331/0x4a0 fs/splice.c:1634
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f92fcb924d9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f92fcb0b218 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
RAX: ffffffffffffffda RBX: 00007f92fcb0b6c0 RCX: 00007f92fcb924d9
RDX: 0000000000000005 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00007f92fcc1c348 R08: 0000000080000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f92fcc1c340
R13: 00007f92fcbe9074 R14: 00007ffd7bd61c20 R15: 00007ffd7bd61d08
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:smc_diag_msg_common_fill net/smc/smc_diag.c:44 [inline]
RIP: 0010:__smc_diag_dump net/smc/smc_diag.c:89 [inline]
RIP: 0010:smc_diag_dump_proto+0x709/0x3270 net/smc/smc_diag.c:217
Code: 08 48 89 df e8 f8 0d 9d f6 48 8b 44 24 28 4c 8d 68 14 48 8b 1b 48 83 c3 0e 48 89 d8 48 c1 e8 03 49 bf 00 00 00 00 00 fc ff df <42> 0f b6 04 38 84 c0 0f 85 46 1b 00 00 0f b7 1b 66 c1 c3 08 4c 89
RSP: 0018:ffffc90009d56b00 EFLAGS: 00010203
RAX: 0000000000000001 RBX: 000000000000000e RCX: ffff88807c439e00
RDX: 0000000000000000 RSI: 0000000080000001 RDI: 0000000000000000
RBP: ffffc90009d56f90 R08: ffffffff8990c562 R09: 1ffff11005a1084b
R10: dffffc0000000000 R11: ffffed1005a1084c R12: 1ffff11005a108e0
R13: ffff88801f600014 R14: ffff88802d084200 R15: dffffc0000000000
FS: 00007f92fcb0b6c0(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f92fcb0bd58 CR3: 000000002290e000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 08 48 89 or %cl,-0x77(%rax)
3: df e8 fucomip %st(0),%st
5: f8 clc
6: 0d 9d f6 48 8b or $0x8b48f69d,%eax
b: 44 24 28 rex.R and $0x28,%al
e: 4c 8d 68 14 lea 0x14(%rax),%r13
12: 48 8b 1b mov (%rbx),%rbx
15: 48 83 c3 0e add $0xe,%rbx
19: 48 89 d8 mov %rbx,%rax
1c: 48 c1 e8 03 shr $0x3,%rax
20: 49 bf 00 00 00 00 00 movabs $0xdffffc0000000000,%r15
27: fc ff df
* 2a: 42 0f b6 04 38 movzbl (%rax,%r15,1),%eax <-- trapping instruction
2f: 84 c0 test %al,%al
31: 0f 85 46 1b 00 00 jne 0x1b7d
37: 0f b7 1b movzwl (%rbx),%ebx
3a: 66 c1 c3 08 rol $0x8,%bx
3e: 4c rex.WR
3f: 89 .byte 0x89
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* Re: [syzbot] Re: [syzbot] [net?] [s390?] general protection fault in smc_diag_dump_proto
@ 2024-08-12 9:28 syzbot
From: syzbot @ 2024-08-12 9:28 UTC (permalink / raw)
To: linux-kernel

For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org.

***

Subject: Re: [syzbot] [net?] [s390?] general protection fault in smc_diag_dump_proto
Author: lizhi.xu@windriver.com

out already closed

#syz test: net-next d7e78951a8b8

diff --git a/fs/splice.c b/fs/splice.c
index 60aed8de21f8..67a5965c0793 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -1647,7 +1647,7 @@ SYSCALL_DEFINE6(splice, int, fd_in, loff_t __user *, off_in,
 	error = -EBADF;
 	in = fdget(fd_in);
 	if (in.file) {
-		out = fdget(fd_out);
+		out = fdget_raw(fd_out);
 		if (out.file) {
 			error = __do_splice(in.file, off_in, out.file, off_out,
 					    len, flags);
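Review bot: the switch from fdget() to fdget_raw() on fd_out does not match the stated theory ("out already closed"): the two helpers differ only in that fdget_raw() also returns files opened with O_PATH, so a closed descriptor still yields out.file == NULL and the -EBADF path, while O_PATH descriptors would now be handed to __do_splice(). The reported trace (splice_to_socket -> sock_sendmsg -> netlink_sendmsg -> smc_diag_dump_proto, net/smc/smc_diag.c:44) places the fault in the SMC diag dump, not in splice's descriptor lookup, so this test is unlikely to change the outcome.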
* Re: [syzbot] Re: [syzbot] [net?] [s390?] general protection fault in smc_diag_dump_proto
@ 2024-08-13 1:16 syzbot
From: syzbot @ 2024-08-13 1:16 UTC (permalink / raw)
To: linux-kernel

For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org.

***

Subject: Re: [syzbot] [net?] [s390?] general protection fault in smc_diag_dump_proto
Author: aha310510@gmail.com

#syz test git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

---
 net/smc/smc.h      | 19 ++++++++++---------
 net/smc/smc_inet.c | 24 +++++++++++++++---------
 2 files changed, 25 insertions(+), 18 deletions(-)

diff --git a/net/smc/smc.h b/net/smc/smc.h
index 34b781e463c4..f4d9338b5ed5 100644
--- a/net/smc/smc.h
+++ b/net/smc/smc.h
@@ -284,15 +284,6 @@ struct smc_connection {
 
 struct smc_sock {				/* smc sock container */
 	struct sock		sk;
-	struct socket		*clcsock;	/* internal tcp socket */
-	void			(*clcsk_state_change)(struct sock *sk);
-						/* original stat_change fct. */
-	void			(*clcsk_data_ready)(struct sock *sk);
-						/* original data_ready fct. */
-	void			(*clcsk_write_space)(struct sock *sk);
-						/* original write_space fct. */
-	void			(*clcsk_error_report)(struct sock *sk);
-						/* original error_report fct. */
 	struct smc_connection	conn;		/* smc connection */
 	struct smc_sock		*listen_smc;	/* listen parent */
 	struct work_struct	connect_work;	/* handle non-blocking connect*/
@@ -325,6 +316,16 @@ struct smc_sock {				/* smc sock container */
 						/* protects clcsock of a listen
 						 * socket
 						 * */
+	struct socket		*clcsock;	/* internal tcp socket */
+	void			(*clcsk_state_change)(struct sock *sk);
+						/* original stat_change fct. */
+	void			(*clcsk_data_ready)(struct sock *sk);
+						/* original data_ready fct. */
+	void			(*clcsk_write_space)(struct sock *sk);
+						/* original write_space fct. */
+	void			(*clcsk_error_report)(struct sock *sk);
+						/* original error_report fct. */
+
 };
 
 #define smc_sk(ptr) container_of_const(ptr, struct smc_sock, sk)
diff --git a/net/smc/smc_inet.c b/net/smc/smc_inet.c
index bece346dd8e9..3c54faef6042 100644
--- a/net/smc/smc_inet.c
+++ b/net/smc/smc_inet.c
@@ -60,16 +60,22 @@ static struct inet_protosw smc_inet_protosw = {
 };
 
 #if IS_ENABLED(CONFIG_IPV6)
+struct smc6_sock {
+	struct smc_sock		smc;
+	struct ipv6_pinfo	np;
+};
+
 static struct proto smc_inet6_prot = {
-	.name		= "INET6_SMC",
-	.owner		= THIS_MODULE,
-	.init		= smc_inet_init_sock,
-	.hash		= smc_hash_sk,
-	.unhash		= smc_unhash_sk,
-	.release_cb	= smc_release_cb,
-	.obj_size	= sizeof(struct smc_sock),
-	.h.smc_hash	= &smc_v6_hashinfo,
-	.slab_flags	= SLAB_TYPESAFE_BY_RCU,
+	.name			= "INET6_SMC",
+	.owner			= THIS_MODULE,
+	.init			= smc_inet_init_sock,
+	.hash			= smc_hash_sk,
+	.unhash			= smc_unhash_sk,
+	.release_cb		= smc_release_cb,
+	.obj_size		= sizeof(struct smc6_sock),
+	.h.smc_hash		= &smc_v6_hashinfo,
+	.slab_flags		= SLAB_TYPESAFE_BY_RCU,
+	.ipv6_pinfo_offset	= offsetof(struct smc6_sock, np),
 };
 
 static const struct proto_ops smc_inet6_stream_ops = {
-- 
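Review bot: the two smc.h hunks only move clcsock and the four clcsk_* callback pointers from the head of struct smc_sock to its tail, and the mail gives no reason for it; the report is a NULL-pointer dereference in smc_diag_msg_common_fill (net/smc/smc_diag.c:44), and relocating fields cannot remove a dereference through a NULL pointer, it only changes the offset that faults. The smc_inet.c hunk is an unrelated change (an smc6_sock wrapper so the INET6 proto carries an ipv6_pinfo area with a valid .ipv6_pinfo_offset, and .obj_size grown to match) and should be its own patch with a changelog explaining why the IPv6 proto needs it. Also drop the extra blank line added after clcsk_error_report at the end of the struct.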
* Re: [syzbot] Re: [syzbot] [net?] [s390?] general protection fault in smc_diag_dump_proto
@ 2024-08-13 3:21 syzbot
From: syzbot @ 2024-08-13 3:21 UTC (permalink / raw)
To: linux-kernel

For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org.

***

Subject: Re: [syzbot] [net?] [s390?] general protection fault in smc_diag_dump_proto
Author: aha310510@gmail.com

#syz test git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

---
 net/smc/smc.h      | 19 ++++++++++---------
 net/smc/smc_inet.c | 24 +++++++++++++++---------
 2 files changed, 25 insertions(+), 18 deletions(-)

diff --git a/net/smc/smc.h b/net/smc/smc.h
index 34b781e463c4..f4d9338b5ed5 100644
--- a/net/smc/smc.h
+++ b/net/smc/smc.h
@@ -284,15 +284,6 @@ struct smc_connection {
 
 struct smc_sock {				/* smc sock container */
 	struct sock		sk;
-	struct socket		*clcsock;	/* internal tcp socket */
-	void			(*clcsk_state_change)(struct sock *sk);
-						/* original stat_change fct. */
-	void			(*clcsk_data_ready)(struct sock *sk);
-						/* original data_ready fct. */
-	void			(*clcsk_write_space)(struct sock *sk);
-						/* original write_space fct. */
-	void			(*clcsk_error_report)(struct sock *sk);
-						/* original error_report fct. */
 	struct smc_connection	conn;		/* smc connection */
 	struct smc_sock		*listen_smc;	/* listen parent */
 	struct work_struct	connect_work;	/* handle non-blocking connect*/
@@ -325,6 +316,16 @@ struct smc_sock {				/* smc sock container */
 						/* protects clcsock of a listen
 						 * socket
 						 * */
+	struct socket		*clcsock;	/* internal tcp socket */
+	void			(*clcsk_state_change)(struct sock *sk);
+						/* original stat_change fct. */
+	void			(*clcsk_data_ready)(struct sock *sk);
+						/* original data_ready fct. */
+	void			(*clcsk_write_space)(struct sock *sk);
+						/* original write_space fct. */
+	void			(*clcsk_error_report)(struct sock *sk);
+						/* original error_report fct. */
+
 };
 
 #define smc_sk(ptr) container_of_const(ptr, struct smc_sock, sk)
diff --git a/net/smc/smc_inet.c b/net/smc/smc_inet.c
index bece346dd8e9..3c54faef6042 100644
--- a/net/smc/smc_inet.c
+++ b/net/smc/smc_inet.c
@@ -60,16 +60,22 @@ static struct inet_protosw smc_inet_protosw = {
 };
 
 #if IS_ENABLED(CONFIG_IPV6)
+struct smc6_sock {
+	struct smc_sock		smc;
+	struct ipv6_pinfo	np;
+};
+
 static struct proto smc_inet6_prot = {
-	.name		= "INET6_SMC",
-	.owner		= THIS_MODULE,
-	.init		= smc_inet_init_sock,
-	.hash		= smc_hash_sk,
-	.unhash		= smc_unhash_sk,
-	.release_cb	= smc_release_cb,
-	.obj_size	= sizeof(struct smc_sock),
-	.h.smc_hash	= &smc_v6_hashinfo,
-	.slab_flags	= SLAB_TYPESAFE_BY_RCU,
+	.name			= "INET6_SMC",
+	.owner			= THIS_MODULE,
+	.init			= smc_inet_init_sock,
+	.hash			= smc_hash_sk,
+	.unhash			= smc_unhash_sk,
+	.release_cb		= smc_release_cb,
+	.obj_size		= sizeof(struct smc6_sock),
+	.h.smc_hash		= &smc_v6_hashinfo,
+	.slab_flags		= SLAB_TYPESAFE_BY_RCU,
+	.ipv6_pinfo_offset	= offsetof(struct smc6_sock, np),
 };
 
 static const struct proto_ops smc_inet6_stream_ops = {
-- 
* Re: [syzbot] [net?] [s390?] general protection fault in smc_diag_dump_proto
@ 2024-09-18 9:05 Jeongjun Park
From: Jeongjun Park @ 2024-09-18 9:05 UTC (permalink / raw)
To: syzbot+f69bfae0a4eb29976e44; +Cc: syzkaller-bugs, linux-kernel

#syz test git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
* Re: [syzbot] [net?] [s390?] general protection fault in smc_diag_dump_proto
@ 2024-09-18 12:13 syzbot
From: syzbot @ 2024-09-18 12:13 UTC (permalink / raw)
To: aha310510, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in smc_diag_dump_proto

Oops: general protection fault, probably for non-canonical address 0xdffffc00000a2403: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: probably user-memory-access in range [0x0000000000512018-0x000000000051201f]
CPU: 0 UID: 0 PID: 6007 Comm: syz.1.56 Not tainted 6.11.0-syzkaller-05026-g39b3f4e0db5d-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
RIP: 0010:smc_diag_msg_common_fill net/smc/smc_diag.c:44 [inline]
RIP: 0010:__smc_diag_dump net/smc/smc_diag.c:89 [inline]
RIP: 0010:smc_diag_dump_proto+0x6d9/0x3270 net/smc/smc_diag.c:217
Code: 80 3c 2c 00 74 08 48 89 df e8 13 47 96 f6 48 89 5c 24 30 48 8b 1b 48 85 db 0f 84 2d 02 00 00 48 83 c3 18 48 89 d8 48 c1 e8 03 <42> 80 3c 28 00 74 08 48 89 df e8 e8 46 96 f6 48 8b 44 24 28 4c 8d
RSP: 0018:ffffc9000232eb00 EFLAGS: 00010206
RAX: 00000000000a2403 RBX: 0000000000512018 RCX: ffff888021765a00
RDX: 0000000000000000 RSI: 0000000080000001 RDI: 0000000000000000
RBP: ffffc9000232ef90 R08: ffffffff89984322 R09: 1ffff1100478378b
R10: dffffc0000000000 R11: ffffed100478378c R12: 1ffff1100478382b
R13: dffffc0000000000 R14: ffff888023c1bc00 R15: ffff88806a9a8010
FS: 00007f10eb3d36c0(0000) GS:ffff8880b9200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f10eb3d2fa8 CR3: 0000000029d36000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
smc_diag_dump+0x59/0xa0 net/smc/smc_diag.c:236
netlink_dump+0x647/0xd80 net/netlink/af_netlink.c:2325
__netlink_dump_start+0x5a2/0x790 net/netlink/af_netlink.c:2440
netlink_dump_start include/linux/netlink.h:339 [inline]
smc_diag_handler_dump+0x1ab/0x250 net/smc/smc_diag.c:251
sock_diag_rcv_msg+0x3dc/0x5f0
netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2550
netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]
netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1357
netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1901
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x221/0x270 net/socket.c:745
sock_sendmsg+0x134/0x200 net/socket.c:768
splice_to_socket+0xa10/0x10b0 fs/splice.c:889
do_splice_from fs/splice.c:941 [inline]
do_splice+0xd68/0x18e0 fs/splice.c:1354
__do_splice fs/splice.c:1436 [inline]
__do_sys_splice fs/splice.c:1652 [inline]
__se_sys_splice+0x331/0x4a0 fs/splice.c:1634
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f10ea575f19
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f10eb3d3048 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
RAX: ffffffffffffffda RBX: 00007f10ea706038 RCX: 00007f10ea575f19
RDX: 0000000000000005 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00007f10ea5e4e68 R08: 0000000080000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000006e R14: 00007f10ea706038 R15: 00007ffc7d1ca708
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:smc_diag_msg_common_fill net/smc/smc_diag.c:44 [inline]
RIP: 0010:__smc_diag_dump net/smc/smc_diag.c:89 [inline]
RIP: 0010:smc_diag_dump_proto+0x6d9/0x3270 net/smc/smc_diag.c:217
Code: 80 3c 2c 00 74 08 48 89 df e8 13 47 96 f6 48 89 5c 24 30 48 8b 1b 48 85 db 0f 84 2d 02 00 00 48 83 c3 18 48 89 d8 48 c1 e8 03 <42> 80 3c 28 00 74 08 48 89 df e8 e8 46 96 f6 48 8b 44 24 28 4c 8d
RSP: 0018:ffffc9000232eb00 EFLAGS: 00010206
RAX: 00000000000a2403 RBX: 0000000000512018 RCX: ffff888021765a00
RDX: 0000000000000000 RSI: 0000000080000001 RDI: 0000000000000000
RBP: ffffc9000232ef90 R08: ffffffff89984322 R09: 1ffff1100478378b
R10: dffffc0000000000 R11: ffffed100478378c R12: 1ffff1100478382b
R13: dffffc0000000000 R14: ffff888023c1bc00 R15: ffff88806a9a8010
FS: 00007f10eb3d36c0(0000) GS:ffff8880b9200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f10eb3d2fa8 CR3: 0000000029d36000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 80 3c 2c 00 cmpb $0x0,(%rsp,%rbp,1)
4: 74 08 je 0xe
6: 48 89 df mov %rbx,%rdi
9: e8 13 47 96 f6 call 0xf6964721
e: 48 89 5c 24 30 mov %rbx,0x30(%rsp)
13: 48 8b 1b mov (%rbx),%rbx
16: 48 85 db test %rbx,%rbx
19: 0f 84 2d 02 00 00 je 0x24c
1f: 48 83 c3 18 add $0x18,%rbx
23: 48 89 d8 mov %rbx,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 42 80 3c 28 00 cmpb $0x0,(%rax,%r13,1) <-- trapping instruction
2f: 74 08 je 0x39
31: 48 89 df mov %rbx,%rdi
34: e8 e8 46 96 f6 call 0xf6964721
39: 48 8b 44 24 28 mov 0x28(%rsp),%rax
3e: 4c rex.WR
3f: 8d .byte 0x8d

Tested on:

commit: 39b3f4e0 Merge tag 'hardening-v6.12-rc1' of git://git...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17a1c4a9980000
kernel config: https://syzkaller.appspot.com/x/.config?x=5c3b301db2ae9f24
dashboard link: https://syzkaller.appspot.com/bug?extid=f69bfae0a4eb29976e44
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Note: no patches were applied.
* Re: [syzbot] [net?] [s390?] general protection fault in smc_diag_dump_proto
@ 2024-09-18 16:04 Jeongjun Park
From: Jeongjun Park @ 2024-09-18 16:04 UTC (permalink / raw)
To: syzbot+f69bfae0a4eb29976e44; +Cc: syzkaller-bugs, linux-kernel

#syz test git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

---
 net/smc/smc_inet.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/net/smc/smc_inet.c b/net/smc/smc_inet.c
index a5b2041600f9..e101c8eee187 100644
--- a/net/smc/smc_inet.c
+++ b/net/smc/smc_inet.c
@@ -111,11 +111,17 @@ static struct inet_protosw smc_inet6_protosw = {
 static int smc_inet_init_sock(struct sock *sk)
 {
 	struct net *net = sock_net(sk);
+	int rc;
 
 	/* init common smc sock */
 	smc_sk_init(net, sk, IPPROTO_SMC);
 	/* create clcsock */
-	return smc_create_clcsk(net, sk, sk->sk_family);
+	rc = smc_create_clcsk(net, sk, sk->sk_family);
+
+	if (rc)
+		sk_common_release(sk);
+
+	return rc;
 }
 
 int __init smc_inet_init(void)
-- 
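Review bot: calling sk_common_release() from inside the proto ->init hook (smc_inet_init_sock) when smc_create_clcsk() fails is the wrong layer: inet_create() already calls sk_common_release() itself whenever ->init returns non-zero, so with this hunk the socket is released twice. Returning rc unchanged is sufficient; if the partially created clcsock needs tearing down, that belongs in smc_create_clcsk()'s own error path. The blank lines before and after `if (rc)` also break the compact style of the surrounding function. syzbot's reply later in the thread shows the reproducer still faulting at net/smc/smc_diag.c:44 with this patch applied, so the failure is not on this path.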
* Re: [syzbot] [net?] [s390?] general protection fault in smc_diag_dump_proto
@ 2024-09-18 16:43 syzbot
From: syzbot @ 2024-09-18 16:43 UTC (permalink / raw)
To: aha310510, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in smc_diag_dump_proto

Oops: general protection fault, probably for non-canonical address 0xdffffc00000a2403: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: probably user-memory-access in range [0x0000000000512018-0x000000000051201f]
CPU: 0 UID: 0 PID: 6289 Comm: syz.1.16 Not tainted 6.11.0-syzkaller-05319-g4a39ac5b7d62-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
RIP: 0010:smc_diag_msg_common_fill net/smc/smc_diag.c:44 [inline]
RIP: 0010:__smc_diag_dump net/smc/smc_diag.c:89 [inline]
RIP: 0010:smc_diag_dump_proto+0x6d9/0x3270 net/smc/smc_diag.c:217
Code: 80 3c 2c 00 74 08 48 89 df e8 a3 3a 96 f6 48 89 5c 24 30 48 8b 1b 48 85 db 0f 84 2d 02 00 00 48 83 c3 18 48 89 d8 48 c1 e8 03 <42> 80 3c 28 00 74 08 48 89 df e8 78 3a 96 f6 48 8b 44 24 28 4c 8d
RSP: 0018:ffffc900030beb00 EFLAGS: 00010206
RAX: 00000000000a2403 RBX: 0000000000512018 RCX: ffff888026420000
RDX: 0000000000000000 RSI: 0000000080000001 RDI: 0000000000000000
RBP: ffffc900030bef90 R08: ffffffff89989932 R09: 1ffff1100c1b418b
R10: dffffc0000000000 R11: ffffed100c1b418c R12: 1ffff1100c1b422b
R13: dffffc0000000000 R14: ffff888060da0c00 R15: ffff88806f750010
FS: 00007f5aa99ff6c0(0000) GS:ffff8880b9200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f5aa99fefa8 CR3: 0000000023558000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
smc_diag_dump+0x59/0xa0 net/smc/smc_diag.c:236
netlink_dump+0x647/0xd80 net/netlink/af_netlink.c:2325
__netlink_dump_start+0x5a2/0x790 net/netlink/af_netlink.c:2440
netlink_dump_start include/linux/netlink.h:339 [inline]
smc_diag_handler_dump+0x1ab/0x250 net/smc/smc_diag.c:251
sock_diag_rcv_msg+0x3dc/0x5f0
netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2550
netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]
netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1357
netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1901
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x221/0x270 net/socket.c:745
sock_sendmsg+0x134/0x200 net/socket.c:768
splice_to_socket+0xa10/0x10b0 fs/splice.c:889
do_splice_from fs/splice.c:941 [inline]
do_splice+0xd68/0x18e0 fs/splice.c:1354
__do_splice fs/splice.c:1436 [inline]
__do_sys_splice fs/splice.c:1652 [inline]
__se_sys_splice+0x331/0x4a0 fs/splice.c:1634
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f5aa9f75f19
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f5aa99ff048 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
RAX: ffffffffffffffda RBX: 00007f5aaa106038 RCX: 00007f5aa9f75f19
RDX: 0000000000000005 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00007f5aa9fe4e68 R08: 0000000080000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000006e R14: 00007f5aaa106038 R15: 00007ffe5e8646f8
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:smc_diag_msg_common_fill net/smc/smc_diag.c:44 [inline]
RIP: 0010:__smc_diag_dump net/smc/smc_diag.c:89 [inline]
RIP: 0010:smc_diag_dump_proto+0x6d9/0x3270 net/smc/smc_diag.c:217
Code: 80 3c 2c 00 74 08 48 89 df e8 a3 3a 96 f6 48 89 5c 24 30 48 8b 1b 48 85 db 0f 84 2d 02 00 00 48 83 c3 18 48 89 d8 48 c1 e8 03 <42> 80 3c 28 00 74 08 48 89 df e8 78 3a 96 f6 48 8b 44 24 28 4c 8d
RSP: 0018:ffffc900030beb00 EFLAGS: 00010206
RAX: 00000000000a2403 RBX: 0000000000512018 RCX: ffff888026420000
RDX: 0000000000000000 RSI: 0000000080000001 RDI: 0000000000000000
RBP: ffffc900030bef90 R08: ffffffff89989932 R09: 1ffff1100c1b418b
R10: dffffc0000000000 R11: ffffed100c1b418c R12: 1ffff1100c1b422b
R13: dffffc0000000000 R14: ffff888060da0c00 R15: ffff88806f750010
FS: 00007f5aa99ff6c0(0000) GS:ffff8880b9200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f5aa99fefa8 CR3: 0000000023558000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 80 3c 2c 00 cmpb $0x0,(%rsp,%rbp,1)
4: 74 08 je 0xe
6: 48 89 df mov %rbx,%rdi
9: e8 a3 3a 96 f6 call 0xf6963ab1
e: 48 89 5c 24 30 mov %rbx,0x30(%rsp)
13: 48 8b 1b mov (%rbx),%rbx
16: 48 85 db test %rbx,%rbx
19: 0f 84 2d 02 00 00 je 0x24c
1f: 48 83 c3 18 add $0x18,%rbx
23: 48 89 d8 mov %rbx,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 42 80 3c 28 00 cmpb $0x0,(%rax,%r13,1) <-- trapping instruction
2f: 74 08 je 0x39
31: 48 89 df mov %rbx,%rdi
34: e8 78 3a 96 f6 call 0xf6963ab1
39: 48 8b 44 24 28 mov 0x28(%rsp),%rax
3e: 4c rex.WR
3f: 8d .byte 0x8d

Tested on:

commit: 4a39ac5b Merge tag 'random-6.12-rc1-for-linus' of git:..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=102c269f980000
kernel config: https://syzkaller.appspot.com/x/.config?x=5c3b301db2ae9f24
dashboard link: https://syzkaller.appspot.com/bug?extid=f69bfae0a4eb29976e44
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=125fc4a9980000
* Re: [syzbot] [net?] [s390?] general protection fault in smc_diag_dump_proto
@ 2024-09-19 12:43 Jeongjun Park
From: Jeongjun Park @ 2024-09-19 12:43 UTC (permalink / raw)
To: syzbot+f69bfae0a4eb29976e44; +Cc: syzkaller-bugs, linux-kernel

#syz test git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

---
 net/smc/af_smc.c         | 176 +++++++++++++++++++--------------------
 net/smc/smc.h            |   7 +-
 net/smc/smc_cdc.c        |  40 ++++-----
 net/smc/smc_clc.c        |  28 +++----
 net/smc/smc_close.c      |  16 ++--
 net/smc/smc_core.c       |  68 +++++++--------
 net/smc/smc_rx.c         |  16 ++--
 net/smc/smc_stats.h      |  10 +--
 net/smc/smc_tracepoint.h |   4 +-
 net/smc/smc_tx.c         |  28 +++----
 10 files changed, 195 insertions(+), 198 deletions(-)

diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
index 8e3093938cd2..d2783e715604 100644
--- a/net/smc/af_smc.c
+++ b/net/smc/af_smc.c
@@ -132,7 +132,7 @@ static struct sock *smc_tcp_syn_recv_sock(const struct sock *sk,
 	    sk->sk_max_ack_backlog)
 		goto drop;
 
-	if (sk_acceptq_is_full(&smc->sk)) {
+	if (sk_acceptq_is_full(&smc->inet.sk)) {
 		NET_INC_STATS(sock_net(sk), LINUX_MIB_LISTENOVERFLOWS);
 		goto drop;
 	}
@@ -262,7 +262,7 @@ static void smc_fback_restore_callbacks(struct smc_sock *smc)
 static void smc_restore_fallback_changes(struct smc_sock *smc)
 {
 	if (smc->clcsock->file) { /* non-accepted sockets have no file yet */
-		smc->clcsock->file->private_data = smc->sk.sk_socket;
+		smc->clcsock->file->private_data = smc->inet.sk.sk_socket;
 		smc->clcsock->file = NULL;
 		smc_fback_restore_callbacks(smc);
 	}
@@ -270,7 +270,7 @@ static void smc_restore_fallback_changes(struct smc_sock *smc)
 
 static int __smc_release(struct smc_sock *smc)
 {
-	struct sock *sk = &smc->sk;
+	struct sock *sk = &smc->inet.sk;
 	int rc = 0;
 
 	if (!smc->use_fallback) {
@@ -327,7 +327,7 @@ int smc_release(struct socket *sock)
 		tcp_abort(smc->clcsock->sk, ECONNABORTED);
 
 	if (cancel_work_sync(&smc->connect_work))
-		sock_put(&smc->sk); /* sock_hold in smc_connect for passive closing */
+		sock_put(&smc->inet.sk); /* sock_hold in smc_connect for passive closing */
 
 	if (sk->sk_state == SMC_LISTEN)
 		/* smc_close_non_accepted() is called and acquires
@@ -496,7 +496,7 @@ static void smc_copy_sock_settings(struct sock *nsk, struct sock *osk,
 
 static void smc_copy_sock_settings_to_clc(struct smc_sock *smc)
 {
-	smc_copy_sock_settings(smc->clcsock->sk, &smc->sk, SK_FLAGS_SMC_TO_CLC);
+	smc_copy_sock_settings(smc->clcsock->sk, &smc->inet.sk, SK_FLAGS_SMC_TO_CLC);
 }
 
 #define SK_FLAGS_CLC_TO_SMC ((1UL << SOCK_URGINLINE) | \
@@ -506,7 +506,7 @@ static void smc_copy_sock_settings_to_clc(struct smc_sock *smc)
 /* copy only settings and flags relevant for smc from clc to smc socket */
 static void smc_copy_sock_settings_to_smc(struct smc_sock *smc)
 {
-	smc_copy_sock_settings(&smc->sk, smc->clcsock->sk, SK_FLAGS_CLC_TO_SMC);
+	smc_copy_sock_settings(&smc->inet.sk, smc->clcsock->sk, SK_FLAGS_CLC_TO_SMC);
 }
 
 /* register the new vzalloced sndbuf on all links */
@@ -757,7 +757,7 @@ static void smc_stat_inc_fback_rsn_cnt(struct smc_sock *smc,
 
 static void smc_stat_fallback(struct smc_sock *smc)
 {
-	struct net *net = sock_net(&smc->sk);
+	struct net *net = sock_net(&smc->inet.sk);
 
 	mutex_lock(&net->smc.mutex_fback_rsn);
 	if (smc->listen_smc) {
@@ -776,7 +776,7 @@ static void smc_fback_wakeup_waitqueue(struct smc_sock *smc, void *key)
 	struct socket_wq *wq;
 	__poll_t flags;
 
-	wq = rcu_dereference(smc->sk.sk_wq);
+	wq = rcu_dereference(smc->inet.sk.sk_wq);
 	if (!skwq_has_sleeper(wq))
 		return;
 
@@ -909,12 +909,12 @@ static int smc_switch_to_fallback(struct smc_sock *smc, int reason_code)
 	smc->fallback_rsn = reason_code;
 	smc_stat_fallback(smc);
 	trace_smc_switch_to_fallback(smc, reason_code);
-	if (smc->sk.sk_socket && smc->sk.sk_socket->file) {
-		smc->clcsock->file = smc->sk.sk_socket->file;
+	if (smc->inet.sk.sk_socket && smc->inet.sk.sk_socket->file) {
+		smc->clcsock->file = smc->inet.sk.sk_socket->file;
 		smc->clcsock->file->private_data = smc->clcsock;
 		smc->clcsock->wq.fasync_list =
-			smc->sk.sk_socket->wq.fasync_list;
-		smc->sk.sk_socket->wq.fasync_list = NULL;
+			smc->inet.sk.sk_socket->wq.fasync_list;
+		smc->inet.sk.sk_socket->wq.fasync_list = NULL;
 
 		/* There might be some wait entries remaining
 		 * in smc sk->sk_wq and they should be woken up
@@ -930,20 +930,20 @@ static int smc_switch_to_fallback(struct smc_sock *smc, int reason_code)
 /* fall back during connect */
 static int smc_connect_fallback(struct smc_sock *smc, int reason_code)
 {
-	struct net *net = sock_net(&smc->sk);
+	struct net *net = sock_net(&smc->inet.sk);
 	int rc = 0;
 
 	rc = smc_switch_to_fallback(smc, reason_code);
 	if (rc) { /* fallback fails */
 		this_cpu_inc(net->smc.smc_stats->clnt_hshake_err_cnt);
-		if (smc->sk.sk_state == SMC_INIT)
-			sock_put(&smc->sk); /* passive closing */
+		if (smc->inet.sk.sk_state == SMC_INIT)
+			sock_put(&smc->inet.sk); /* passive closing */
 		return rc;
 	}
 	smc_copy_sock_settings_to_clc(smc);
 	smc->connect_nonblock = 0;
-	if (smc->sk.sk_state == SMC_INIT)
-		smc->sk.sk_state = SMC_ACTIVE;
+	if (smc->inet.sk.sk_state == SMC_INIT)
+		smc->inet.sk.sk_state = SMC_ACTIVE;
 	return 0;
 }
 
@@ -951,21 +951,21 @@ static int smc_connect_fallback(struct smc_sock *smc, int reason_code)
 static int smc_connect_decline_fallback(struct smc_sock *smc, int reason_code,
 					u8 version)
 {
-	struct net *net = sock_net(&smc->sk);
+	struct net *net = sock_net(&smc->inet.sk);
 	int rc;
 
 	if (reason_code < 0) { /* error, fallback is not possible */
 		this_cpu_inc(net->smc.smc_stats->clnt_hshake_err_cnt);
-		if (smc->sk.sk_state == SMC_INIT)
-			sock_put(&smc->sk); /* passive closing */
+		if (smc->inet.sk.sk_state == SMC_INIT)
+			sock_put(&smc->inet.sk); /* passive closing */
 		return reason_code;
 	}
 	if (reason_code != SMC_CLC_DECL_PEERDECL) {
 		rc = smc_clc_send_decline(smc, reason_code, version);
 		if (rc < 0) {
 			this_cpu_inc(net->smc.smc_stats->clnt_hshake_err_cnt);
-			if (smc->sk.sk_state == SMC_INIT)
-				sock_put(&smc->sk); /* passive closing */
+			if (smc->inet.sk.sk_state == SMC_INIT)
+				sock_put(&smc->inet.sk); /* passive closing */
 			return rc;
 		}
 	}
@@ -1050,7 +1050,7 @@ static int smc_find_ism_v2_device_clnt(struct smc_sock *smc,
 			continue;
 		is_emulated = __smc_ism_is_emulated(chid);
 		if (!smc_pnet_is_pnetid_set(smcd->pnetid) ||
-		    smc_pnet_is_ndev_pnetid(sock_net(&smc->sk), smcd->pnetid)) {
+		    smc_pnet_is_ndev_pnetid(sock_net(&smc->inet.sk), smcd->pnetid)) {
 			if (is_emulated && entry == SMCD_CLC_MAX_V2_GID_ENTRIES)
 				/* It's the last GID-CHID entry left in CLC
 				 * Proposal SMC-Dv2 extension, but an Emulated-
@@ -1200,7 +1200,7 @@ static int smc_connect_rdma_v2_prepare(struct smc_sock *smc,
 {
 	struct smc_clc_first_contact_ext *fce =
 		smc_get_clc_first_contact_ext(aclc, false);
-	struct net *net = sock_net(&smc->sk);
+	struct net *net = sock_net(&smc->inet.sk);
 	int rc;
 
 	if (!ini->first_contact_peer || aclc->hdr.version == SMC_V1)
@@ -1347,8 +1347,8 @@ static int smc_connect_rdma(struct smc_sock *smc, smc_copy_sock_settings_to_clc(smc); smc->connect_nonblock = 0; - if (smc->sk.sk_state == SMC_INIT) - smc->sk.sk_state = SMC_ACTIVE; + if (smc->inet.sk.sk_state == SMC_INIT) + smc->inet.sk.sk_state = SMC_ACTIVE; return 0; connect_abort: @@ -1450,8 +1450,8 @@ static int smc_connect_ism(struct smc_sock *smc, smc_copy_sock_settings_to_clc(smc); smc->connect_nonblock = 0; - if (smc->sk.sk_state == SMC_INIT) - smc->sk.sk_state = SMC_ACTIVE; + if (smc->inet.sk.sk_state == SMC_INIT) + smc->inet.sk.sk_state = SMC_ACTIVE; return 0; connect_abort: @@ -1546,7 +1546,7 @@ static int __smc_connect(struct smc_sock *smc) /* -EAGAIN on timeout, see tcp_recvmsg() */ if (rc == -EAGAIN) { rc = -ETIMEDOUT; - smc->sk.sk_err = ETIMEDOUT; + smc->inet.sk.sk_err = ETIMEDOUT; } goto vlan_cleanup; } @@ -1586,14 +1586,14 @@ static void smc_connect_work(struct work_struct *work) { struct smc_sock *smc = container_of(work, struct smc_sock, connect_work); - long timeo = smc->sk.sk_sndtimeo; + long timeo = smc->inet.sk.sk_sndtimeo; int rc = 0; if (!timeo) timeo = MAX_SCHEDULE_TIMEOUT; lock_sock(smc->clcsock->sk); if (smc->clcsock->sk->sk_err) { - smc->sk.sk_err = smc->clcsock->sk->sk_err; + smc->inet.sk.sk_err = smc->clcsock->sk->sk_err; } else if ((1 << smc->clcsock->sk->sk_state) & (TCPF_SYN_SENT | TCPF_SYN_RECV)) { rc = sk_stream_wait_connect(smc->clcsock->sk, &timeo); 
@@ -1603,33 +1603,33 @@ static void smc_connect_work(struct work_struct *work) rc = 0; } release_sock(smc->clcsock->sk); - lock_sock(&smc->sk); - if (rc != 0 || smc->sk.sk_err) { - smc->sk.sk_state = SMC_CLOSED; + lock_sock(&smc->inet.sk); + if (rc != 0 || smc->inet.sk.sk_err) { + smc->inet.sk.sk_state = SMC_CLOSED; if (rc == -EPIPE || rc == -EAGAIN) - smc->sk.sk_err = EPIPE; + smc->inet.sk.sk_err = EPIPE; else if (rc == -ECONNREFUSED) - smc->sk.sk_err = ECONNREFUSED; + smc->inet.sk.sk_err = ECONNREFUSED; else if (signal_pending(current)) - smc->sk.sk_err = -sock_intr_errno(timeo); - sock_put(&smc->sk); /* passive closing */ + smc->inet.sk.sk_err = -sock_intr_errno(timeo); + sock_put(&smc->inet.sk); /* passive closing */ goto out; } rc = __smc_connect(smc); if (rc < 0) - smc->sk.sk_err = -rc; + smc->inet.sk.sk_err = -rc; out: - if (!sock_flag(&smc->sk, SOCK_DEAD)) { - if (smc->sk.sk_err) { - smc->sk.sk_state_change(&smc->sk); + if (!sock_flag(&smc->inet.sk, SOCK_DEAD)) { + if (smc->inet.sk.sk_err) { + smc->inet.sk.sk_state_change(&smc->inet.sk); } else { /* allow polling before and after fallback decision */ smc->clcsock->sk->sk_write_space(smc->clcsock->sk); - smc->sk.sk_write_space(&smc->sk); + smc->inet.sk.sk_write_space(&smc->inet.sk); } } - release_sock(&smc->sk); + release_sock(&smc->inet.sk); } int smc_connect(struct socket *sock, struct sockaddr *addr, @@ -1692,7 +1692,7 @@ int smc_connect(struct socket *sock, struct sockaddr *addr, sock->state = rc ? SS_CONNECTING : SS_CONNECTED; goto out; } - sock_hold(&smc->sk); /* sock put in passive closing */ + sock_hold(&smc->inet.sk); /* sock put in passive closing */ if (flags & O_NONBLOCK) { if (queue_work(smc_hs_wq, &smc->connect_work)) smc->connect_nonblock = 1; 
@@ -1716,7 +1716,7 @@ int smc_connect(struct socket *sock, struct sockaddr *addr, static int smc_clcsock_accept(struct smc_sock *lsmc, struct smc_sock **new_smc) { struct socket *new_clcsock = NULL; - struct sock *lsk = &lsmc->sk; + struct sock *lsk = &lsmc->inet.sk; struct sock *new_sk; int rc = -EINVAL; @@ -1793,7 +1793,7 @@ static void smc_accept_unlink(struct sock *sk) spin_lock(&par->accept_q_lock); list_del_init(&smc_sk(sk)->accept_q); spin_unlock(&par->accept_q_lock); - sk_acceptq_removed(&smc_sk(sk)->listen_smc->sk); + sk_acceptq_removed(&smc_sk(sk)->listen_smc->inet.sk); sock_put(sk); /* sock_hold in smc_accept_enqueue */ } @@ -1904,28 +1904,28 @@ static int smcr_serv_conf_first_link(struct smc_sock *smc) static void smc_listen_out(struct smc_sock *new_smc) { struct smc_sock *lsmc = new_smc->listen_smc; - struct sock *newsmcsk = &new_smc->sk; + struct sock *newsmcsk = &new_smc->inet.sk; if (tcp_sk(new_smc->clcsock->sk)->syn_smc) atomic_dec(&lsmc->queued_smc_hs); - if (lsmc->sk.sk_state == SMC_LISTEN) { - lock_sock_nested(&lsmc->sk, SINGLE_DEPTH_NESTING); - smc_accept_enqueue(&lsmc->sk, newsmcsk); - release_sock(&lsmc->sk); + if (lsmc->inet.sk.sk_state == SMC_LISTEN) { + lock_sock_nested(&lsmc->inet.sk, SINGLE_DEPTH_NESTING); + smc_accept_enqueue(&lsmc->inet.sk, newsmcsk); + release_sock(&lsmc->inet.sk); } else { /* no longer listening */ smc_close_non_accepted(newsmcsk); } /* Wake up accept */ - lsmc->sk.sk_data_ready(&lsmc->sk); - sock_put(&lsmc->sk); /* sock_hold in smc_tcp_listen_work */ + lsmc->inet.sk.sk_data_ready(&lsmc->inet.sk); + sock_put(&lsmc->inet.sk); /* sock_hold in smc_tcp_listen_work */ } /* listen worker: finish in state connected */ static void smc_listen_out_connected(struct smc_sock *new_smc) { - struct sock *newsmcsk = &new_smc->sk; + struct sock *newsmcsk = &new_smc->inet.sk; if (newsmcsk->sk_state == SMC_INIT) newsmcsk->sk_state = SMC_ACTIVE; 
@@ -1936,12 +1936,12 @@ static void smc_listen_out_connected(struct smc_sock *new_smc) /* listen worker: finish in error state */ static void smc_listen_out_err(struct smc_sock *new_smc) { - struct sock *newsmcsk = &new_smc->sk; + struct sock *newsmcsk = &new_smc->inet.sk; struct net *net = sock_net(newsmcsk); this_cpu_inc(net->smc.smc_stats->srv_hshake_err_cnt); if (newsmcsk->sk_state == SMC_INIT) - sock_put(&new_smc->sk); /* passive closing */ + sock_put(&new_smc->inet.sk); /* passive closing */ newsmcsk->sk_state = SMC_CLOSED; smc_listen_out(new_smc); @@ -2430,7 +2430,7 @@ static void smc_listen_work(struct work_struct *work) u8 accept_version; int rc = 0; - if (new_smc->listen_smc->sk.sk_state != SMC_LISTEN) + if (new_smc->listen_smc->inet.sk.sk_state != SMC_LISTEN) return smc_listen_out_err(new_smc); if (new_smc->use_fallback) { @@ -2565,7 +2565,7 @@ static void smc_tcp_listen_work(struct work_struct *work) { struct smc_sock *lsmc = container_of(work, struct smc_sock, tcp_listen_work); - struct sock *lsk = &lsmc->sk; + struct sock *lsk = &lsmc->inet.sk; struct smc_sock *new_smc; int rc = 0; @@ -2586,14 +2586,14 @@ static void smc_tcp_listen_work(struct work_struct *work) sock_hold(lsk); /* sock_put in smc_listen_work */ INIT_WORK(&new_smc->smc_listen_work, smc_listen_work); smc_copy_sock_settings_to_smc(new_smc); - sock_hold(&new_smc->sk); /* sock_put in passive closing */ + sock_hold(&new_smc->inet.sk); /* sock_put in passive closing */ if (!queue_work(smc_hs_wq, &new_smc->smc_listen_work)) - sock_put(&new_smc->sk); + sock_put(&new_smc->inet.sk); } out: release_sock(lsk); - sock_put(&lsmc->sk); /* sock_hold in smc_clcsock_data_ready() */ + sock_put(&lsmc->inet.sk); /* sock_hold in smc_clcsock_data_ready() */ } static void smc_clcsock_data_ready(struct sock *listen_clcsock) 
@@ -2605,10 +2605,10 @@ static void smc_clcsock_data_ready(struct sock *listen_clcsock) if (!lsmc) goto out; lsmc->clcsk_data_ready(listen_clcsock); - if (lsmc->sk.sk_state == SMC_LISTEN) { - sock_hold(&lsmc->sk); /* sock_put in smc_tcp_listen_work() */ + if (lsmc->inet.sk.sk_state == SMC_LISTEN) { + sock_hold(&lsmc->inet.sk); /* sock_put in smc_tcp_listen_work() */ if (!queue_work(smc_tcp_ls_wq, &lsmc->tcp_listen_work)) - sock_put(&lsmc->sk); + sock_put(&lsmc->inet.sk); } out: read_unlock_bh(&listen_clcsock->sk_callback_lock); @@ -2692,7 +2692,7 @@ int smc_accept(struct socket *sock, struct socket *new_sock, sock_hold(sk); /* sock_put below */ lock_sock(sk); - if (lsmc->sk.sk_state != SMC_LISTEN) { + if (lsmc->inet.sk.sk_state != SMC_LISTEN) { rc = -EINVAL; release_sock(sk); goto out; 
@@ -3167,36 +3167,36 @@ int smc_ioctl(struct socket *sock, unsigned int cmd, smc = smc_sk(sock->sk); conn = &smc->conn; - lock_sock(&smc->sk); + lock_sock(&smc->inet.sk); if (smc->use_fallback) { if (!smc->clcsock) { - release_sock(&smc->sk); + release_sock(&smc->inet.sk); return -EBADF; } answ = smc->clcsock->ops->ioctl(smc->clcsock, cmd, arg); - release_sock(&smc->sk); + release_sock(&smc->inet.sk); return answ; } switch (cmd) { case SIOCINQ: /* same as FIONREAD */ - if (smc->sk.sk_state == SMC_LISTEN) { - release_sock(&smc->sk); + if (smc->inet.sk.sk_state == SMC_LISTEN) { + release_sock(&smc->inet.sk); return -EINVAL; } - if (smc->sk.sk_state == SMC_INIT || - smc->sk.sk_state == SMC_CLOSED) + if (smc->inet.sk.sk_state == SMC_INIT || + smc->inet.sk.sk_state == SMC_CLOSED) answ = 0; else answ = atomic_read(&smc->conn.bytes_to_rcv); break; case SIOCOUTQ: /* output queue size (not send + not acked) */ - if (smc->sk.sk_state == SMC_LISTEN) { - release_sock(&smc->sk); + if (smc->inet.sk.sk_state == SMC_LISTEN) { + release_sock(&smc->inet.sk); return -EINVAL; } - if (smc->sk.sk_state == SMC_INIT || - smc->sk.sk_state == SMC_CLOSED) + if (smc->inet.sk.sk_state == SMC_INIT || + smc->inet.sk.sk_state == SMC_CLOSED) answ = 0; else answ = smc->conn.sndbuf_desc->len - 
@@ -3204,23 +3204,23 @@ int smc_ioctl(struct socket *sock, unsigned int cmd, break; case SIOCOUTQNSD: /* output queue size (not send only) */ - if (smc->sk.sk_state == SMC_LISTEN) { - release_sock(&smc->sk); + if (smc->inet.sk.sk_state == SMC_LISTEN) { + release_sock(&smc->inet.sk); return -EINVAL; } - if (smc->sk.sk_state == SMC_INIT || - smc->sk.sk_state == SMC_CLOSED) + if (smc->inet.sk.sk_state == SMC_INIT || + smc->inet.sk.sk_state == SMC_CLOSED) answ = 0; else answ = smc_tx_prepared_sends(&smc->conn); break; case SIOCATMARK: - if (smc->sk.sk_state == SMC_LISTEN) { - release_sock(&smc->sk); + if (smc->inet.sk.sk_state == SMC_LISTEN) { + release_sock(&smc->inet.sk); return -EINVAL; } - if (smc->sk.sk_state == SMC_INIT || - smc->sk.sk_state == SMC_CLOSED) { + if (smc->inet.sk.sk_state == SMC_INIT || + smc->inet.sk.sk_state == SMC_CLOSED) { answ = 0; } else { smc_curs_copy(&cons, &conn->local_tx_ctrl.cons, conn); @@ -3230,10 +3230,10 @@ int smc_ioctl(struct socket *sock, unsigned int cmd, } break; default: - release_sock(&smc->sk); + release_sock(&smc->inet.sk); return -ENOIOCTLCMD; } - release_sock(&smc->sk); + release_sock(&smc->inet.sk); return put_user(answ, (int __user *)arg); } @@ -3324,7 +3324,7 @@ int smc_create_clcsk(struct net *net, struct sock *sk, int family) /* smc_clcsock_release() does not wait smc->clcsock->sk's * destruction; its sk_state might not be TCP_CLOSE after - * smc->sk is close()d, and TCP timers can be fired later, + * smc->inet.sk is close()d, and TCP timers can be fired later, * which need net ref. */ sk = smc->clcsock->sk; diff --git a/net/smc/smc.h b/net/smc/smc.h index ad77d6b6b8d3..1caea41f04e9 100644 --- a/net/smc/smc.h +++ b/net/smc/smc.h 
@@ -283,10 +283,7 @@ struct smc_connection { }; struct smc_sock { /* smc sock container */ - struct sock sk; -#if IS_ENABLED(CONFIG_IPV6) - struct ipv6_pinfo *pinet6; -#endif + struct inet_sock inet; struct socket *clcsock; /* internal tcp socket */ void (*clcsk_state_change)(struct sock *sk); /* original stat_change fct. */ @@ -330,7 +327,7 @@ struct smc_sock { /* smc sock container */ * */ }; -#define smc_sk(ptr) container_of_const(ptr, struct smc_sock, sk) +#define smc_sk(ptr) container_of_const(ptr, struct smc_sock, inet.sk) static inline void smc_init_saved_callbacks(struct smc_sock *smc) { diff --git a/net/smc/smc_cdc.c b/net/smc/smc_cdc.c index 619b3bab3824..45d81c87b398 100644 --- a/net/smc/smc_cdc.c +++ b/net/smc/smc_cdc.c @@ -35,7 +35,7 @@ static void smc_cdc_tx_handler(struct smc_wr_tx_pend_priv *pnd_snd, sndbuf_desc = conn->sndbuf_desc; smc = container_of(conn, struct smc_sock, conn); - bh_lock_sock(&smc->sk); + bh_lock_sock(&smc->inet.sk); if (!wc_status && sndbuf_desc) { diff = smc_curs_diff(sndbuf_desc->len, &cdcpend->conn->tx_curs_fin, @@ -56,7 +56,7 @@ static void smc_cdc_tx_handler(struct smc_wr_tx_pend_priv *pnd_snd, * User context will later try to send when it release sock_lock * in smc_release_cb() */ - if (sock_owned_by_user(&smc->sk)) + if (sock_owned_by_user(&smc->inet.sk)) conn->tx_in_release_sock = true; else smc_tx_pending(conn); @@ -67,7 +67,7 @@ static void smc_cdc_tx_handler(struct smc_wr_tx_pend_priv *pnd_snd, WARN_ON(atomic_read(&conn->cdc_pend_tx_wr) < 0); smc_tx_sndbuf_nonfull(smc); - bh_unlock_sock(&smc->sk); + bh_unlock_sock(&smc->inet.sk); } int smc_cdc_get_free_slot(struct smc_connection *conn, 
@@ -294,7 +294,7 @@ static void smc_cdc_handle_urg_data_arrival(struct smc_sock *smc, /* new data included urgent business */ smc_curs_copy(&conn->urg_curs, &conn->local_rx_ctrl.prod, conn); conn->urg_state = SMC_URG_VALID; - if (!sock_flag(&smc->sk, SOCK_URGINLINE)) + if (!sock_flag(&smc->inet.sk, SOCK_URGINLINE)) /* we'll skip the urgent byte, so don't account for it */ (*diff_prod)--; base = (char *)conn->rmb_desc->cpu_addr + conn->rx_off; @@ -302,7 +302,7 @@ static void smc_cdc_handle_urg_data_arrival(struct smc_sock *smc, conn->urg_rx_byte = *(base + conn->urg_curs.count - 1); else conn->urg_rx_byte = *(base + conn->rmb_desc->len - 1); - sk_send_sigurg(&smc->sk); + sk_send_sigurg(&smc->inet.sk); } static void smc_cdc_msg_validate(struct smc_sock *smc, struct smc_cdc_msg *cdc, @@ -321,9 +321,9 @@ static void smc_cdc_msg_validate(struct smc_sock *smc, struct smc_cdc_msg *cdc, conn->local_tx_ctrl.conn_state_flags.peer_conn_abort = 1; conn->lnk = link; spin_unlock_bh(&conn->send_lock); - sock_hold(&smc->sk); /* sock_put in abort_work */ + sock_hold(&smc->inet.sk); /* sock_put in abort_work */ if (!queue_work(smc_close_wq, &conn->abort_work)) - sock_put(&smc->sk); + sock_put(&smc->inet.sk); } } @@ -383,10 +383,10 @@ static void smc_cdc_msg_recv_action(struct smc_sock *smc, atomic_add(diff_prod, &conn->bytes_to_rcv); /* guarantee 0 <= bytes_to_rcv <= rmb_desc->len */ smp_mb__after_atomic(); - smc->sk.sk_data_ready(&smc->sk); + smc->inet.sk.sk_data_ready(&smc->inet.sk); } else { if (conn->local_rx_ctrl.prod_flags.write_blocked) - smc->sk.sk_data_ready(&smc->sk); + smc->inet.sk.sk_data_ready(&smc->inet.sk); if (conn->local_rx_ctrl.prod_flags.urg_data_pending) conn->urg_state = SMC_URG_NOTYET; } 
@@ -395,7 +395,7 @@ static void smc_cdc_msg_recv_action(struct smc_sock *smc, if ((diff_cons && smc_tx_prepared_sends(conn)) || conn->local_rx_ctrl.prod_flags.cons_curs_upd_req || conn->local_rx_ctrl.prod_flags.urg_data_pending) { - if (!sock_owned_by_user(&smc->sk)) + if (!sock_owned_by_user(&smc->inet.sk)) smc_tx_pending(conn); else conn->tx_in_release_sock = true; @@ -405,32 +405,32 @@ static void smc_cdc_msg_recv_action(struct smc_sock *smc, atomic_read(&conn->peer_rmbe_space) == conn->peer_rmbe_size) { /* urg data confirmed by peer, indicate we're ready for more */ conn->urg_tx_pend = false; - smc->sk.sk_write_space(&smc->sk); + smc->inet.sk.sk_write_space(&smc->inet.sk); } if (conn->local_rx_ctrl.conn_state_flags.peer_conn_abort) { - smc->sk.sk_err = ECONNRESET; + smc->inet.sk.sk_err = ECONNRESET; conn->local_tx_ctrl.conn_state_flags.peer_conn_abort = 1; } if (smc_cdc_rxed_any_close_or_senddone(conn)) { - smc->sk.sk_shutdown |= RCV_SHUTDOWN; + smc->inet.sk.sk_shutdown |= RCV_SHUTDOWN; if (smc->clcsock && smc->clcsock->sk) smc->clcsock->sk->sk_shutdown |= RCV_SHUTDOWN; - smc_sock_set_flag(&smc->sk, SOCK_DONE); - sock_hold(&smc->sk); /* sock_put in close_work */ + smc_sock_set_flag(&smc->inet.sk, SOCK_DONE); + sock_hold(&smc->inet.sk); /* sock_put in close_work */ if (!queue_work(smc_close_wq, &conn->close_work)) - sock_put(&smc->sk); + sock_put(&smc->inet.sk); } } /* called under tasklet context */ static void smc_cdc_msg_recv(struct smc_sock *smc, struct smc_cdc_msg *cdc) { - sock_hold(&smc->sk); - bh_lock_sock(&smc->sk); + sock_hold(&smc->inet.sk); + bh_lock_sock(&smc->inet.sk); smc_cdc_msg_recv_action(smc, cdc); - bh_unlock_sock(&smc->sk); - sock_put(&smc->sk); /* no free sk in softirq-context */ + bh_unlock_sock(&smc->inet.sk); + sock_put(&smc->inet.sk); /* no free sk in softirq-context */ } /* Schedule a tasklet for this connection. Triggered from the ISM device IRQ diff --git a/net/smc/smc_clc.c b/net/smc/smc_clc.c index 33fa787c28eb..c08ebc55f2ad 100644 
--- a/net/smc/smc_clc.c +++ b/net/smc/smc_clc.c @@ -704,7 +704,7 @@ int smc_clc_wait_msg(struct smc_sock *smc, void *buf, int buflen, if (signal_pending(current)) { reason_code = -EINTR; clc_sk->sk_err = EINTR; - smc->sk.sk_err = EINTR; + smc->inet.sk.sk_err = EINTR; goto out; } if (clc_sk->sk_err) { @@ -713,17 +713,17 @@ int smc_clc_wait_msg(struct smc_sock *smc, void *buf, int buflen, expected_type == SMC_CLC_DECLINE) clc_sk->sk_err = 0; /* reset for fallback usage */ else - smc->sk.sk_err = clc_sk->sk_err; + smc->inet.sk.sk_err = clc_sk->sk_err; goto out; } if (!len) { /* peer has performed orderly shutdown */ - smc->sk.sk_err = ECONNRESET; + smc->inet.sk.sk_err = ECONNRESET; reason_code = -ECONNRESET; goto out; } if (len < 0) { if (len != -EAGAIN || expected_type != SMC_CLC_DECLINE) - smc->sk.sk_err = -len; + smc->inet.sk.sk_err = -len; reason_code = len; goto out; } @@ -732,7 +732,7 @@ int smc_clc_wait_msg(struct smc_sock *smc, void *buf, int buflen, (clcm->version < SMC_V1) || ((clcm->type != SMC_CLC_DECLINE) && (clcm->type != expected_type))) { - smc->sk.sk_err = EPROTO; + smc->inet.sk.sk_err = EPROTO; reason_code = -EPROTO; goto out; } @@ -749,7 +749,7 @@ int smc_clc_wait_msg(struct smc_sock *smc, void *buf, int buflen, krflags = MSG_WAITALL; len = sock_recvmsg(smc->clcsock, &msg, krflags); if (len < recvlen || !smc_clc_msg_hdr_valid(clcm, check_trl)) { - smc->sk.sk_err = EPROTO; + smc->inet.sk.sk_err = EPROTO; reason_code = -EPROTO; goto out; } @@ -835,7 +835,7 @@ int smc_clc_send_proposal(struct smc_sock *smc, struct smc_init_info *ini) struct smc_clc_smcd_gid_chid *gidchids; struct smc_clc_msg_proposal_area *pclc; struct smc_clc_ipv6_prefix *ipv6_prfx; - struct net *net = sock_net(&smc->sk); + struct net *net = sock_net(&smc->inet.sk); struct smc_clc_v2_extension *v2_ext; struct smc_clc_msg_smcd *pclc_smcd; struct smc_clc_msg_trail *trl; 
@@ -1015,11 +1015,11 @@ int smc_clc_send_proposal(struct smc_sock *smc, struct smc_init_info *ini) /* due to the few bytes needed for clc-handshake this cannot block */ len = kernel_sendmsg(smc->clcsock, &msg, vec, i, plen); if (len < 0) { - smc->sk.sk_err = smc->clcsock->sk->sk_err; - reason_code = -smc->sk.sk_err; + smc->inet.sk.sk_err = smc->clcsock->sk->sk_err; + reason_code = -smc->inet.sk.sk_err; } else if (len < ntohs(pclc_base->hdr.length)) { reason_code = -ENETUNREACH; - smc->sk.sk_err = -reason_code; + smc->inet.sk.sk_err = -reason_code; } kfree(pclc); @@ -1208,10 +1208,10 @@ int smc_clc_send_confirm(struct smc_sock *smc, bool clnt_first_contact, if (len < ntohs(cclc.hdr.length)) { if (len >= 0) { reason_code = -ENETUNREACH; - smc->sk.sk_err = -reason_code; + smc->inet.sk.sk_err = -reason_code; } else { - smc->sk.sk_err = smc->clcsock->sk->sk_err; - reason_code = -smc->sk.sk_err; + smc->inet.sk.sk_err = smc->clcsock->sk->sk_err; + reason_code = -smc->inet.sk.sk_err; } } return reason_code; @@ -1239,7 +1239,7 @@ int smc_clc_srv_v2x_features_validate(struct smc_sock *smc, struct smc_init_info *ini) { struct smc_clc_v2_extension *pclc_v2_ext; - struct net *net = sock_net(&smc->sk); + struct net *net = sock_net(&smc->inet.sk); ini->max_conns = SMC_CONN_PER_LGR_MAX; ini->max_links = SMC_LINKS_ADD_LNK_MAX; diff --git a/net/smc/smc_close.c b/net/smc/smc_close.c index 10219f55aad1..74020e9eba1b 100644 --- a/net/smc/smc_close.c +++ b/net/smc/smc_close.c @@ -49,7 +49,7 @@ static void smc_close_cleanup_listen(struct sock *parent) static void smc_close_stream_wait(struct smc_sock *smc, long timeout) { DEFINE_WAIT_FUNC(wait, woken_wake_function); - struct sock *sk = &smc->sk; + struct sock *sk = &smc->inet.sk; if (!timeout) return; 
@@ -82,7 +82,7 @@ void smc_close_wake_tx_prepared(struct smc_sock *smc) { if (smc->wait_close_tx_prepared) /* wake up socket closing */ - smc->sk.sk_state_change(&smc->sk); + smc->inet.sk.sk_state_change(&smc->inet.sk); } static int smc_close_wr(struct smc_connection *conn) @@ -113,7 +113,7 @@ int smc_close_abort(struct smc_connection *conn) static void smc_close_cancel_work(struct smc_sock *smc) { - struct sock *sk = &smc->sk; + struct sock *sk = &smc->inet.sk; release_sock(sk); if (cancel_work_sync(&smc->conn.close_work)) @@ -127,7 +127,7 @@ static void smc_close_cancel_work(struct smc_sock *smc) */ void smc_close_active_abort(struct smc_sock *smc) { - struct sock *sk = &smc->sk; + struct sock *sk = &smc->inet.sk; bool release_clcsock = false; if (sk->sk_state != SMC_INIT && smc->clcsock && smc->clcsock->sk) { @@ -195,7 +195,7 @@ int smc_close_active(struct smc_sock *smc) struct smc_cdc_conn_state_flags *txflags = &smc->conn.local_tx_ctrl.conn_state_flags; struct smc_connection *conn = &smc->conn; - struct sock *sk = &smc->sk; + struct sock *sk = &smc->inet.sk; int old_state; long timeout; int rc = 0; @@ -313,7 +313,7 @@ static void smc_close_passive_abort_received(struct smc_sock *smc) { struct smc_cdc_conn_state_flags *txflags = &smc->conn.local_tx_ctrl.conn_state_flags; - struct sock *sk = &smc->sk; + struct sock *sk = &smc->inet.sk; switch (sk->sk_state) { case SMC_INIT: @@ -361,7 +361,7 @@ static void smc_close_passive_work(struct work_struct *work) struct smc_sock *smc = container_of(conn, struct smc_sock, conn); struct smc_cdc_conn_state_flags *rxflags; bool release_clcsock = false; - struct sock *sk = &smc->sk; + struct sock *sk = &smc->inet.sk; int old_state; lock_sock(sk); @@ -447,7 +447,7 @@ static void smc_close_passive_work(struct work_struct *work) int smc_close_shutdown_write(struct smc_sock *smc) { struct smc_connection *conn = &smc->conn; - struct sock *sk = &smc->sk; + struct sock *sk = &smc->inet.sk; int old_state; long timeout; int rc = 0; 
diff --git a/net/smc/smc_core.c b/net/smc/smc_core.c index 3b95828d9976..86430ab7c0ef 100644 --- a/net/smc/smc_core.c +++ b/net/smc/smc_core.c @@ -180,7 +180,7 @@ static int smc_lgr_register_conn(struct smc_connection *conn, bool first) /* find a new alert_token_local value not yet used by some connection * in this link group */ - sock_hold(&smc->sk); /* sock_put in smc_lgr_unregister_conn() */ + sock_hold(&smc->inet.sk); /* sock_put in smc_lgr_unregister_conn() */ while (!conn->alert_token_local) { conn->alert_token_local = atomic_inc_return(&nexttoken); if (smc_lgr_find_conn(conn->alert_token_local, conn->lgr)) @@ -203,7 +203,7 @@ static void __smc_lgr_unregister_conn(struct smc_connection *conn) atomic_dec(&conn->lnk->conn_cnt); lgr->conns_num--; conn->alert_token_local = 0; - sock_put(&smc->sk); /* sock_hold in smc_lgr_register_conn() */ + sock_put(&smc->inet.sk); /* sock_hold in smc_lgr_register_conn() */ } /* Unregister connection from lgr @@ -1010,12 +1010,12 @@ static int smc_switch_cursor(struct smc_sock *smc, struct smc_cdc_tx_pend *pend, /* recalculate, value is used by tx_rdma_writes() */ atomic_set(&smc->conn.peer_rmbe_space, smc_write_space(conn)); - if (smc->sk.sk_state != SMC_INIT && - smc->sk.sk_state != SMC_CLOSED) { + if (smc->inet.sk.sk_state != SMC_INIT && + smc->inet.sk.sk_state != SMC_CLOSED) { rc = smcr_cdc_msg_send_validation(conn, pend, wr_buf); if (!rc) { queue_delayed_work(conn->lgr->tx_wq, &conn->tx_work, 0); - smc->sk.sk_data_ready(&smc->sk); + smc->inet.sk.sk_data_ready(&smc->inet.sk); } } else { smc_wr_tx_put_slot(conn->lnk, 
@@ -1072,23 +1072,23 @@ struct smc_link *smc_switch_conns(struct smc_link_group *lgr, continue; smc = container_of(conn, struct smc_sock, conn); /* conn->lnk not yet set in SMC_INIT state */ - if (smc->sk.sk_state == SMC_INIT) + if (smc->inet.sk.sk_state == SMC_INIT) continue; - if (smc->sk.sk_state == SMC_CLOSED || - smc->sk.sk_state == SMC_PEERCLOSEWAIT1 || - smc->sk.sk_state == SMC_PEERCLOSEWAIT2 || - smc->sk.sk_state == SMC_APPFINCLOSEWAIT || - smc->sk.sk_state == SMC_APPCLOSEWAIT1 || - smc->sk.sk_state == SMC_APPCLOSEWAIT2 || - smc->sk.sk_state == SMC_PEERFINCLOSEWAIT || - smc->sk.sk_state == SMC_PEERABORTWAIT || - smc->sk.sk_state == SMC_PROCESSABORT) { + if (smc->inet.sk.sk_state == SMC_CLOSED || + smc->inet.sk.sk_state == SMC_PEERCLOSEWAIT1 || + smc->inet.sk.sk_state == SMC_PEERCLOSEWAIT2 || + smc->inet.sk.sk_state == SMC_APPFINCLOSEWAIT || + smc->inet.sk.sk_state == SMC_APPCLOSEWAIT1 || + smc->inet.sk.sk_state == SMC_APPCLOSEWAIT2 || + smc->inet.sk.sk_state == SMC_PEERFINCLOSEWAIT || + smc->inet.sk.sk_state == SMC_PEERABORTWAIT || + smc->inet.sk.sk_state == SMC_PROCESSABORT) { spin_lock_bh(&conn->send_lock); smc_switch_link_and_count(conn, to_lnk); spin_unlock_bh(&conn->send_lock); continue; } - sock_hold(&smc->sk); + sock_hold(&smc->inet.sk); read_unlock_bh(&lgr->conns_lock); /* pre-fetch buffer outside of send_lock, might sleep */ rc = smc_cdc_get_free_slot(conn, to_lnk, &wr_buf, NULL, &pend); @@ -1099,7 +1099,7 @@ struct smc_link *smc_switch_conns(struct smc_link_group *lgr, smc_switch_link_and_count(conn, to_lnk); rc = smc_switch_cursor(smc, pend, wr_buf); spin_unlock_bh(&conn->send_lock); - sock_put(&smc->sk); + sock_put(&smc->inet.sk); if (rc) goto err_out; goto again; 
@@ -1442,9 +1442,9 @@ void smc_lgr_put(struct smc_link_group *lgr) static void smc_sk_wake_ups(struct smc_sock *smc) { - smc->sk.sk_write_space(&smc->sk); - smc->sk.sk_data_ready(&smc->sk); - smc->sk.sk_state_change(&smc->sk); + smc->inet.sk.sk_write_space(&smc->inet.sk); + smc->inet.sk.sk_data_ready(&smc->inet.sk); + smc->inet.sk.sk_state_change(&smc->inet.sk); } /* kill a connection */ @@ -1457,7 +1457,7 @@ static void smc_conn_kill(struct smc_connection *conn, bool soft) else smc_close_abort(conn); conn->killed = 1; - smc->sk.sk_err = ECONNABORTED; + smc->inet.sk.sk_err = ECONNABORTED; smc_sk_wake_ups(smc); if (conn->lgr->is_smcd) { smc_ism_unset_conn(conn); @@ -1511,11 +1511,11 @@ static void __smc_lgr_terminate(struct smc_link_group *lgr, bool soft) read_unlock_bh(&lgr->conns_lock); conn = rb_entry(node, struct smc_connection, alert_node); smc = container_of(conn, struct smc_sock, conn); - sock_hold(&smc->sk); /* sock_put below */ - lock_sock(&smc->sk); + sock_hold(&smc->inet.sk); /* sock_put below */ + lock_sock(&smc->inet.sk); smc_conn_kill(conn, soft); - release_sock(&smc->sk); - sock_put(&smc->sk); /* sock_hold above */ + release_sock(&smc->inet.sk); + sock_put(&smc->inet.sk); /* sock_hold above */ read_lock_bh(&lgr->conns_lock); node = rb_first(&lgr->conns_all); } @@ -1684,10 +1684,10 @@ static void smc_conn_abort_work(struct work_struct *work) abort_work); struct smc_sock *smc = container_of(conn, struct smc_sock, conn); - lock_sock(&smc->sk); + lock_sock(&smc->inet.sk); smc_conn_kill(conn, true); - release_sock(&smc->sk); - sock_put(&smc->sk); /* sock_hold done by schedulers of abort_work */ + release_sock(&smc->inet.sk); + sock_put(&smc->inet.sk); /* sock_hold done by schedulers of abort_work */ } void smcr_port_add(struct smc_ib_device *smcibdev, u8 ibport) 
@@ -1910,7 +1910,7 @@ static bool smcd_lgr_match(struct smc_link_group *lgr, int smc_conn_create(struct smc_sock *smc, struct smc_init_info *ini) { struct smc_connection *conn = &smc->conn; - struct net *net = sock_net(&smc->sk); + struct net *net = sock_net(&smc->inet.sk); struct list_head *lgr_list; struct smc_link_group *lgr; enum smc_lgr_role role; @@ -2370,10 +2370,10 @@ static int __smc_buf_create(struct smc_sock *smc, bool is_smcd, bool is_rmb) if (is_rmb) /* use socket recv buffer size (w/o overhead) as start value */ - bufsize = smc->sk.sk_rcvbuf / 2; + bufsize = smc->inet.sk.sk_rcvbuf / 2; else /* use socket send buffer size (w/o overhead) as start value */ - bufsize = smc->sk.sk_sndbuf / 2; + bufsize = smc->inet.sk.sk_sndbuf / 2; for (bufsize_comp = smc_compress_bufsize(bufsize, is_smcd, is_rmb); bufsize_comp >= 0; bufsize_comp--) { @@ -2432,7 +2432,7 @@ static int __smc_buf_create(struct smc_sock *smc, bool is_smcd, bool is_rmb) if (is_rmb) { conn->rmb_desc = buf_desc; conn->rmbe_size_comp = bufsize_comp; - smc->sk.sk_rcvbuf = bufsize * 2; + smc->inet.sk.sk_rcvbuf = bufsize * 2; atomic_set(&conn->bytes_to_rcv, 0); conn->rmbe_update_limit = smc_rmb_wnd_update_limit(buf_desc->len); @@ -2440,7 +2440,7 @@ static int __smc_buf_create(struct smc_sock *smc, bool is_smcd, bool is_rmb) smc_ism_set_conn(conn); /* map RMB/smcd_dev to conn */ } else { conn->sndbuf_desc = buf_desc; - smc->sk.sk_sndbuf = bufsize * 2; + smc->inet.sk.sk_sndbuf = bufsize * 2; atomic_set(&conn->sndbuf_space, bufsize); } return 0; @@ -2525,7 +2525,7 @@ int smcd_buf_attach(struct smc_sock *smc) if (rc) goto free; - smc->sk.sk_sndbuf = buf_desc->len; + smc->inet.sk.sk_sndbuf = buf_desc->len; buf_desc->cpu_addr = (u8 *)buf_desc->cpu_addr + sizeof(struct smcd_cdc_msg); buf_desc->len -= sizeof(struct smcd_cdc_msg); diff --git a/net/smc/smc_rx.c b/net/smc/smc_rx.c index f0cbe77a80b4..f713d3180d67 100644 --- a/net/smc/smc_rx.c +++ b/net/smc/smc_rx.c 
@@ -60,7 +60,7 @@ static int smc_rx_update_consumer(struct smc_sock *smc, union smc_host_cursor cons, size_t len) { struct smc_connection *conn = &smc->conn; - struct sock *sk = &smc->sk; + struct sock *sk = &smc->inet.sk; bool force = false; int diff, rc = 0; @@ -117,7 +117,7 @@ static void smc_rx_pipe_buf_release(struct pipe_inode_info *pipe, struct smc_spd_priv *priv = (struct smc_spd_priv *)buf->private; struct smc_sock *smc = priv->smc; struct smc_connection *conn; - struct sock *sk = &smc->sk; + struct sock *sk = &smc->inet.sk; if (sk->sk_state == SMC_CLOSED || sk->sk_state == SMC_PEERFINCLOSEWAIT || @@ -211,7 +211,7 @@ static int smc_rx_splice(struct pipe_inode_info *pipe, char *src, size_t len, bytes = splice_to_pipe(pipe, &spd); if (bytes > 0) { - sock_hold(&smc->sk); + sock_hold(&smc->inet.sk); if (!lgr->is_smcd && smc->conn.rmb_desc->is_vm) { for (i = 0; i < PAGE_ALIGN(bytes + offset) / PAGE_SIZE; i++) get_page(pages[i]); @@ -259,7 +259,7 @@ int smc_rx_wait(struct smc_sock *smc, long *timeo, struct smc_connection *conn = &smc->conn; struct smc_cdc_conn_state_flags *cflags = &conn->local_tx_ctrl.conn_state_flags; - struct sock *sk = &smc->sk; + struct sock *sk = &smc->inet.sk; int rc; if (fcrit(conn)) @@ -283,7 +283,7 @@ static int smc_rx_recv_urg(struct smc_sock *smc, struct msghdr *msg, int len, { struct smc_connection *conn = &smc->conn; union smc_host_cursor cons; - struct sock *sk = &smc->sk; + struct sock *sk = &smc->inet.sk; int rc = 0; if (sock_flag(sk, SOCK_URGINLINE) || @@ -360,7 +360,7 @@ int smc_rx_recvmsg(struct smc_sock *smc, struct msghdr *msg, if (unlikely(flags & MSG_ERRQUEUE)) return -EINVAL; /* future work for sk.sk_family == AF_SMC */ - sk = &smc->sk; + sk = &smc->inet.sk; if (sk->sk_state == SMC_LISTEN) return -ENOTCONN; if (flags & MSG_OOB) 
@@ -449,7 +449,7 @@ int smc_rx_recvmsg(struct smc_sock *smc, struct msghdr *msg, if (splbytes) smc_curs_add(conn->rmb_desc->len, &cons, splbytes); if (conn->urg_state == SMC_URG_VALID && - sock_flag(&smc->sk, SOCK_URGINLINE) && + sock_flag(&smc->inet.sk, SOCK_URGINLINE) && readable > 1) readable--; /* always stop at urgent Byte */ /* not more than what user space asked for */ @@ -509,7 +509,7 @@ int smc_rx_recvmsg(struct smc_sock *smc, struct msghdr *msg, /* Initialize receive properties on connection establishment. NB: not __init! */ void smc_rx_init(struct smc_sock *smc) { - smc->sk.sk_data_ready = smc_rx_wake_up; + smc->inet.sk.sk_data_ready = smc_rx_wake_up; atomic_set(&smc->conn.splice_pending, 0); smc->conn.urg_state = SMC_URG_READ; } diff --git a/net/smc/smc_stats.h b/net/smc/smc_stats.h index e19177ce4092..baaac41a8974 100644 --- a/net/smc/smc_stats.h +++ b/net/smc/smc_stats.h @@ -108,7 +108,7 @@ while (0) #define SMC_STAT_TX_PAYLOAD(_smc, length, rcode) \ do { \ typeof(_smc) __smc = _smc; \ - struct net *_net = sock_net(&__smc->sk); \ + struct net *_net = sock_net(&__smc->inet.sk); \ struct smc_stats __percpu *_smc_stats = _net->smc.smc_stats; \ typeof(length) _len = (length); \ typeof(rcode) _rc = (rcode); \ @@ -123,7 +123,7 @@ while (0) #define SMC_STAT_RX_PAYLOAD(_smc, length, rcode) \ do { \ typeof(_smc) __smc = _smc; \ - struct net *_net = sock_net(&__smc->sk); \ + struct net *_net = sock_net(&__smc->inet.sk); \ struct smc_stats __percpu *_smc_stats = _net->smc.smc_stats; \ typeof(length) _len = (length); \ typeof(rcode) _rc = (rcode); \ @@ -154,7 +154,7 @@ while (0) #define SMC_STAT_RMB_SIZE(_smc, _is_smcd, _is_rx, _len) \ do { \ - struct net *_net = sock_net(&(_smc)->sk); \ + struct net *_net = sock_net(&(_smc)->inet.sk); \ struct smc_stats __percpu *_smc_stats = _net->smc.smc_stats; \ typeof(_is_smcd) is_d = (_is_smcd); \ typeof(_is_rx) is_r = (_is_rx); \ 
@@ -172,7 +172,7 @@ while (0) #define SMC_STAT_RMB(_smc, type, _is_smcd, _is_rx) \ do { \ - struct net *net = sock_net(&(_smc)->sk); \ + struct net *net = sock_net(&(_smc)->inet.sk); \ struct smc_stats __percpu *_smc_stats = net->smc.smc_stats; \ typeof(_is_smcd) is_d = (_is_smcd); \ typeof(_is_rx) is_r = (_is_rx); \ @@ -218,7 +218,7 @@ while (0) do { \ typeof(_smc) __smc = _smc; \ bool is_smcd = !(__smc)->conn.lnk; \ - struct net *net = sock_net(&(__smc)->sk); \ + struct net *net = sock_net(&(__smc)->inet.sk); \ struct smc_stats __percpu *smc_stats = net->smc.smc_stats; \ if ((is_smcd)) \ this_cpu_inc(smc_stats->smc[SMC_TYPE_D].type); \ diff --git a/net/smc/smc_tracepoint.h b/net/smc/smc_tracepoint.h index a9a6e3c1113a..243fb8647cfe 100644 --- a/net/smc/smc_tracepoint.h +++ b/net/smc/smc_tracepoint.h @@ -27,7 +27,7 @@ TRACE_EVENT(smc_switch_to_fallback, ), TP_fast_assign( - const struct sock *sk = &smc->sk; + const struct sock *sk = &smc->inet.sk; const struct sock *clcsk = smc->clcsock->sk; __entry->sk = sk; @@ -55,7 +55,7 @@ DECLARE_EVENT_CLASS(smc_msg_event, ), TP_fast_assign( - const struct sock *sk = &smc->sk; + const struct sock *sk = &smc->inet.sk; __entry->smc = smc; __entry->net_cookie = sock_net(sk)->net_cookie; diff --git a/net/smc/smc_tx.c b/net/smc/smc_tx.c index 214ac3cbcf9a..29e780aee677 100644 --- a/net/smc/smc_tx.c +++ b/net/smc/smc_tx.c @@ -66,9 +66,9 @@ static void smc_tx_write_space(struct sock *sk) */ void smc_tx_sndbuf_nonfull(struct smc_sock *smc) { - if (smc->sk.sk_socket && - test_bit(SOCK_NOSPACE, &smc->sk.sk_socket->flags)) - smc->sk.sk_write_space(&smc->sk); + if (smc->inet.sk.sk_socket && + test_bit(SOCK_NOSPACE, &smc->inet.sk.sk_socket->flags)) + smc->inet.sk.sk_write_space(&smc->inet.sk); } /* blocks sndbuf producer until at least one byte of free space available 
@@ -78,7 +78,7 @@ static int smc_tx_wait(struct smc_sock *smc, int flags) { DEFINE_WAIT_FUNC(wait, woken_wake_function); struct smc_connection *conn = &smc->conn; - struct sock *sk = &smc->sk; + struct sock *sk = &smc->inet.sk; long timeo; int rc = 0; @@ -148,7 +148,7 @@ static bool smc_should_autocork(struct smc_sock *smc) int corking_size; corking_size = min_t(unsigned int, conn->sndbuf_desc->len >> 1, - sock_net(&smc->sk)->smc.sysctl_autocorking_size); + sock_net(&smc->inet.sk)->smc.sysctl_autocorking_size); if (atomic_read(&conn->cdc_pend_tx_wr) == 0 || smc_tx_prepared_sends(conn) > corking_size) @@ -184,7 +184,7 @@ int smc_tx_sendmsg(struct smc_sock *smc, struct msghdr *msg, size_t len) size_t chunk_len, chunk_off, chunk_len_sum; struct smc_connection *conn = &smc->conn; union smc_host_cursor prep; - struct sock *sk = &smc->sk; + struct sock *sk = &smc->inet.sk; char *sndbuf_base; int tx_cnt_prep; int writespace; @@ -211,8 +211,8 @@ int smc_tx_sendmsg(struct smc_sock *smc, struct msghdr *msg, size_t len) SMC_STAT_INC(smc, urg_data_cnt); while (msg_data_left(msg)) { - if (smc->sk.sk_shutdown & SEND_SHUTDOWN || - (smc->sk.sk_err == ECONNABORTED) || + if (smc->inet.sk.sk_shutdown & SEND_SHUTDOWN || + (smc->inet.sk.sk_err == ECONNABORTED) || conn->killed) return -EPIPE; if (smc_cdc_rxed_any_close(conn)) @@ -562,8 +562,8 @@ static int smcr_tx_sndbuf_nonempty(struct smc_connection *conn) struct smc_sock *smc = container_of(conn, struct smc_sock, conn); - if (smc->sk.sk_err == ECONNABORTED) - return sock_error(&smc->sk); + if (smc->inet.sk.sk_err == ECONNABORTED) + return sock_error(&smc->inet.sk); if (conn->killed) return -EPIPE; rc = 0; @@ -664,7 +664,7 @@ void smc_tx_pending(struct smc_connection *conn) struct smc_sock *smc = container_of(conn, struct smc_sock, conn); int rc; - if (smc->sk.sk_err) + if (smc->inet.sk.sk_err) return; rc = smc_tx_sndbuf_nonempty(conn); 
@@ -684,9 +684,9 @@ void smc_tx_work(struct work_struct *work) tx_work); struct smc_sock *smc = container_of(conn, struct smc_sock, conn); - lock_sock(&smc->sk); + lock_sock(&smc->inet.sk); smc_tx_pending(conn); - release_sock(&smc->sk); + release_sock(&smc->inet.sk); } void smc_tx_consumer_update(struct smc_connection *conn, bool force) @@ -730,5 +730,5 @@ void smc_tx_consumer_update(struct smc_connection *conn, bool force) /* Initialize send properties on connection establishment. NB: not __init! */ void smc_tx_init(struct smc_sock *smc) { - smc->sk.sk_write_space = smc_tx_write_space; + smc->inet.sk.sk_write_space = smc_tx_write_space; } -- ^ permalink raw reply related [flat|nested] 18+ messages in thread
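Review bot: in the smc_stats.h hunk for SMC_STAT_RMB (@@ -172,7) the rewritten line `struct net *net = sock_net(&(_smc)->inet.sk);` keeps the macro-local named `net`, and the @@ -218,7 hunk does the same, while the three preceding macros in the same file (SMC_STAT_TX_PAYLOAD, SMC_STAT_RX_PAYLOAD, SMC_STAT_RMB_SIZE) name that local `_net`. Since these lines are being touched anyway, renaming both to `_net` would make the macro-local naming uniform and keeps the underscore convention that prevents a caller's own `net` from being shadowed inside the do/while block.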
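Review bot: at the final hunk (smc_tx_init in smc_tx.c) the series ends having only substituted `smc->sk` with `smc->inet.sk` in smc_core.c, smc_rx.c, smc_stats.h, smc_tracepoint.h and smc_tx.c; nothing in these hunks touches net/smc/smc_diag.c, where the syzbot trace in this thread places the fault (smc_diag_msg_common_fill, inlined into __smc_diag_dump and smc_diag_dump_proto). A pure relocation of the embedded sock does not change what that dump path dereferences, so the commit message should explain how it is expected to remove the null-ptr-deref, or the series needs a hunk for smc_diag.c as well.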
* Re: [syzbot] [net?] [s390?] general protection fault in smc_diag_dump_proto
In reply to: Jeongjun Park, 2024-09-19 12:43
From: syzbot @ 2024-09-19 17:34 UTC
To: aha310510, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in smc_diag_dump_proto

Oops: general protection fault, probably for non-canonical address 0xfbd5a5d5a0000003: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: maybe wild-memory-access in range [0xdead4ead00000018-0xdead4ead0000001f]
CPU: 0 UID: 0 PID: 6342 Comm: syz.0.53 Not tainted 6.11.0-syzkaller-07337-g2004cef11ea0-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
RIP: 0010:smc_diag_msg_common_fill net/smc/smc_diag.c:44 [inline]
RIP: 0010:__smc_diag_dump net/smc/smc_diag.c:89 [inline]
RIP: 0010:smc_diag_dump_proto+0x6d9/0x3270 net/smc/smc_diag.c:217
Code: 80 3c 2c 00 74 08 48 89 df e8 e3 0e 96 f6 48 89 5c 24 30 48 8b 1b 48 85 db 0f 84 2d 02 00 00 48 83 c3 18 48 89 d8 48 c1 e8 03 <42> 80 3c 28 00 74 08 48 89 df e8 b8 0e 96 f6 48 8b 44 24 28 4c 8d
RSP: 0018:ffffc90002f2eb00 EFLAGS: 00010a06
RAX: 1bd5a9d5a0000003 RBX: dead4ead00000018 RCX: ffff8880205c1e00
RDX: 0000000000000000 RSI: 0000000080000001 RDI: 0000000000000000
RBP: ffffc90002f2ef90 R08: ffffffff8999ab82 R09: 1ffff1100fa0900b
R10: dffffc0000000000 R11: ffffed100fa0900c R12: 1ffff1100fa090c5
R13: dffffc0000000000 R14: ffff88807d048000 R15: ffff888022a68010
FS:  00007f5b5848e6c0(0000) GS:ffff8880b9200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f5b5848dfa8 CR3: 00000000279b8000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 smc_diag_dump+0x59/0xa0 net/smc/smc_diag.c:236
 netlink_dump+0x647/0xd80 net/netlink/af_netlink.c:2325
 __netlink_dump_start+0x5a2/0x790 net/netlink/af_netlink.c:2440
 netlink_dump_start include/linux/netlink.h:339 [inline]
 smc_diag_handler_dump+0x1ab/0x250 net/smc/smc_diag.c:251
 sock_diag_rcv_msg+0x3dc/0x5f0
 netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2550
 netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]
 netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1357
 netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1901
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg+0x221/0x270 net/socket.c:745
 sock_sendmsg+0x134/0x200 net/socket.c:768
 splice_to_socket+0xa10/0x10b0 fs/splice.c:889
 do_splice_from fs/splice.c:941 [inline]
 do_splice+0xd68/0x18e0 fs/splice.c:1354
 __do_splice fs/splice.c:1436 [inline]
 __do_sys_splice fs/splice.c:1652 [inline]
 __se_sys_splice+0x331/0x4a0 fs/splice.c:1634
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f5b57775f19
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f5b5848e048 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
RAX: ffffffffffffffda RBX: 00007f5b57906038 RCX: 00007f5b57775f19
RDX: 0000000000000005 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00007f5b577e4e68 R08: 0000000080000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000006e R14: 00007f5b57906038 R15: 00007ffdbb5552f8
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:smc_diag_msg_common_fill net/smc/smc_diag.c:44 [inline]
RIP: 0010:__smc_diag_dump net/smc/smc_diag.c:89 [inline]
RIP: 0010:smc_diag_dump_proto+0x6d9/0x3270 net/smc/smc_diag.c:217
Code: 80 3c 2c 00 74 08 48 89 df e8 e3 0e 96 f6 48 89 5c 24 30 48 8b 1b 48 85 db 0f 84 2d 02 00 00 48 83 c3 18 48 89 d8 48 c1 e8 03 <42> 80 3c 28 00 74 08 48 89 df e8 b8 0e 96 f6 48 8b 44 24 28 4c 8d
RSP: 0018:ffffc90002f2eb00 EFLAGS: 00010a06
RAX: 1bd5a9d5a0000003 RBX: dead4ead00000018 RCX: ffff8880205c1e00
RDX: 0000000000000000 RSI: 0000000080000001 RDI: 0000000000000000
RBP: ffffc90002f2ef90 R08: ffffffff8999ab82 R09: 1ffff1100fa0900b
R10: dffffc0000000000 R11: ffffed100fa0900c R12: 1ffff1100fa090c5
R13: dffffc0000000000 R14: ffff88807d048000 R15: ffff888022a68010
FS:  00007f5b5848e6c0(0000) GS:ffff8880b9200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f5b5848dfa8 CR3: 00000000279b8000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:  80 3c 2c 00             cmpb   $0x0,(%rsp,%rbp,1)
   4:  74 08                   je     0xe
   6:  48 89 df                mov    %rbx,%rdi
   9:  e8 e3 0e 96 f6          call   0xf6960ef1
   e:  48 89 5c 24 30          mov    %rbx,0x30(%rsp)
  13:  48 8b 1b                mov    (%rbx),%rbx
  16:  48 85 db                test   %rbx,%rbx
  19:  0f 84 2d 02 00 00       je     0x24c
  1f:  48 83 c3 18             add    $0x18,%rbx
  23:  48 89 d8                mov    %rbx,%rax
  26:  48 c1 e8 03             shr    $0x3,%rax
* 2a:  42 80 3c 28 00          cmpb   $0x0,(%rax,%r13,1) <-- trapping instruction
  2f:  74 08                   je     0x39
  31:  48 89 df                mov    %rbx,%rdi
  34:  e8 b8 0e 96 f6          call   0xf6960ef1
  39:  48 8b 44 24 28          mov    0x28(%rsp),%rax
  3e:  4c                      rex.WR
  3f:  8d                      .byte 0x8d

Tested on:

commit:         2004cef1 Merge tag 'sched-core-2024-09-19' of git://gi..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1228b69f980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=45ec9bead13b378d
dashboard link: https://syzkaller.appspot.com/bug?extid=f69bfae0a4eb29976e44
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=114ba607980000
* Re: [syzbot] [smc?] general protection fault in smc_diag_dump_proto
From: syzbot @ 2025-12-07 4:29 UTC
To: agordeev, aha310510, alibuda, davem, dust.li, edumazet, gbayer, guwen, horms, jaka, julianr, kuba, linux-kernel, linux-rdma, linux-s390, lizhi.xu, netdev, pabeni, sidraya, syzkaller-bugs, tonylu, wenjia, wintera

syzbot suspects this issue was fixed by commit:

commit d324a2ca3f8efd57f5839aa2690554a5cbb3586f
Author: Alexandra Winter <wintera@linux.ibm.com>
Date:   Thu Sep 18 11:04:50 2025 +0000

    dibs: Register smc as dibs_client

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=16d64eb4580000
start commit:   dbb9a7ef3478 net: fjes: use ethtool string helpers
git tree:       net-next
kernel config:  https://syzkaller.appspot.com/x/.config?x=a9d1c42858837b59
dashboard link: https://syzkaller.appspot.com/bug?extid=f69bfae0a4eb29976e44
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=178f0d5f980000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=10906b40580000

If the result looks correct, please mark the issue as fixed by replying with:

#syz fix: dibs: Register smc as dibs_client

For information about bisection process see: https://goo.gl/tpsmEJ#bisection
* Re: [syzbot] [smc?] general protection fault in smc_diag_dump_proto
In reply to: syzbot, 2025-12-07 4:29
From: Alexandra Winter @ 2025-12-17 9:39 UTC
To: syzbot, agordeev, aha310510, alibuda, davem, dust.li, edumazet, gbayer, guwen, horms, jaka, julianr, kuba, linux-kernel, linux-rdma, linux-s390, lizhi.xu, netdev, pabeni, sidraya, syzkaller-bugs, tonylu, wenjia

On 07.12.25 05:29, syzbot wrote:
> syzbot suspects this issue was fixed by commit:
>
> commit d324a2ca3f8efd57f5839aa2690554a5cbb3586f
> Author: Alexandra Winter <wintera@linux.ibm.com>
> Date:   Thu Sep 18 11:04:50 2025 +0000
>
>     dibs: Register smc as dibs_client
>
> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=16d64eb4580000
> start commit:   dbb9a7ef3478 net: fjes: use ethtool string helpers
> git tree:       net-next
> kernel config:  https://syzkaller.appspot.com/x/.config?x=a9d1c42858837b59
> dashboard link: https://syzkaller.appspot.com/bug?extid=f69bfae0a4eb29976e44
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=178f0d5f980000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=10906b40580000
>
> If the result looks correct, please mark the issue as fixed by replying with:
>
> #syz fix: dibs: Register smc as dibs_client
>
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection

Unfortunately, I don't think d324a2ca3f8e ("dibs: Register smc as dibs_client") has fixed this issue.

IIUC, https://syzkaller.appspot.com/bug?extid=f69bfae0a4eb29976e44 shows an occurrence on 2025/10/17 13:18 on net-next 7e0d4c111369, and that code level already contains the bisected commit 7e0d4c111369.

Looking at net/smc/af_smc.c:smc_init(), I think the bisected patch has changed the timing of smc_ism_init(), which may have led to the bisect result.

I think the issue may stem from the order of calls in smc_init(). Especially smc_nl_init(), proto_register(&smc_proto, 1), proto_register(&smc_proto6, 1) and sock_register(&smc_sock_family_ops) are all being called before:

INIT_HLIST_HEAD(&smc_v4_hashinfo.ht);
INIT_HLIST_HEAD(&smc_v6_hashinfo.ht);

I think this can lead to the described "KASAN: null-ptr-deref" when calling smc_diag_handler() while the module is still being initialized.

I tried to reproduce such a race by calling smc_pnet and 'modprobe -r smc_diag smc', but I did not hit a KASAN warning with that setting. I'll send a patch nevertheless.
* Forwarded: Re: [syzbot] [smc?] general protection fault in smc_diag_dump_proto 2024-08-09 16:27 [syzbot] [net?] [s390?] general protection fault in smc_diag_dump_proto syzbot ` (6 preceding siblings ...) 2025-12-07 4:29 ` [syzbot] [smc?] " syzbot @ 2025-12-16 17:15 ` syzbot 2025-12-17 8:18 ` Forwarded: " syzbot 2025-12-22 9:50 ` Forwarded: Re: [PATCH net] net/smc: Initialize smc hashtables before registering users syzbot 9 siblings, 0 replies; 18+ messages in thread From: syzbot @ 2025-12-16 17:15 UTC (permalink / raw) To: linux-kernel, syzkaller-bugs For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com. *** Subject: Re: [syzbot] [smc?] general protection fault in smc_diag_dump_proto Author: wintera@linux.ibm.com #syz test --- a/net/smc/af_smc.c +++ b/net/smc/af_smc.c @@ -3524,6 +3524,9 @@ static int __init smc_init(void) goto out_pernet_subsys_stat; smc_clc_init(); + INIT_HLIST_HEAD(&smc_v4_hashinfo.ht); + INIT_HLIST_HEAD(&smc_v6_hashinfo.ht); + rc = smc_nl_init(); if (rc) goto out_ism; @@ -3581,8 +3584,6 @@ static int __init smc_init(void) pr_err("%s: sock_register fails with %d\n", __func__, rc); goto out_proto6; } - INIT_HLIST_HEAD(&smc_v4_hashinfo.ht); - INIT_HLIST_HEAD(&smc_v6_hashinfo.ht); rc = smc_ib_register_client(); if (rc) { ^ permalink raw reply [flat|nested] 18+ messages in thread
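Review bot: the hunk that moves `INIT_HLIST_HEAD(&smc_v4_hashinfo.ht);` and `INIT_HLIST_HEAD(&smc_v6_hashinfo.ht);` ahead of smc_nl_init() carries no justification in its context for why a list-head initialisation must precede generic-netlink registration. The dump path in the reports in this thread (smc_diag_dump reached through sock_diag_rcv_msg) is registered with sock_diag_register() from the smc_diag module rather than through smc_nl_init(), as Dust Li points out further down, so moving the two lines earlier is harmless but does not by itself close the window being described. The commit message should name the caller that can reach `.ht` before the original position and, since both hashinfo objects appear to be file-scope (and therefore zero-initialised at load, which for an hlist_head is the same state INIT_HLIST_HEAD() produces), say why the explicit initialisation is needed at all rather than relying on static initialisation.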
* Forwarded: [syzbot] [smc?] general protection fault in smc_diag_dump_proto 2024-08-09 16:27 [syzbot] [net?] [s390?] general protection fault in smc_diag_dump_proto syzbot ` (7 preceding siblings ...) 2025-12-16 17:15 ` Forwarded: " syzbot @ 2025-12-17 8:18 ` syzbot 2025-12-22 9:50 ` Forwarded: Re: [PATCH net] net/smc: Initialize smc hashtables before registering users syzbot 9 siblings, 0 replies; 18+ messages in thread From: syzbot @ 2025-12-17 8:18 UTC (permalink / raw) To: linux-kernel, syzkaller-bugs For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com. *** Subject: [syzbot] [smc?] general protection fault in smc_diag_dump_proto Author: wintera@linux.ibm.com #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git ffff5c8fc2af --- a/net/smc/af_smc.c +++ b/net/smc/af_smc.c @@ -3524,6 +3524,9 @@ static int __init smc_init(void) goto out_pernet_subsys_stat; smc_clc_init(); + INIT_HLIST_HEAD(&smc_v4_hashinfo.ht); + INIT_HLIST_HEAD(&smc_v6_hashinfo.ht); + rc = smc_nl_init(); if (rc) goto out_ism; @@ -3581,8 +3584,6 @@ static int __init smc_init(void) pr_err("%s: sock_register fails with %d\n", __func__, rc); goto out_proto6; } - INIT_HLIST_HEAD(&smc_v4_hashinfo.ht); - INIT_HLIST_HEAD(&smc_v6_hashinfo.ht); rc = smc_ib_register_client(); if (rc) { ^ permalink raw reply [flat|nested] 18+ messages in thread
* Forwarded: Re: [PATCH net] net/smc: Initialize smc hashtables before registering users
From: syzbot @ 2025-12-22 9:50 UTC
To: linux-kernel, syzkaller-bugs

For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Re: [PATCH net] net/smc: Initialize smc hashtables before registering users
Author: wintera@linux.ibm.com

On 17.12.25 16:25, Dust Li wrote:
> On 2025-12-17 12:48:19, Alexandra Winter wrote:
>> During initialisation of the SMC module initialize smc_v4/6_hashinfo before
>> calling smc_nl_init(), proto_register() or sock_register(), to avoid a race
>> that can cause use of an uninitialised pointer in case an smc protocol is
>> called before the module is done initialising.
>>
>> syzbot report:
>> KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
>> Call Trace:
>> <TASK>
>> smc_diag_dump+0x59/0xa0 net/smc/smc_diag.c:236
>> netlink_dump+0x647/0xd80 net/netlink/af_netlink.c:2325
>> __netlink_dump_start+0x59f/0x780 net/netlink/af_netlink.c:2440
>> netlink_dump_start include/linux/netlink.h:339 [inline]
>> smc_diag_handler_dump+0x1ab/0x250 net/smc/smc_diag.c:251
>> sock_diag_rcv_msg+0x3dc/0x5f0
>> netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2550
>> netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]
>> netlink_unicast+0x7f0/0x990 net/netlink/af_netlink.c:1357
>> netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1901
>
> I don't think this is related to smc_nl_init().
>
> Here the calltrace is smc_diag_dump(), which was registered in
> sock_diag_register(&smc_diag_handler).
>
> But smc_nl_init() is registering the general netlink in SMC,
> which is unrelated to smc_diag_dump().

I had assumed some dependency between the smc netlink diag socket and smc_nl_init(), and wrongly assumed that smc_diag_init() and smc_init() could race.
I now understand that modprobe will ensure smc_diag_init() is called before smc_init(), so you are right: this patch is indeed NOT a fix for this syzbot report [1].

> I think the root cause should be related to the initializing between
> smc_diag.ko and smc_v4/6_hashinfo.ht.

Given modprobe initializes the modules sequentially, I do not see how these could race.

I guess this syzbot report was fixed by f584239a9ed2 ("net/smc: fix general protection fault in __smc_diag_dump"), as reported in [2].

I'm not sure about the correct procedure; if nobody recommends a better action, I'll send a

#syz dup: general protection fault in __smc_diag_dump

to syzbot+f69bfae0a4eb29976e44@syzkaller.appspotmail.com (this one: general protection fault in smc_diag_dump_proto [1]).

I still think initializing the hashtables before smc_nl_init() makes sense. I'll resend this patch without mentioning syzbot.

-----
[1] https://syzkaller.appspot.com/bug?extid=f69bfae0a4eb29976e44
[2] https://syzkaller.appspot.com/bug?extid=f775be4458668f7d220e
* Re: [syzbot] [net?] [s390?] general protection fault in smc_diag_dump_proto
In reply to: [not found] <20240812092841.3289430-1-lizhi.xu@windriver.com>
From: syzbot @ 2024-08-12 19:49 UTC
To: linux-kernel, lizhi.xu, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in smc_diag_dump_proto

Oops: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 0 PID: 6159 Comm: syz.0.21 Not tainted 6.10.0-syzkaller-09703-gd7e78951a8b8-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
RIP: 0010:smc_diag_msg_common_fill net/smc/smc_diag.c:44 [inline]
RIP: 0010:__smc_diag_dump net/smc/smc_diag.c:89 [inline]
RIP: 0010:smc_diag_dump_proto+0x709/0x3270 net/smc/smc_diag.c:217
Code: 08 48 89 df e8 f8 0d 9d f6 48 8b 44 24 28 4c 8d 68 14 48 8b 1b 48 83 c3 0e 48 89 d8 48 c1 e8 03 49 bf 00 00 00 00 00 fc ff df <42> 0f b6 04 38 84 c0 0f 85 46 1b 00 00 0f b7 1b 66 c1 c3 08 4c 89
RSP: 0018:ffffc9000358eb00 EFLAGS: 00010203
RAX: 0000000000000001 RBX: 000000000000000e RCX: ffff888069659e00
RDX: 0000000000000000 RSI: 0000000080000001 RDI: 0000000000000000
RBP: ffffc9000358ef90 R08: ffffffff8990c562 R09: 1ffff1100eef084b
R10: dffffc0000000000 R11: ffffed100eef084c R12: 1ffff1100eef08e0
R13: ffff8880777f0014 R14: ffff888077784200 R15: dffffc0000000000
FS:  00007fddae9ea6c0(0000) GS:ffff8880b9200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fddae9e9fa8 CR3: 00000000736f2000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 smc_diag_dump+0x59/0xa0 net/smc/smc_diag.c:236
 netlink_dump+0x647/0xd80 net/netlink/af_netlink.c:2325
 __netlink_dump_start+0x59f/0x780 net/netlink/af_netlink.c:2440
 netlink_dump_start include/linux/netlink.h:339 [inline]
 smc_diag_handler_dump+0x1ab/0x250 net/smc/smc_diag.c:251
 sock_diag_rcv_msg+0x3dc/0x5f0
 netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2550
 netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]
 netlink_unicast+0x7f0/0x990 net/netlink/af_netlink.c:1357
 netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1901
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg+0x221/0x270 net/socket.c:745
 sock_sendmsg+0x134/0x200 net/socket.c:768
 splice_to_socket+0xa13/0x10b0 fs/splice.c:889
 do_splice_from fs/splice.c:941 [inline]
 do_splice+0xd77/0x1900 fs/splice.c:1354
 __do_splice fs/splice.c:1436 [inline]
 __do_sys_splice fs/splice.c:1652 [inline]
 __se_sys_splice+0x331/0x4a0 fs/splice.c:1634
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fddadb75f19
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fddae9ea048 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
RAX: ffffffffffffffda RBX: 00007fddadd06038 RCX: 00007fddadb75f19
RDX: 0000000000000005 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00007fddadbe4e68 R08: 0000000080000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000006e R14: 00007fddadd06038 R15: 00007ffc243501f8
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:smc_diag_msg_common_fill net/smc/smc_diag.c:44 [inline]
RIP: 0010:__smc_diag_dump net/smc/smc_diag.c:89 [inline]
RIP: 0010:smc_diag_dump_proto+0x709/0x3270 net/smc/smc_diag.c:217
Code: 08 48 89 df e8 f8 0d 9d f6 48 8b 44 24 28 4c 8d 68 14 48 8b 1b 48 83 c3 0e 48 89 d8 48 c1 e8 03 49 bf 00 00 00 00 00 fc ff df <42> 0f b6 04 38 84 c0 0f 85 46 1b 00 00 0f b7 1b 66 c1 c3 08 4c 89
RSP: 0018:ffffc9000358eb00 EFLAGS: 00010203
RAX: 0000000000000001 RBX: 000000000000000e RCX: ffff888069659e00
RDX: 0000000000000000 RSI: 0000000080000001 RDI: 0000000000000000
RBP: ffffc9000358ef90 R08: ffffffff8990c562 R09: 1ffff1100eef084b
R10: dffffc0000000000 R11: ffffed100eef084c R12: 1ffff1100eef08e0
R13: ffff8880777f0014 R14: ffff888077784200 R15: dffffc0000000000
FS:  00007fddae9ea6c0(0000) GS:ffff8880b9200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fddae9e9fa8 CR3: 00000000736f2000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:  08 48 89                or     %cl,-0x77(%rax)
   3:  df e8                   fucomip %st(0),%st
   5:  f8                      clc
   6:  0d 9d f6 48 8b          or     $0x8b48f69d,%eax
   b:  44 24 28                rex.R and $0x28,%al
   e:  4c 8d 68 14             lea    0x14(%rax),%r13
  12:  48 8b 1b                mov    (%rbx),%rbx
  15:  48 83 c3 0e             add    $0xe,%rbx
  19:  48 89 d8                mov    %rbx,%rax
  1c:  48 c1 e8 03             shr    $0x3,%rax
  20:  49 bf 00 00 00 00 00    movabs $0xdffffc0000000000,%r15
  27:  fc ff df
* 2a:  42 0f b6 04 38          movzbl (%rax,%r15,1),%eax <-- trapping instruction
  2f:  84 c0                   test   %al,%al
  31:  0f 85 46 1b 00 00       jne    0x1b7d
  37:  0f b7 1b                movzwl (%rbx),%ebx
  3a:  66 c1 c3 08             rol    $0x8,%bx
  3e:  4c                      rex.WR
  3f:  89                      .byte 0x89

Tested on:

commit:         d7e78951 Merge tag 'net-6.11-rc0' of git://git.kernel...
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=137931c5980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=a6f4e2cb79bdcd45
dashboard link: https://syzkaller.appspot.com/bug?extid=f69bfae0a4eb29976e44
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1363c96d980000
* Re: [syzbot] [net?] [s390?] general protection fault in smc_diag_dump_proto
In reply to: [not found] <150BE896-1707-44C5-B741-C9F42F712269@gmail.com>
From: syzbot @ 2024-08-13 1:22 UTC
To: aha310510, linux-kernel, syzkaller-bugs

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to apply patch:
checking file net/smc/smc.h
patch: **** malformed patch at line 6: diff --git a/net/smc/smc_inet.c b/net/smc/smc_inet.c

Tested on:

commit:         d74da846 Merge tag 'platform-drivers-x86-v6.11-3' of g..
git tree:       upstream
kernel config:  https://syzkaller.appspot.com/x/.config?x=a6f4e2cb79bdcd45
dashboard link: https://syzkaller.appspot.com/bug?extid=f69bfae0a4eb29976e44
compiler:
patch:          https://syzkaller.appspot.com/x/patch.diff?x=171c9d13980000
* Re: [syzbot] [net?] [s390?] general protection fault in smc_diag_dump_proto
In reply to: [not found] <20240813032139.161994-1-aha310510@gmail.com>
From: syzbot @ 2024-08-13 3:58 UTC
To: aha310510, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+f69bfae0a4eb29976e44@syzkaller.appspotmail.com
Tested-by: syzbot+f69bfae0a4eb29976e44@syzkaller.appspotmail.com

Tested on:

commit:         d74da846 Merge tag 'platform-drivers-x86-v6.11-3' of g..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14c6fee5980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=801d05d1ea4be1b8
dashboard link: https://syzkaller.appspot.com/bug?extid=f69bfae0a4eb29976e44
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1046fee5980000

Note: testing is done by a robot and is best-effort only.