From: Dust Li <dust.li@linux.alibaba.com>
To: Alexandra Winter <wintera@linux.ibm.com>,
David Miller <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Eric Dumazet <edumazet@google.com>,
Andrew Lunn <andrew+netdev@lunn.ch>,
"D. Wythe" <alibuda@linux.alibaba.com>,
Sidraya Jayagond <sidraya@linux.ibm.com>,
Wenjia Zhang <wenjia@linux.ibm.com>
Cc: netdev@vger.kernel.org, linux-s390@vger.kernel.org,
Aswin Karuvally <aswin@linux.ibm.com>,
Heiko Carstens <hca@linux.ibm.com>,
Vasily Gorbik <gor@linux.ibm.com>,
Alexander Gordeev <agordeev@linux.ibm.com>,
Christian Borntraeger <borntraeger@linux.ibm.com>,
Sven Schnelle <svens@linux.ibm.com>,
Simon Horman <horms@kernel.org>,
Mahanta Jambigi <mjambigi@linux.ibm.com>,
Tony Lu <tonylu@linux.alibaba.com>,
Wen Gu <guwen@linux.alibaba.com>,
linux-rdma@vger.kernel.org, stable@vger.kernel.org,
syzbot+f69bfae0a4eb29976e44@syzkaller.appspotmail.com
Subject: Re: [PATCH net] net/smc: Initialize smc hashtables before registering users
Date: Wed, 17 Dec 2025 23:25:38 +0800
Message-ID: <aULLcudhF10_sZO6@linux.alibaba.com>
In-Reply-To: <20251217114819.2725882-1-wintera@linux.ibm.com>
On 2025-12-17 12:48:19, Alexandra Winter wrote:
>During initialisation of the SMC module initialize smc_v4/6_hashinfo before
>calling smc_nl_init(), proto_register() or sock_register(), to avoid a race
>that can cause use of an uninitialised pointer in case an smc protocol is
>called before the module is done initialising.
>
>syzbot report:
>KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
>Call Trace:
> <TASK>
> smc_diag_dump+0x59/0xa0 net/smc/smc_diag.c:236
> netlink_dump+0x647/0xd80 net/netlink/af_netlink.c:2325
> __netlink_dump_start+0x59f/0x780 net/netlink/af_netlink.c:2440
> netlink_dump_start include/linux/netlink.h:339 [inline]
> smc_diag_handler_dump+0x1ab/0x250 net/smc/smc_diag.c:251
> sock_diag_rcv_msg+0x3dc/0x5f0
> netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2550
> netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]
> netlink_unicast+0x7f0/0x990 net/netlink/af_netlink.c:1357
> netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1901

I don't think this is related to smc_nl_init().
Here the calltrace is smc_diag_dump(), which was registered in
sock_diag_register(&smc_diag_handler).
But smc_nl_init() is registering the general netlink in SMC,
which is unrelated to smc_diag_dump().
I think the root cause should be related to the initialization between
smc_diag.ko and smc_v4/6_hashinfo.ht.
The change in your previous patch 'dibs: Register smc as dibs_client'
may change the possibility of this bug.

Best regards,
Dust

>
>Fixes: f16a7dd5cf27 ("smc: netlink interface for SMC sockets")
>Reported-by: syzbot+f69bfae0a4eb29976e44@syzkaller.appspotmail.com
>Closes: https://syzkaller.appspot.com/bug?extid=f69bfae0a4eb29976e44
>Signed-off-by: Alexandra Winter <wintera@linux.ibm.com>
>---
> net/smc/af_smc.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
>diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
>index f97f77b041d9..b0f4405fb714 100644
>--- a/net/smc/af_smc.c
>+++ b/net/smc/af_smc.c
>@@ -3524,6 +3524,9 @@ static int __init smc_init(void)
> goto out_pernet_subsys_stat;
> smc_clc_init();
>
>+ INIT_HLIST_HEAD(&smc_v4_hashinfo.ht);
>+ INIT_HLIST_HEAD(&smc_v6_hashinfo.ht);
>+
> rc = smc_nl_init();
> if (rc)
> goto out_ism;
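Review bot: the two added INIT_HLIST_HEAD() lines now sit before smc_nl_init(), but nothing in the hunk records why this position matters; a one-line comment such as `/* must precede proto_register()/sock_register() and any diag user */` above them would keep a later refactor from moving the calls back down. Since smc_v4_hashinfo and smc_v6_hashinfo are addressed here as globals, initialising their `.ht` member statically with HLIST_HEAD_INIT in the definitions would remove the ordering dependency altogether and make this hunk unnecessary.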
>@@ -3581,8 +3584,6 @@ static int __init smc_init(void)
> pr_err("%s: sock_register fails with %d\n", __func__, rc);
> goto out_proto6;
> }
>- INIT_HLIST_HEAD(&smc_v4_hashinfo.ht);
>- INIT_HLIST_HEAD(&smc_v6_hashinfo.ht);
>
> rc = smc_ib_register_client();
> if (rc) {
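Review bot: dropping the initialisation from after sock_register() closes the window in which proto_register() and sock_register() had already exposed the protocol with an uninitialised hashtable, but the syzbot trace quoted above reaches the hashtable through smc_diag_dump() called from sock_diag_rcv_msg(), a path that none of smc_nl_init(), proto_register() or sock_register() orders; the commit message should state how the new position closes that path, or whether the diag handler registration needs the same ordering guarantee.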
>--
>2.51.0
Thread overview: 5+ messages
2025-12-17 11:48 [PATCH net] net/smc: Initialize smc hashtables before registering users Alexandra Winter
2025-12-17 11:50 ` kernel test robot
2025-12-17 15:25 ` Dust Li [this message]
2025-12-22 9:50 ` Alexandra Winter
2025-12-23 8:00 ` Dust Li