From: Dust Li <dust.li@linux.alibaba.com>
To: Weiming Shi <bestswngs@gmail.com>,
	"D . Wythe" <alibuda@linux.alibaba.com>,
	Sidraya Jayagond <sidraya@linux.ibm.com>,
	Wenjia Zhang <wenjia@linux.ibm.com>,
	"David S . Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>
Cc: Mahanta Jambigi <mjambigi@linux.ibm.com>,
	Tony Lu <tonylu@linux.alibaba.com>,
	Wen Gu <guwen@linux.alibaba.com>, Simon Horman <horms@kernel.org>,
	Ursula Braun <ubraun@linux.vnet.ibm.com>,
	Ren Wei <n05ec@lzu.edu.cn>,
	linux-rdma@vger.kernel.org, linux-s390@vger.kernel.org,
	netdev@vger.kernel.org, Xiang Mei <xmei5@asu.edu>
Subject: Re: [PATCH net] net/smc: fix NULL pointer dereference in smc_clc_wait_msg()
Date: Thu, 23 Apr 2026 19:18:35 +0800	[thread overview]
Message-ID: <aeoAC_rsoqNpmAdl@linux.alibaba.com> (raw)
In-Reply-To: <20260423100205.1093987-3-bestswngs@gmail.com>

On 2026-04-23 03:02:07, Weiming Shi wrote:

Hi Weiming,

Ren Wei has already sent the patch to the mailing list:

[PATCH net 1/1] net/smc: avoid early lgr access in smc_clc_wait_msg

Best regards,
Dust

>In smc_listen_work(), smc_clc_wait_msg() is called to wait for a CLC
>PROPOSAL message before any link group has been created, so
>smc->conn.lgr is still NULL at this point. smc_clc_wait_msg() also
>accepts CLC DECLINE messages regardless of the expected type. When a
>DECLINE with SMC_FIRST_CONTACT_MASK set in hdr.typev2 arrives, the code
>unconditionally dereferences smc->conn.lgr to set sync_err, causing a
>NULL pointer dereference.
>
>KASAN reported a null-ptr-deref in smc_clc_wait_msg():
>
> Oops: general protection fault, 0000 [#1] SMP KASAN NOPTI
> KASAN: null-ptr-deref in range [0x0000000000000310-0x0000000000000317]
> RIP: 0010:smc_clc_wait_msg (net/smc/smc_clc.c:793)
> Call Trace:
>  <TASK>
>  smc_listen_work (net/smc/af_smc.c:2491)
>  process_one_work (kernel/workqueue.c:3281)
>  worker_thread (kernel/workqueue.c:3440)
>  kthread (kernel/kthread.c:436)
>  ret_from_fork (arch/x86/kernel/process.c:164)
>  ret_from_fork_asm (arch/x86/entry/entry_64.S:257)
>  </TASK>
> Kernel panic - not syncing: Fatal exception
>
>Add a NULL check for smc->conn.lgr before dereferencing it. 
>
>Fixes: 0cfdd8f92cac ("smc: connection and link group creation")
>Reported-by: Xiang Mei <xmei5@asu.edu>
>Signed-off-by: Weiming Shi <bestswngs@gmail.com>
>---
> net/smc/smc_clc.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
>diff --git a/net/smc/smc_clc.c b/net/smc/smc_clc.c
>index c38fc7bf0a7e..d22c9417d239 100644
>--- a/net/smc/smc_clc.c
>+++ b/net/smc/smc_clc.c
>@@ -790,8 +790,10 @@ int smc_clc_wait_msg(struct smc_sock *smc, void *buf, int buflen,
> 		smc->peer_diagnosis = ntohl(dclc->peer_diagnosis);
> 		if (((struct smc_clc_msg_decline *)buf)->hdr.typev2 &
> 						SMC_FIRST_CONTACT_MASK) {
>-			smc->conn.lgr->sync_err = 1;
>-			smc_lgr_terminate_sched(smc->conn.lgr);
>+			if (smc->conn.lgr) {
>+				smc->conn.lgr->sync_err = 1;
>+				smc_lgr_terminate_sched(smc->conn.lgr);
>+			}
> 		}
> 	}
> 
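Review bot: The new `if (smc->conn.lgr)` guard fixes the dereference for the listen-side case the commit message describes (no link group exists yet when a DECLINE with SMC_FIRST_CONTACT_MASK arrives), but the hunk adds no comment saying why lgr can legitimately be NULL at this point, so a later reader may take the check for dead code; a one-line comment above the guard noting that the listen path reaches this function before the link group is created would document it. As a style point, the two nested `if`s can be folded into a single condition so the block does not gain another indentation level, e.g. `if (smc->conn.lgr && (((struct smc_clc_msg_decline *)buf)->hdr.typev2 & SMC_FIRST_CONTACT_MASK))`, with `smc->peer_diagnosis` still assigned unconditionally as in the preceding context line. Note also that Dust Li's reply points to an earlier submission by Ren Wei ("net/smc: avoid early lgr access in smc_clc_wait_msg") for the same crash, so the two fixes should be reconciled rather than both applied.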
>-- 
>2.43.0
