* [syzbot] [net?] [s390?] general protection fault in smc_diag_dump_proto
@ 2024-08-09 16:27 syzbot
From: syzbot @ 2024-08-09 16:27 UTC (permalink / raw)
To: agordeev, alibuda, davem, edumazet, guwen, jaka, kuba, linux-kernel, linux-s390, netdev, pabeni, syzkaller-bugs, tonylu, wenjia
Hello,
syzbot found the following issue on:
HEAD commit: d7e78951a8b8 Merge tag 'net-6.11-rc0' of git://git.kernel...
git tree: net-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=173cfd3d980000
kernel config: https://syzkaller.appspot.com/x/.config?x=a6f4e2cb79bdcd45
dashboard link: https://syzkaller.appspot.com/bug?extid=f69bfae0a4eb29976e44
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15900a9d980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1008b645980000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/6b22bae2c3c1/disk-d7e78951.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/37db35e4bb64/vmlinux-d7e78951.xz
kernel image: https://storage.googleapis.com/syzbot-assets/3e489cf2c28e/bzImage-d7e78951.xz
Bisection is inconclusive: the first bad commit could be any of:
5bcd9a0a5995 wifi: brcm80211: remove unused structs
f29dcae96ec8 Merge tag 'rtw-next-2024-06-04' of https://github.com/pkshih/rtw
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=17196f19980000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f69bfae0a4eb29976e44@syzkaller.appspotmail.com
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 1 PID: 6338 Comm: syz-executor175 Not tainted 6.10.0-syzkaller-09703-gd7e78951a8b8 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
RIP: 0010:smc_diag_msg_common_fill net/smc/smc_diag.c:44 [inline]
RIP: 0010:__smc_diag_dump net/smc/smc_diag.c:89 [inline]
RIP: 0010:smc_diag_dump_proto+0x709/0x3270 net/smc/smc_diag.c:217
Code: 08 48 89 df e8 f8 0d 9d f6 48 8b 44 24 28 4c 8d 68 14 48 8b 1b 48 83 c3 0e 48 89 d8 48 c1 e8 03 49 bf 00 00 00 00 00 fc ff df <42> 0f b6 04 38 84 c0 0f 85 46 1b 00 00 0f b7 1b 66 c1 c3 08 4c 89
RSP: 0018:ffffc90009d56b00 EFLAGS: 00010203
RAX: 0000000000000001 RBX: 000000000000000e RCX: ffff88807c439e00
RDX: 0000000000000000 RSI: 0000000080000001 RDI: 0000000000000000
RBP: ffffc90009d56f90 R08: ffffffff8990c562 R09: 1ffff11005a1084b
R10: dffffc0000000000 R11: ffffed1005a1084c R12: 1ffff11005a108e0
R13: ffff88801f600014 R14: ffff88802d084200 R15: dffffc0000000000
FS: 00007f92fcb0b6c0(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f92fcb0bd58 CR3: 000000002290e000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
smc_diag_dump+0x59/0xa0 net/smc/smc_diag.c:236
netlink_dump+0x647/0xd80 net/netlink/af_netlink.c:2325
__netlink_dump_start+0x59f/0x780 net/netlink/af_netlink.c:2440
netlink_dump_start include/linux/netlink.h:339 [inline]
smc_diag_handler_dump+0x1ab/0x250 net/smc/smc_diag.c:251
sock_diag_rcv_msg+0x3dc/0x5f0
netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2550
netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]
netlink_unicast+0x7f0/0x990 net/netlink/af_netlink.c:1357
netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1901
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x221/0x270 net/socket.c:745
sock_sendmsg+0x134/0x200 net/socket.c:768
splice_to_socket+0xa13/0x10b0 fs/splice.c:889
do_splice_from fs/splice.c:941 [inline]
do_splice+0xd77/0x1900 fs/splice.c:1354
__do_splice fs/splice.c:1436 [inline]
__do_sys_splice fs/splice.c:1652 [inline]
__se_sys_splice+0x331/0x4a0 fs/splice.c:1634
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f92fcb924d9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f92fcb0b218 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
RAX: ffffffffffffffda RBX: 00007f92fcb0b6c0 RCX: 00007f92fcb924d9
RDX: 0000000000000005 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00007f92fcc1c348 R08: 0000000080000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f92fcc1c340
R13: 00007f92fcbe9074 R14: 00007ffd7bd61c20 R15: 00007ffd7bd61d08
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
0: 08 48 89 or %cl,-0x77(%rax)
3: df e8 fucomip %st(0),%st
5: f8 clc
6: 0d 9d f6 48 8b or $0x8b48f69d,%eax
b: 44 24 28 rex.R and $0x28,%al
e: 4c 8d 68 14 lea 0x14(%rax),%r13
12: 48 8b 1b mov (%rbx),%rbx
15: 48 83 c3 0e add $0xe,%rbx
19: 48 89 d8 mov %rbx,%rax
1c: 48 c1 e8 03 shr $0x3,%rax
20: 49 bf 00 00 00 00 00 movabs $0xdffffc0000000000,%r15
27: fc ff df
* 2a: 42 0f b6 04 38 movzbl (%rax,%r15,1),%eax <-- trapping instruction
2f: 84 c0 test %al,%al
31: 0f 85 46 1b 00 00 jne 0x1b7d
37: 0f b7 1b movzwl (%rbx),%ebx
3a: 66 c1 c3 08 rol $0x8,%bx
3e: 4c rex.WR
3f: 89 .byte 0x89
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* Re: [syzbot] Re: [syzbot] [net?] [s390?] general protection fault in smc_diag_dump_proto
From: syzbot @ 2024-08-12 9:28 UTC (permalink / raw)
To: linux-kernel
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.
***
Subject: Re: [syzbot] [net?] [s390?] general protection fault in smc_diag_dump_proto
Author: lizhi.xu@windriver.com
out already closed
#syz test: net-next d7e78951a8b8
diff --git a/fs/splice.c b/fs/splice.c
index 60aed8de21f8..67a5965c0793 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -1647,7 +1647,7 @@ SYSCALL_DEFINE6(splice, int, fd_in, loff_t __user *, off_in,
error = -EBADF;
in = fdget(fd_in);
if (in.file) {
- out = fdget(fd_out);
+ out = fdget_raw(fd_out);
if (out.file) {
error = __do_splice(in.file, off_in, out.file, off_out,
len, flags);
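Review bot: switching fdget() to fdget_raw() changes which descriptors splice accepts (fdget_raw also returns O_PATH files, which fdget filters out) but does not touch the code that faults. The trapping instruction is in smc_diag_msg_common_fill (net/smc/smc_diag.c:44), KASAN reports a NULL-pointer dereference at offset 0x8-0xf, and the call chain reaches it through sock_diag_rcv_msg from netlink_sendmsg; splice_to_socket is only how the netlink message was delivered. The note "out already closed" does not explain how the output fd could lead to that dereference, and syzbot's follow-up test of this exact patch still reproduces the fault. Suggest dropping this change and looking instead at the pointer that smc_diag_msg_common_fill loads at "mov (%rbx),%rbx" and finds NULL.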
* Re: [syzbot] [net?] [s390?] general protection fault in smc_diag_dump_proto
From: syzbot @ 2024-08-12 19:49 UTC (permalink / raw)
To: linux-kernel, lizhi.xu, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in smc_diag_dump_proto
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 0 PID: 6159 Comm: syz.0.21 Not tainted 6.10.0-syzkaller-09703-gd7e78951a8b8-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
RIP: 0010:smc_diag_msg_common_fill net/smc/smc_diag.c:44 [inline]
RIP: 0010:__smc_diag_dump net/smc/smc_diag.c:89 [inline]
RIP: 0010:smc_diag_dump_proto+0x709/0x3270 net/smc/smc_diag.c:217
Code: 08 48 89 df e8 f8 0d 9d f6 48 8b 44 24 28 4c 8d 68 14 48 8b 1b 48 83 c3 0e 48 89 d8 48 c1 e8 03 49 bf 00 00 00 00 00 fc ff df <42> 0f b6 04 38 84 c0 0f 85 46 1b 00 00 0f b7 1b 66 c1 c3 08 4c 89
RSP: 0018:ffffc9000358eb00 EFLAGS: 00010203
RAX: 0000000000000001 RBX: 000000000000000e RCX: ffff888069659e00
RDX: 0000000000000000 RSI: 0000000080000001 RDI: 0000000000000000
RBP: ffffc9000358ef90 R08: ffffffff8990c562 R09: 1ffff1100eef084b
R10: dffffc0000000000 R11: ffffed100eef084c R12: 1ffff1100eef08e0
R13: ffff8880777f0014 R14: ffff888077784200 R15: dffffc0000000000
FS: 00007fddae9ea6c0(0000) GS:ffff8880b9200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fddae9e9fa8 CR3: 00000000736f2000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
smc_diag_dump+0x59/0xa0 net/smc/smc_diag.c:236
netlink_dump+0x647/0xd80 net/netlink/af_netlink.c:2325
__netlink_dump_start+0x59f/0x780 net/netlink/af_netlink.c:2440
netlink_dump_start include/linux/netlink.h:339 [inline]
smc_diag_handler_dump+0x1ab/0x250 net/smc/smc_diag.c:251
sock_diag_rcv_msg+0x3dc/0x5f0
netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2550
netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]
netlink_unicast+0x7f0/0x990 net/netlink/af_netlink.c:1357
netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1901
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x221/0x270 net/socket.c:745
sock_sendmsg+0x134/0x200 net/socket.c:768
splice_to_socket+0xa13/0x10b0 fs/splice.c:889
do_splice_from fs/splice.c:941 [inline]
do_splice+0xd77/0x1900 fs/splice.c:1354
__do_splice fs/splice.c:1436 [inline]
__do_sys_splice fs/splice.c:1652 [inline]
__se_sys_splice+0x331/0x4a0 fs/splice.c:1634
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fddadb75f19
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fddae9ea048 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
RAX: ffffffffffffffda RBX: 00007fddadd06038 RCX: 00007fddadb75f19
RDX: 0000000000000005 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00007fddadbe4e68 R08: 0000000080000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000006e R14: 00007fddadd06038 R15: 00007ffc243501f8
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
0: 08 48 89 or %cl,-0x77(%rax)
3: df e8 fucomip %st(0),%st
5: f8 clc
6: 0d 9d f6 48 8b or $0x8b48f69d,%eax
b: 44 24 28 rex.R and $0x28,%al
e: 4c 8d 68 14 lea 0x14(%rax),%r13
12: 48 8b 1b mov (%rbx),%rbx
15: 48 83 c3 0e add $0xe,%rbx
19: 48 89 d8 mov %rbx,%rax
1c: 48 c1 e8 03 shr $0x3,%rax
20: 49 bf 00 00 00 00 00 movabs $0xdffffc0000000000,%r15
27: fc ff df
* 2a: 42 0f b6 04 38 movzbl (%rax,%r15,1),%eax <-- trapping instruction
2f: 84 c0 test %al,%al
31: 0f 85 46 1b 00 00 jne 0x1b7d
37: 0f b7 1b movzwl (%rbx),%ebx
3a: 66 c1 c3 08 rol $0x8,%bx
3e: 4c rex.WR
3f: 89 .byte 0x89
Tested on:
commit: d7e78951 Merge tag 'net-6.11-rc0' of git://git.kernel...
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=137931c5980000
kernel config: https://syzkaller.appspot.com/x/.config?x=a6f4e2cb79bdcd45
dashboard link: https://syzkaller.appspot.com/bug?extid=f69bfae0a4eb29976e44
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1363c96d980000
* Re: [syzbot] Re: [syzbot] [net?] [s390?] general protection fault in smc_diag_dump_proto
From: syzbot @ 2024-08-13 1:16 UTC (permalink / raw)
To: linux-kernel
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.
***
Subject: Re: [syzbot] [net?] [s390?] general protection fault in smc_diag_dump_proto
Author: aha310510@gmail.com
#syz test git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
---
net/smc/smc.h | 19 ++++++++++---------
net/smc/smc_inet.c | 24 +++++++++++++++---------
2 files changed, 25 insertions(+), 18 deletions(-)
diff --git a/net/smc/smc.h b/net/smc/smc.h
index 34b781e463c4..f4d9338b5ed5 100644
--- a/net/smc/smc.h
+++ b/net/smc/smc.h
@@ -284,15 +284,6 @@ struct smc_connection {
struct smc_sock { /* smc sock container */
struct sock sk;
- struct socket *clcsock; /* internal tcp socket */
- void (*clcsk_state_change)(struct sock *sk);
- /* original stat_change fct. */
- void (*clcsk_data_ready)(struct sock *sk);
- /* original data_ready fct. */
- void (*clcsk_write_space)(struct sock *sk);
- /* original write_space fct. */
- void (*clcsk_error_report)(struct sock *sk);
- /* original error_report fct. */
struct smc_connection conn; /* smc connection */
struct smc_sock *listen_smc; /* listen parent */
struct work_struct connect_work; /* handle non-blocking connect*/
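Review bot: this hunk only deletes clcsock and the four clcsk_* callback pointers from their place right after sk, and the patch carries no commit message saying why struct smc_sock has to be reordered; nothing in the smc_inet.c hunk references the new position. If the move is not required for the IPv6 fix, drop both smc.h hunks so the diff is limited to the change that matters.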
@@ -325,6 +316,16 @@ struct smc_sock { /* smc sock container */
/* protects clcsock of a listen
* socket
* */
+ struct socket *clcsock; /* internal tcp socket */
+ void (*clcsk_state_change)(struct sock *sk);
+ /* original stat_change fct. */
+ void (*clcsk_data_ready)(struct sock *sk);
+ /* original data_ready fct. */
+ void (*clcsk_write_space)(struct sock *sk);
+ /* original write_space fct. */
+ void (*clcsk_error_report)(struct sock *sk);
+ /* original error_report fct. */
+
};
#define smc_sk(ptr) container_of_const(ptr, struct smc_sock, sk)
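Review bot: the re-added block ends with a stray empty "+" line before the closing "};" of struct smc_sock; drop it. Since these comment lines are being touched anyway, "original stat_change fct." could also become "original state_change fct." to match the callback name on the line above it.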
diff --git a/net/smc/smc_inet.c b/net/smc/smc_inet.c
index bece346dd8e9..3c54faef6042 100644
--- a/net/smc/smc_inet.c
+++ b/net/smc/smc_inet.c
@@ -60,16 +60,22 @@ static struct inet_protosw smc_inet_protosw = {
};
#if IS_ENABLED(CONFIG_IPV6)
+struct smc6_sock {
+ struct smc_sock smc;
+ struct ipv6_pinfo np;
+};
+
static struct proto smc_inet6_prot = {
- .name = "INET6_SMC",
- .owner = THIS_MODULE,
- .init = smc_inet_init_sock,
- .hash = smc_hash_sk,
- .unhash = smc_unhash_sk,
- .release_cb = smc_release_cb,
- .obj_size = sizeof(struct smc_sock),
- .h.smc_hash = &smc_v6_hashinfo,
- .slab_flags = SLAB_TYPESAFE_BY_RCU,
+ .name = "INET6_SMC",
+ .owner = THIS_MODULE,
+ .init = smc_inet_init_sock,
+ .hash = smc_hash_sk,
+ .unhash = smc_unhash_sk,
+ .release_cb = smc_release_cb,
+ .obj_size = sizeof(struct smc6_sock),
+ .h.smc_hash = &smc_v6_hashinfo,
+ .slab_flags = SLAB_TYPESAFE_BY_RCU,
+ .ipv6_pinfo_offset = offsetof(struct smc6_sock, np),
};
static const struct proto_ops smc_inet6_stream_ops = {
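Review bot: the only functional changes in this hunk are ".obj_size = sizeof(struct smc6_sock)," and the new ".ipv6_pinfo_offset = offsetof(struct smc6_sock, np),"; the other nine -/+ pairs from .name to .slab_flags are whitespace-only re-indentation that buries the real change. Keep the original alignment (or re-indent in a separate cleanup) so the diff shows two lines. A commit message should also state the reason: with obj_size = sizeof(struct smc_sock) and no ipv6_pinfo_offset there is no room for struct ipv6_pinfo inside an IPv6 SMC sock object, which is what the smc6_sock wrapper provides, following the tcp6_sock/udp6_sock pattern.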
--
* Re: [syzbot] [net?] [s390?] general protection fault in smc_diag_dump_proto
From: syzbot @ 2024-08-13 1:22 UTC (permalink / raw)
To: aha310510, linux-kernel, syzkaller-bugs
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
failed to apply patch:
checking file net/smc/smc.h
patch: **** malformed patch at line 6: diff --git a/net/smc/smc_inet.c b/net/smc/smc_inet.c
Tested on:
commit: d74da846 Merge tag 'platform-drivers-x86-v6.11-3' of g..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=a6f4e2cb79bdcd45
dashboard link: https://syzkaller.appspot.com/bug?extid=f69bfae0a4eb29976e44
compiler:
patch: https://syzkaller.appspot.com/x/patch.diff?x=171c9d13980000
* Re: [syzbot] Re: [syzbot] [net?] [s390?] general protection fault in smc_diag_dump_proto
From: syzbot @ 2024-08-13 3:21 UTC (permalink / raw)
To: linux-kernel
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.
***
Subject: Re: [syzbot] [net?] [s390?] general protection fault in smc_diag_dump_proto
Author: aha310510@gmail.com
#syz test git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
---
net/smc/smc.h | 19 ++++++++++---------
net/smc/smc_inet.c | 24 +++++++++++++++---------
2 files changed, 25 insertions(+), 18 deletions(-)
diff --git a/net/smc/smc.h b/net/smc/smc.h
index 34b781e463c4..f4d9338b5ed5 100644
--- a/net/smc/smc.h
+++ b/net/smc/smc.h
@@ -284,15 +284,6 @@ struct smc_connection {
struct smc_sock { /* smc sock container */
struct sock sk;
- struct socket *clcsock; /* internal tcp socket */
- void (*clcsk_state_change)(struct sock *sk);
- /* original stat_change fct. */
- void (*clcsk_data_ready)(struct sock *sk);
- /* original data_ready fct. */
- void (*clcsk_write_space)(struct sock *sk);
- /* original write_space fct. */
- void (*clcsk_error_report)(struct sock *sk);
- /* original error_report fct. */
struct smc_connection conn; /* smc connection */
struct smc_sock *listen_smc; /* listen parent */
struct work_struct connect_work; /* handle non-blocking connect*/
@@ -325,6 +316,16 @@ struct smc_sock { /* smc sock container */
/* protects clcsock of a listen
* socket
* */
+ struct socket *clcsock; /* internal tcp socket */
+ void (*clcsk_state_change)(struct sock *sk);
+ /* original stat_change fct. */
+ void (*clcsk_data_ready)(struct sock *sk);
+ /* original data_ready fct. */
+ void (*clcsk_write_space)(struct sock *sk);
+ /* original write_space fct. */
+ void (*clcsk_error_report)(struct sock *sk);
+ /* original error_report fct. */
+
};
#define smc_sk(ptr) container_of_const(ptr, struct smc_sock, sk)
diff --git a/net/smc/smc_inet.c b/net/smc/smc_inet.c
index bece346dd8e9..3c54faef6042 100644
--- a/net/smc/smc_inet.c
+++ b/net/smc/smc_inet.c
@@ -60,16 +60,22 @@ static struct inet_protosw smc_inet_protosw = {
};
#if IS_ENABLED(CONFIG_IPV6)
+struct smc6_sock {
+ struct smc_sock smc;
+ struct ipv6_pinfo np;
+};
+
static struct proto smc_inet6_prot = {
- .name = "INET6_SMC",
- .owner = THIS_MODULE,
- .init = smc_inet_init_sock,
- .hash = smc_hash_sk,
- .unhash = smc_unhash_sk,
- .release_cb = smc_release_cb,
- .obj_size = sizeof(struct smc_sock),
- .h.smc_hash = &smc_v6_hashinfo,
- .slab_flags = SLAB_TYPESAFE_BY_RCU,
+ .name = "INET6_SMC",
+ .owner = THIS_MODULE,
+ .init = smc_inet_init_sock,
+ .hash = smc_hash_sk,
+ .unhash = smc_unhash_sk,
+ .release_cb = smc_release_cb,
+ .obj_size = sizeof(struct smc6_sock),
+ .h.smc_hash = &smc_v6_hashinfo,
+ .slab_flags = SLAB_TYPESAFE_BY_RCU,
+ .ipv6_pinfo_offset = offsetof(struct smc6_sock, np),
};
static const struct proto_ops smc_inet6_stream_ops = {
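Review bot: this hunk (and the two smc.h hunks before it) is byte-for-byte identical to the patch posted at 2024-08-13 1:16, which syzbot could not apply ("malformed patch at line 6"), so the same review points hold for this copy: only the .obj_size and .ipv6_pinfo_offset lines change functionally and the other nine -/+ pairs are re-indentation noise, the struct smc_sock reordering in smc.h has no stated reason, and the re-added block there ends with a stray empty "+" line. Since this resend is the one syzbot tested successfully, it is the version that should get a commit message explaining why the IPv6 proto needs room for struct ipv6_pinfo.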
--
* Re: [syzbot] [net?] [s390?] general protection fault in smc_diag_dump_proto
From: syzbot @ 2024-08-13 3:58 UTC (permalink / raw)
To: aha310510, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+f69bfae0a4eb29976e44@syzkaller.appspotmail.com
Tested-by: syzbot+f69bfae0a4eb29976e44@syzkaller.appspotmail.com
Tested on:
commit: d74da846 Merge tag 'platform-drivers-x86-v6.11-3' of g..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14c6fee5980000
kernel config: https://syzkaller.appspot.com/x/.config?x=801d05d1ea4be1b8
dashboard link: https://syzkaller.appspot.com/bug?extid=f69bfae0a4eb29976e44
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1046fee5980000
Note: testing is done by a robot and is best-effort only.
* Re: [syzbot] [net?] [s390?] general protection fault in smc_diag_dump_proto
From: Jeongjun Park @ 2024-09-18 9:05 UTC (permalink / raw)
To: syzbot+f69bfae0a4eb29976e44; +Cc: syzkaller-bugs, linux-kernel
#syz test git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
* Re: [syzbot] [net?] [s390?] general protection fault in smc_diag_dump_proto
From: syzbot @ 2024-09-18 12:13 UTC (permalink / raw)
To: aha310510, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in smc_diag_dump_proto
Oops: general protection fault, probably for non-canonical address 0xdffffc00000a2403: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: probably user-memory-access in range [0x0000000000512018-0x000000000051201f]
CPU: 0 UID: 0 PID: 6007 Comm: syz.1.56 Not tainted 6.11.0-syzkaller-05026-g39b3f4e0db5d-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
RIP: 0010:smc_diag_msg_common_fill net/smc/smc_diag.c:44 [inline]
RIP: 0010:__smc_diag_dump net/smc/smc_diag.c:89 [inline]
RIP: 0010:smc_diag_dump_proto+0x6d9/0x3270 net/smc/smc_diag.c:217
Code: 80 3c 2c 00 74 08 48 89 df e8 13 47 96 f6 48 89 5c 24 30 48 8b 1b 48 85 db 0f 84 2d 02 00 00 48 83 c3 18 48 89 d8 48 c1 e8 03 <42> 80 3c 28 00 74 08 48 89 df e8 e8 46 96 f6 48 8b 44 24 28 4c 8d
RSP: 0018:ffffc9000232eb00 EFLAGS: 00010206
RAX: 00000000000a2403 RBX: 0000000000512018 RCX: ffff888021765a00
RDX: 0000000000000000 RSI: 0000000080000001 RDI: 0000000000000000
RBP: ffffc9000232ef90 R08: ffffffff89984322 R09: 1ffff1100478378b
R10: dffffc0000000000 R11: ffffed100478378c R12: 1ffff1100478382b
R13: dffffc0000000000 R14: ffff888023c1bc00 R15: ffff88806a9a8010
FS: 00007f10eb3d36c0(0000) GS:ffff8880b9200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f10eb3d2fa8 CR3: 0000000029d36000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
smc_diag_dump+0x59/0xa0 net/smc/smc_diag.c:236
netlink_dump+0x647/0xd80 net/netlink/af_netlink.c:2325
__netlink_dump_start+0x5a2/0x790 net/netlink/af_netlink.c:2440
netlink_dump_start include/linux/netlink.h:339 [inline]
smc_diag_handler_dump+0x1ab/0x250 net/smc/smc_diag.c:251
sock_diag_rcv_msg+0x3dc/0x5f0
netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2550
netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]
netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1357
netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1901
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x221/0x270 net/socket.c:745
sock_sendmsg+0x134/0x200 net/socket.c:768
splice_to_socket+0xa10/0x10b0 fs/splice.c:889
do_splice_from fs/splice.c:941 [inline]
do_splice+0xd68/0x18e0 fs/splice.c:1354
__do_splice fs/splice.c:1436 [inline]
__do_sys_splice fs/splice.c:1652 [inline]
__se_sys_splice+0x331/0x4a0 fs/splice.c:1634
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f10ea575f19
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f10eb3d3048 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
RAX: ffffffffffffffda RBX: 00007f10ea706038 RCX: 00007f10ea575f19
RDX: 0000000000000005 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00007f10ea5e4e68 R08: 0000000080000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000006e R14: 00007f10ea706038 R15: 00007ffc7d1ca708
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
0: 80 3c 2c 00 cmpb $0x0,(%rsp,%rbp,1)
4: 74 08 je 0xe
6: 48 89 df mov %rbx,%rdi
9: e8 13 47 96 f6 call 0xf6964721
e: 48 89 5c 24 30 mov %rbx,0x30(%rsp)
13: 48 8b 1b mov (%rbx),%rbx
16: 48 85 db test %rbx,%rbx
19: 0f 84 2d 02 00 00 je 0x24c
1f: 48 83 c3 18 add $0x18,%rbx
23: 48 89 d8 mov %rbx,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 42 80 3c 28 00 cmpb $0x0,(%rax,%r13,1) <-- trapping instruction
2f: 74 08 je 0x39
31: 48 89 df mov %rbx,%rdi
34: e8 e8 46 96 f6 call 0xf6964721
39: 48 8b 44 24 28 mov 0x28(%rsp),%rax
3e: 4c rex.WR
3f: 8d .byte 0x8d
Tested on:
commit: 39b3f4e0 Merge tag 'hardening-v6.12-rc1' of git://git...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17a1c4a9980000
kernel config: https://syzkaller.appspot.com/x/.config?x=5c3b301db2ae9f24
dashboard link: https://syzkaller.appspot.com/bug?extid=f69bfae0a4eb29976e44
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Note: no patches were applied.
* Re: [syzbot] [net?] [s390?] general protection fault in smc_diag_dump_proto
From: Jeongjun Park @ 2024-09-18 16:04 UTC (permalink / raw)
To: syzbot+f69bfae0a4eb29976e44; +Cc: syzkaller-bugs, linux-kernel
#syz test git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
---
net/smc/smc_inet.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/net/smc/smc_inet.c b/net/smc/smc_inet.c
index a5b2041600f9..e101c8eee187 100644
--- a/net/smc/smc_inet.c
+++ b/net/smc/smc_inet.c
@@ -111,11 +111,17 @@ static struct inet_protosw smc_inet6_protosw = {
static int smc_inet_init_sock(struct sock *sk)
{
struct net *net = sock_net(sk);
+ int rc;
/* init common smc sock */
smc_sk_init(net, sk, IPPROTO_SMC);
/* create clcsock */
- return smc_create_clcsk(net, sk, sk->sk_family);
+ rc = smc_create_clcsk(net, sk, sk->sk_family);
+
+ if (rc)
+ sk_common_release(sk);
+
+ return rc;
}
int __init smc_inet_init(void)
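Review bot: calling sk_common_release() from inside a proto ->init hook releases the socket twice. smc_inet_init_sock is the .init of the SMC inet protos (see ".init = smc_inet_init_sock" in the smc_inet6_prot hunk earlier in this thread), and inet_create()/inet6_create() already call sk_common_release(sk) themselves when ->init returns non-zero, so the added "if (rc) sk_common_release(sk);" frees a sock the caller is about to release again. Return rc unchanged and leave cleanup to the caller. syzbot's test of this patch still hit the same fault, which is consistent with the clcsock error path not being the cause here.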
--
* Re: [syzbot] [net?] [s390?] general protection fault in smc_diag_dump_proto
From: syzbot @ 2024-09-18 16:43 UTC (permalink / raw)
To: aha310510, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in smc_diag_dump_proto
Oops: general protection fault, probably for non-canonical address 0xdffffc00000a2403: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: probably user-memory-access in range [0x0000000000512018-0x000000000051201f]
CPU: 0 UID: 0 PID: 6289 Comm: syz.1.16 Not tainted 6.11.0-syzkaller-05319-g4a39ac5b7d62-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
RIP: 0010:smc_diag_msg_common_fill net/smc/smc_diag.c:44 [inline]
RIP: 0010:__smc_diag_dump net/smc/smc_diag.c:89 [inline]
RIP: 0010:smc_diag_dump_proto+0x6d9/0x3270 net/smc/smc_diag.c:217
Call Trace:
<TASK>
smc_diag_dump+0x59/0xa0 net/smc/smc_diag.c:236
netlink_dump+0x647/0xd80 net/netlink/af_netlink.c:2325
__netlink_dump_start+0x5a2/0x790 net/netlink/af_netlink.c:2440
netlink_dump_start include/linux/netlink.h:339 [inline]
smc_diag_handler_dump+0x1ab/0x250 net/smc/smc_diag.c:251
sock_diag_rcv_msg+0x3dc/0x5f0
netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2550
netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]
netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1357
netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1901
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x221/0x270 net/socket.c:745
sock_sendmsg+0x134/0x200 net/socket.c:768
splice_to_socket+0xa10/0x10b0 fs/splice.c:889
do_splice_from fs/splice.c:941 [inline]
do_splice+0xd68/0x18e0 fs/splice.c:1354
__do_splice fs/splice.c:1436 [inline]
__do_sys_splice fs/splice.c:1652 [inline]
__se_sys_splice+0x331/0x4a0 fs/splice.c:1634
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
Tested on:
commit: 4a39ac5b Merge tag 'random-6.12-rc1-for-linus' of git:..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=102c269f980000
kernel config: https://syzkaller.appspot.com/x/.config?x=5c3b301db2ae9f24
dashboard link: https://syzkaller.appspot.com/bug?extid=f69bfae0a4eb29976e44
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=125fc4a9980000
* Re: [syzbot] [net?] [s390?] general protection fault in smc_diag_dump_proto
From: Jeongjun Park @ 2024-09-19 12:43 UTC (permalink / raw)
To: syzbot+f69bfae0a4eb29976e44; +Cc: syzkaller-bugs, linux-kernel
#syz test git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
---
net/smc/af_smc.c | 176 +++++++++++++++++++--------------------
net/smc/smc.h | 7 +-
net/smc/smc_cdc.c | 40 ++++-----
net/smc/smc_clc.c | 28 +++----
net/smc/smc_close.c | 16 ++--
net/smc/smc_core.c | 68 +++++++--------
net/smc/smc_rx.c | 16 ++--
net/smc/smc_stats.h | 10 +--
net/smc/smc_tracepoint.h | 4 +-
net/smc/smc_tx.c | 28 +++----
10 files changed, 195 insertions(+), 198 deletions(-)
diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
index 8e3093938cd2..d2783e715604 100644
--- a/net/smc/af_smc.c
+++ b/net/smc/af_smc.c
@@ -132,7 +132,7 @@ static struct sock *smc_tcp_syn_recv_sock(const struct sock *sk,
sk->sk_max_ack_backlog)
goto drop;
- if (sk_acceptq_is_full(&smc->sk)) {
+ if (sk_acceptq_is_full(&smc->inet.sk)) {
NET_INC_STATS(sock_net(sk), LINUX_MIB_LISTENOVERFLOWS);
goto drop;
}
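Review bot: this hunk and the many others like it in af_smc.c, smc_cdc.c, smc_clc.c, smc_close.c, smc_core.c, smc_rx.c and smc_tx.c are a mechanical rename of `smc->sk` to `smc->inet.sk` (195 insertions, 198 deletions per the diffstat), which buries the one functional change in smc.h. A style suggestion: add a small accessor in smc.h, e.g. `static inline struct sock *smc_to_sk(struct smc_sock *smc) { return &smc->inet.sk; }`, or keep the field reachable under its old name, so the layout change is a short, reviewable hunk and the rest of the tree does not need touching; at minimum, split the layout change and the rename into separate patches so the functional part can be reviewed on its own.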
@@ -262,7 +262,7 @@ static void smc_fback_restore_callbacks(struct smc_sock *smc)
static void smc_restore_fallback_changes(struct smc_sock *smc)
{
if (smc->clcsock->file) { /* non-accepted sockets have no file yet */
- smc->clcsock->file->private_data = smc->sk.sk_socket;
+ smc->clcsock->file->private_data = smc->inet.sk.sk_socket;
smc->clcsock->file = NULL;
smc_fback_restore_callbacks(smc);
}
@@ -270,7 +270,7 @@ static void smc_restore_fallback_changes(struct smc_sock *smc)
static int __smc_release(struct smc_sock *smc)
{
- struct sock *sk = &smc->sk;
+ struct sock *sk = &smc->inet.sk;
int rc = 0;
if (!smc->use_fallback) {
@@ -327,7 +327,7 @@ int smc_release(struct socket *sock)
tcp_abort(smc->clcsock->sk, ECONNABORTED);
if (cancel_work_sync(&smc->connect_work))
- sock_put(&smc->sk); /* sock_hold in smc_connect for passive closing */
+ sock_put(&smc->inet.sk); /* sock_hold in smc_connect for passive closing */
if (sk->sk_state == SMC_LISTEN)
/* smc_close_non_accepted() is called and acquires
@@ -496,7 +496,7 @@ static void smc_copy_sock_settings(struct sock *nsk, struct sock *osk,
static void smc_copy_sock_settings_to_clc(struct smc_sock *smc)
{
- smc_copy_sock_settings(smc->clcsock->sk, &smc->sk, SK_FLAGS_SMC_TO_CLC);
+ smc_copy_sock_settings(smc->clcsock->sk, &smc->inet.sk, SK_FLAGS_SMC_TO_CLC);
}
#define SK_FLAGS_CLC_TO_SMC ((1UL << SOCK_URGINLINE) | \
@@ -506,7 +506,7 @@ static void smc_copy_sock_settings_to_clc(struct smc_sock *smc)
/* copy only settings and flags relevant for smc from clc to smc socket */
static void smc_copy_sock_settings_to_smc(struct smc_sock *smc)
{
- smc_copy_sock_settings(&smc->sk, smc->clcsock->sk, SK_FLAGS_CLC_TO_SMC);
+ smc_copy_sock_settings(&smc->inet.sk, smc->clcsock->sk, SK_FLAGS_CLC_TO_SMC);
}
/* register the new vzalloced sndbuf on all links */
@@ -757,7 +757,7 @@ static void smc_stat_inc_fback_rsn_cnt(struct smc_sock *smc,
static void smc_stat_fallback(struct smc_sock *smc)
{
- struct net *net = sock_net(&smc->sk);
+ struct net *net = sock_net(&smc->inet.sk);
mutex_lock(&net->smc.mutex_fback_rsn);
if (smc->listen_smc) {
@@ -776,7 +776,7 @@ static void smc_fback_wakeup_waitqueue(struct smc_sock *smc, void *key)
struct socket_wq *wq;
__poll_t flags;
- wq = rcu_dereference(smc->sk.sk_wq);
+ wq = rcu_dereference(smc->inet.sk.sk_wq);
if (!skwq_has_sleeper(wq))
return;
@@ -909,12 +909,12 @@ static int smc_switch_to_fallback(struct smc_sock *smc, int reason_code)
smc->fallback_rsn = reason_code;
smc_stat_fallback(smc);
trace_smc_switch_to_fallback(smc, reason_code);
- if (smc->sk.sk_socket && smc->sk.sk_socket->file) {
- smc->clcsock->file = smc->sk.sk_socket->file;
+ if (smc->inet.sk.sk_socket && smc->inet.sk.sk_socket->file) {
+ smc->clcsock->file = smc->inet.sk.sk_socket->file;
smc->clcsock->file->private_data = smc->clcsock;
smc->clcsock->wq.fasync_list =
- smc->sk.sk_socket->wq.fasync_list;
- smc->sk.sk_socket->wq.fasync_list = NULL;
+ smc->inet.sk.sk_socket->wq.fasync_list;
+ smc->inet.sk.sk_socket->wq.fasync_list = NULL;
/* There might be some wait entries remaining
* in smc sk->sk_wq and they should be woken up
@@ -930,20 +930,20 @@ static int smc_switch_to_fallback(struct smc_sock *smc, int reason_code)
/* fall back during connect */
static int smc_connect_fallback(struct smc_sock *smc, int reason_code)
{
- struct net *net = sock_net(&smc->sk);
+ struct net *net = sock_net(&smc->inet.sk);
int rc = 0;
rc = smc_switch_to_fallback(smc, reason_code);
if (rc) { /* fallback fails */
this_cpu_inc(net->smc.smc_stats->clnt_hshake_err_cnt);
- if (smc->sk.sk_state == SMC_INIT)
- sock_put(&smc->sk); /* passive closing */
+ if (smc->inet.sk.sk_state == SMC_INIT)
+ sock_put(&smc->inet.sk); /* passive closing */
return rc;
}
smc_copy_sock_settings_to_clc(smc);
smc->connect_nonblock = 0;
- if (smc->sk.sk_state == SMC_INIT)
- smc->sk.sk_state = SMC_ACTIVE;
+ if (smc->inet.sk.sk_state == SMC_INIT)
+ smc->inet.sk.sk_state = SMC_ACTIVE;
return 0;
}
@@ -951,21 +951,21 @@ static int smc_connect_fallback(struct smc_sock *smc, int reason_code)
static int smc_connect_decline_fallback(struct smc_sock *smc, int reason_code,
u8 version)
{
- struct net *net = sock_net(&smc->sk);
+ struct net *net = sock_net(&smc->inet.sk);
int rc;
if (reason_code < 0) { /* error, fallback is not possible */
this_cpu_inc(net->smc.smc_stats->clnt_hshake_err_cnt);
- if (smc->sk.sk_state == SMC_INIT)
- sock_put(&smc->sk); /* passive closing */
+ if (smc->inet.sk.sk_state == SMC_INIT)
+ sock_put(&smc->inet.sk); /* passive closing */
return reason_code;
}
if (reason_code != SMC_CLC_DECL_PEERDECL) {
rc = smc_clc_send_decline(smc, reason_code, version);
if (rc < 0) {
this_cpu_inc(net->smc.smc_stats->clnt_hshake_err_cnt);
- if (smc->sk.sk_state == SMC_INIT)
- sock_put(&smc->sk); /* passive closing */
+ if (smc->inet.sk.sk_state == SMC_INIT)
+ sock_put(&smc->inet.sk); /* passive closing */
return rc;
}
}
@@ -1050,7 +1050,7 @@ static int smc_find_ism_v2_device_clnt(struct smc_sock *smc,
continue;
is_emulated = __smc_ism_is_emulated(chid);
if (!smc_pnet_is_pnetid_set(smcd->pnetid) ||
- smc_pnet_is_ndev_pnetid(sock_net(&smc->sk), smcd->pnetid)) {
+ smc_pnet_is_ndev_pnetid(sock_net(&smc->inet.sk), smcd->pnetid)) {
if (is_emulated && entry == SMCD_CLC_MAX_V2_GID_ENTRIES)
/* It's the last GID-CHID entry left in CLC
* Proposal SMC-Dv2 extension, but an Emulated-
@@ -1200,7 +1200,7 @@ static int smc_connect_rdma_v2_prepare(struct smc_sock *smc,
{
struct smc_clc_first_contact_ext *fce =
smc_get_clc_first_contact_ext(aclc, false);
- struct net *net = sock_net(&smc->sk);
+ struct net *net = sock_net(&smc->inet.sk);
int rc;
if (!ini->first_contact_peer || aclc->hdr.version == SMC_V1)
@@ -1347,8 +1347,8 @@ static int smc_connect_rdma(struct smc_sock *smc,
smc_copy_sock_settings_to_clc(smc);
smc->connect_nonblock = 0;
- if (smc->sk.sk_state == SMC_INIT)
- smc->sk.sk_state = SMC_ACTIVE;
+ if (smc->inet.sk.sk_state == SMC_INIT)
+ smc->inet.sk.sk_state = SMC_ACTIVE;
return 0;
connect_abort:
@@ -1450,8 +1450,8 @@ static int smc_connect_ism(struct smc_sock *smc,
smc_copy_sock_settings_to_clc(smc);
smc->connect_nonblock = 0;
- if (smc->sk.sk_state == SMC_INIT)
- smc->sk.sk_state = SMC_ACTIVE;
+ if (smc->inet.sk.sk_state == SMC_INIT)
+ smc->inet.sk.sk_state = SMC_ACTIVE;
return 0;
connect_abort:
@@ -1546,7 +1546,7 @@ static int __smc_connect(struct smc_sock *smc)
/* -EAGAIN on timeout, see tcp_recvmsg() */
if (rc == -EAGAIN) {
rc = -ETIMEDOUT;
- smc->sk.sk_err = ETIMEDOUT;
+ smc->inet.sk.sk_err = ETIMEDOUT;
}
goto vlan_cleanup;
}
@@ -1586,14 +1586,14 @@ static void smc_connect_work(struct work_struct *work)
{
struct smc_sock *smc = container_of(work, struct smc_sock,
connect_work);
- long timeo = smc->sk.sk_sndtimeo;
+ long timeo = smc->inet.sk.sk_sndtimeo;
int rc = 0;
if (!timeo)
timeo = MAX_SCHEDULE_TIMEOUT;
lock_sock(smc->clcsock->sk);
if (smc->clcsock->sk->sk_err) {
- smc->sk.sk_err = smc->clcsock->sk->sk_err;
+ smc->inet.sk.sk_err = smc->clcsock->sk->sk_err;
} else if ((1 << smc->clcsock->sk->sk_state) &
(TCPF_SYN_SENT | TCPF_SYN_RECV)) {
rc = sk_stream_wait_connect(smc->clcsock->sk, &timeo);
@@ -1603,33 +1603,33 @@ static void smc_connect_work(struct work_struct *work)
rc = 0;
}
release_sock(smc->clcsock->sk);
- lock_sock(&smc->sk);
- if (rc != 0 || smc->sk.sk_err) {
- smc->sk.sk_state = SMC_CLOSED;
+ lock_sock(&smc->inet.sk);
+ if (rc != 0 || smc->inet.sk.sk_err) {
+ smc->inet.sk.sk_state = SMC_CLOSED;
if (rc == -EPIPE || rc == -EAGAIN)
- smc->sk.sk_err = EPIPE;
+ smc->inet.sk.sk_err = EPIPE;
else if (rc == -ECONNREFUSED)
- smc->sk.sk_err = ECONNREFUSED;
+ smc->inet.sk.sk_err = ECONNREFUSED;
else if (signal_pending(current))
- smc->sk.sk_err = -sock_intr_errno(timeo);
- sock_put(&smc->sk); /* passive closing */
+ smc->inet.sk.sk_err = -sock_intr_errno(timeo);
+ sock_put(&smc->inet.sk); /* passive closing */
goto out;
}
rc = __smc_connect(smc);
if (rc < 0)
- smc->sk.sk_err = -rc;
+ smc->inet.sk.sk_err = -rc;
out:
- if (!sock_flag(&smc->sk, SOCK_DEAD)) {
- if (smc->sk.sk_err) {
- smc->sk.sk_state_change(&smc->sk);
+ if (!sock_flag(&smc->inet.sk, SOCK_DEAD)) {
+ if (smc->inet.sk.sk_err) {
+ smc->inet.sk.sk_state_change(&smc->inet.sk);
} else { /* allow polling before and after fallback decision */
smc->clcsock->sk->sk_write_space(smc->clcsock->sk);
- smc->sk.sk_write_space(&smc->sk);
+ smc->inet.sk.sk_write_space(&smc->inet.sk);
}
}
- release_sock(&smc->sk);
+ release_sock(&smc->inet.sk);
}
int smc_connect(struct socket *sock, struct sockaddr *addr,
@@ -1692,7 +1692,7 @@ int smc_connect(struct socket *sock, struct sockaddr *addr,
sock->state = rc ? SS_CONNECTING : SS_CONNECTED;
goto out;
}
- sock_hold(&smc->sk); /* sock put in passive closing */
+ sock_hold(&smc->inet.sk); /* sock put in passive closing */
if (flags & O_NONBLOCK) {
if (queue_work(smc_hs_wq, &smc->connect_work))
smc->connect_nonblock = 1;
@@ -1716,7 +1716,7 @@ int smc_connect(struct socket *sock, struct sockaddr *addr,
static int smc_clcsock_accept(struct smc_sock *lsmc, struct smc_sock **new_smc)
{
struct socket *new_clcsock = NULL;
- struct sock *lsk = &lsmc->sk;
+ struct sock *lsk = &lsmc->inet.sk;
struct sock *new_sk;
int rc = -EINVAL;
@@ -1793,7 +1793,7 @@ static void smc_accept_unlink(struct sock *sk)
spin_lock(&par->accept_q_lock);
list_del_init(&smc_sk(sk)->accept_q);
spin_unlock(&par->accept_q_lock);
- sk_acceptq_removed(&smc_sk(sk)->listen_smc->sk);
+ sk_acceptq_removed(&smc_sk(sk)->listen_smc->inet.sk);
sock_put(sk); /* sock_hold in smc_accept_enqueue */
}
@@ -1904,28 +1904,28 @@ static int smcr_serv_conf_first_link(struct smc_sock *smc)
static void smc_listen_out(struct smc_sock *new_smc)
{
struct smc_sock *lsmc = new_smc->listen_smc;
- struct sock *newsmcsk = &new_smc->sk;
+ struct sock *newsmcsk = &new_smc->inet.sk;
if (tcp_sk(new_smc->clcsock->sk)->syn_smc)
atomic_dec(&lsmc->queued_smc_hs);
- if (lsmc->sk.sk_state == SMC_LISTEN) {
- lock_sock_nested(&lsmc->sk, SINGLE_DEPTH_NESTING);
- smc_accept_enqueue(&lsmc->sk, newsmcsk);
- release_sock(&lsmc->sk);
+ if (lsmc->inet.sk.sk_state == SMC_LISTEN) {
+ lock_sock_nested(&lsmc->inet.sk, SINGLE_DEPTH_NESTING);
+ smc_accept_enqueue(&lsmc->inet.sk, newsmcsk);
+ release_sock(&lsmc->inet.sk);
} else { /* no longer listening */
smc_close_non_accepted(newsmcsk);
}
/* Wake up accept */
- lsmc->sk.sk_data_ready(&lsmc->sk);
- sock_put(&lsmc->sk); /* sock_hold in smc_tcp_listen_work */
+ lsmc->inet.sk.sk_data_ready(&lsmc->inet.sk);
+ sock_put(&lsmc->inet.sk); /* sock_hold in smc_tcp_listen_work */
}
/* listen worker: finish in state connected */
static void smc_listen_out_connected(struct smc_sock *new_smc)
{
- struct sock *newsmcsk = &new_smc->sk;
+ struct sock *newsmcsk = &new_smc->inet.sk;
if (newsmcsk->sk_state == SMC_INIT)
newsmcsk->sk_state = SMC_ACTIVE;
@@ -1936,12 +1936,12 @@ static void smc_listen_out_connected(struct smc_sock *new_smc)
/* listen worker: finish in error state */
static void smc_listen_out_err(struct smc_sock *new_smc)
{
- struct sock *newsmcsk = &new_smc->sk;
+ struct sock *newsmcsk = &new_smc->inet.sk;
struct net *net = sock_net(newsmcsk);
this_cpu_inc(net->smc.smc_stats->srv_hshake_err_cnt);
if (newsmcsk->sk_state == SMC_INIT)
- sock_put(&new_smc->sk); /* passive closing */
+ sock_put(&new_smc->inet.sk); /* passive closing */
newsmcsk->sk_state = SMC_CLOSED;
smc_listen_out(new_smc);
@@ -2430,7 +2430,7 @@ static void smc_listen_work(struct work_struct *work)
u8 accept_version;
int rc = 0;
- if (new_smc->listen_smc->sk.sk_state != SMC_LISTEN)
+ if (new_smc->listen_smc->inet.sk.sk_state != SMC_LISTEN)
return smc_listen_out_err(new_smc);
if (new_smc->use_fallback) {
@@ -2565,7 +2565,7 @@ static void smc_tcp_listen_work(struct work_struct *work)
{
struct smc_sock *lsmc = container_of(work, struct smc_sock,
tcp_listen_work);
- struct sock *lsk = &lsmc->sk;
+ struct sock *lsk = &lsmc->inet.sk;
struct smc_sock *new_smc;
int rc = 0;
@@ -2586,14 +2586,14 @@ static void smc_tcp_listen_work(struct work_struct *work)
sock_hold(lsk); /* sock_put in smc_listen_work */
INIT_WORK(&new_smc->smc_listen_work, smc_listen_work);
smc_copy_sock_settings_to_smc(new_smc);
- sock_hold(&new_smc->sk); /* sock_put in passive closing */
+ sock_hold(&new_smc->inet.sk); /* sock_put in passive closing */
if (!queue_work(smc_hs_wq, &new_smc->smc_listen_work))
- sock_put(&new_smc->sk);
+ sock_put(&new_smc->inet.sk);
}
out:
release_sock(lsk);
- sock_put(&lsmc->sk); /* sock_hold in smc_clcsock_data_ready() */
+ sock_put(&lsmc->inet.sk); /* sock_hold in smc_clcsock_data_ready() */
}
static void smc_clcsock_data_ready(struct sock *listen_clcsock)
@@ -2605,10 +2605,10 @@ static void smc_clcsock_data_ready(struct sock *listen_clcsock)
if (!lsmc)
goto out;
lsmc->clcsk_data_ready(listen_clcsock);
- if (lsmc->sk.sk_state == SMC_LISTEN) {
- sock_hold(&lsmc->sk); /* sock_put in smc_tcp_listen_work() */
+ if (lsmc->inet.sk.sk_state == SMC_LISTEN) {
+ sock_hold(&lsmc->inet.sk); /* sock_put in smc_tcp_listen_work() */
if (!queue_work(smc_tcp_ls_wq, &lsmc->tcp_listen_work))
- sock_put(&lsmc->sk);
+ sock_put(&lsmc->inet.sk);
}
out:
read_unlock_bh(&listen_clcsock->sk_callback_lock);
@@ -2692,7 +2692,7 @@ int smc_accept(struct socket *sock, struct socket *new_sock,
sock_hold(sk); /* sock_put below */
lock_sock(sk);
- if (lsmc->sk.sk_state != SMC_LISTEN) {
+ if (lsmc->inet.sk.sk_state != SMC_LISTEN) {
rc = -EINVAL;
release_sock(sk);
goto out;
@@ -3167,36 +3167,36 @@ int smc_ioctl(struct socket *sock, unsigned int cmd,
smc = smc_sk(sock->sk);
conn = &smc->conn;
- lock_sock(&smc->sk);
+ lock_sock(&smc->inet.sk);
if (smc->use_fallback) {
if (!smc->clcsock) {
- release_sock(&smc->sk);
+ release_sock(&smc->inet.sk);
return -EBADF;
}
answ = smc->clcsock->ops->ioctl(smc->clcsock, cmd, arg);
- release_sock(&smc->sk);
+ release_sock(&smc->inet.sk);
return answ;
}
switch (cmd) {
case SIOCINQ: /* same as FIONREAD */
- if (smc->sk.sk_state == SMC_LISTEN) {
- release_sock(&smc->sk);
+ if (smc->inet.sk.sk_state == SMC_LISTEN) {
+ release_sock(&smc->inet.sk);
return -EINVAL;
}
- if (smc->sk.sk_state == SMC_INIT ||
- smc->sk.sk_state == SMC_CLOSED)
+ if (smc->inet.sk.sk_state == SMC_INIT ||
+ smc->inet.sk.sk_state == SMC_CLOSED)
answ = 0;
else
answ = atomic_read(&smc->conn.bytes_to_rcv);
break;
case SIOCOUTQ:
/* output queue size (not send + not acked) */
- if (smc->sk.sk_state == SMC_LISTEN) {
- release_sock(&smc->sk);
+ if (smc->inet.sk.sk_state == SMC_LISTEN) {
+ release_sock(&smc->inet.sk);
return -EINVAL;
}
- if (smc->sk.sk_state == SMC_INIT ||
- smc->sk.sk_state == SMC_CLOSED)
+ if (smc->inet.sk.sk_state == SMC_INIT ||
+ smc->inet.sk.sk_state == SMC_CLOSED)
answ = 0;
else
answ = smc->conn.sndbuf_desc->len -
@@ -3204,23 +3204,23 @@ int smc_ioctl(struct socket *sock, unsigned int cmd,
break;
case SIOCOUTQNSD:
/* output queue size (not send only) */
- if (smc->sk.sk_state == SMC_LISTEN) {
- release_sock(&smc->sk);
+ if (smc->inet.sk.sk_state == SMC_LISTEN) {
+ release_sock(&smc->inet.sk);
return -EINVAL;
}
- if (smc->sk.sk_state == SMC_INIT ||
- smc->sk.sk_state == SMC_CLOSED)
+ if (smc->inet.sk.sk_state == SMC_INIT ||
+ smc->inet.sk.sk_state == SMC_CLOSED)
answ = 0;
else
answ = smc_tx_prepared_sends(&smc->conn);
break;
case SIOCATMARK:
- if (smc->sk.sk_state == SMC_LISTEN) {
- release_sock(&smc->sk);
+ if (smc->inet.sk.sk_state == SMC_LISTEN) {
+ release_sock(&smc->inet.sk);
return -EINVAL;
}
- if (smc->sk.sk_state == SMC_INIT ||
- smc->sk.sk_state == SMC_CLOSED) {
+ if (smc->inet.sk.sk_state == SMC_INIT ||
+ smc->inet.sk.sk_state == SMC_CLOSED) {
answ = 0;
} else {
smc_curs_copy(&cons, &conn->local_tx_ctrl.cons, conn);
@@ -3230,10 +3230,10 @@ int smc_ioctl(struct socket *sock, unsigned int cmd,
}
break;
default:
- release_sock(&smc->sk);
+ release_sock(&smc->inet.sk);
return -ENOIOCTLCMD;
}
- release_sock(&smc->sk);
+ release_sock(&smc->inet.sk);
return put_user(answ, (int __user *)arg);
}
@@ -3324,7 +3324,7 @@ int smc_create_clcsk(struct net *net, struct sock *sk, int family)
/* smc_clcsock_release() does not wait smc->clcsock->sk's
* destruction; its sk_state might not be TCP_CLOSE after
- * smc->sk is close()d, and TCP timers can be fired later,
+ * smc->inet.sk is close()d, and TCP timers can be fired later,
* which need net ref.
*/
sk = smc->clcsock->sk;
diff --git a/net/smc/smc.h b/net/smc/smc.h
index ad77d6b6b8d3..1caea41f04e9 100644
--- a/net/smc/smc.h
+++ b/net/smc/smc.h
@@ -283,10 +283,7 @@ struct smc_connection {
};
struct smc_sock { /* smc sock container */
- struct sock sk;
-#if IS_ENABLED(CONFIG_IPV6)
- struct ipv6_pinfo *pinet6;
-#endif
+ struct inet_sock inet;
struct socket *clcsock; /* internal tcp socket */
void (*clcsk_state_change)(struct sock *sk);
/* original stat_change fct. */
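Review bot: this is the one functional change in the patch and it carries no explanation, in the hunk or in a commit message, of why `struct smc_sock` must now begin with `struct inet_sock` instead of `struct sock`. The reasoning that would justify it is visible in the earlier patch's context (`static struct inet_protosw smc_inet6_protosw`): IPPROTO_SMC sockets are created through the inet socket layer, which initialises `struct inet_sock` fields on every socket it creates, so with only a `struct sock` at the head of `struct smc_sock` those writes land in whatever SMC members follow it. State that explicitly, since it is what ties the layout change to the smc_diag crash. Also note that the dropped `pinet6` member is provided by `struct inet_sock` under CONFIG_IPV6, and that the diffstat at the top of the patch shows no change to net/smc/smc_inet.c: if that file still refers to `pinet6` on `struct smc_sock` (for instance to compute an ipv6_pinfo offset for the IPv6 proto), it must be updated to the new member or the build breaks.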
@@ -330,7 +327,7 @@ struct smc_sock { /* smc sock container */
* */
};
-#define smc_sk(ptr) container_of_const(ptr, struct smc_sock, sk)
+#define smc_sk(ptr) container_of_const(ptr, struct smc_sock, inet.sk)
static inline void smc_init_saved_callbacks(struct smc_sock *smc)
{
diff --git a/net/smc/smc_cdc.c b/net/smc/smc_cdc.c
index 619b3bab3824..45d81c87b398 100644
--- a/net/smc/smc_cdc.c
+++ b/net/smc/smc_cdc.c
@@ -35,7 +35,7 @@ static void smc_cdc_tx_handler(struct smc_wr_tx_pend_priv *pnd_snd,
sndbuf_desc = conn->sndbuf_desc;
smc = container_of(conn, struct smc_sock, conn);
- bh_lock_sock(&smc->sk);
+ bh_lock_sock(&smc->inet.sk);
if (!wc_status && sndbuf_desc) {
diff = smc_curs_diff(sndbuf_desc->len,
&cdcpend->conn->tx_curs_fin,
@@ -56,7 +56,7 @@ static void smc_cdc_tx_handler(struct smc_wr_tx_pend_priv *pnd_snd,
* User context will later try to send when it release sock_lock
* in smc_release_cb()
*/
- if (sock_owned_by_user(&smc->sk))
+ if (sock_owned_by_user(&smc->inet.sk))
conn->tx_in_release_sock = true;
else
smc_tx_pending(conn);
@@ -67,7 +67,7 @@ static void smc_cdc_tx_handler(struct smc_wr_tx_pend_priv *pnd_snd,
WARN_ON(atomic_read(&conn->cdc_pend_tx_wr) < 0);
smc_tx_sndbuf_nonfull(smc);
- bh_unlock_sock(&smc->sk);
+ bh_unlock_sock(&smc->inet.sk);
}
int smc_cdc_get_free_slot(struct smc_connection *conn,
@@ -294,7 +294,7 @@ static void smc_cdc_handle_urg_data_arrival(struct smc_sock *smc,
/* new data included urgent business */
smc_curs_copy(&conn->urg_curs, &conn->local_rx_ctrl.prod, conn);
conn->urg_state = SMC_URG_VALID;
- if (!sock_flag(&smc->sk, SOCK_URGINLINE))
+ if (!sock_flag(&smc->inet.sk, SOCK_URGINLINE))
/* we'll skip the urgent byte, so don't account for it */
(*diff_prod)--;
base = (char *)conn->rmb_desc->cpu_addr + conn->rx_off;
@@ -302,7 +302,7 @@ static void smc_cdc_handle_urg_data_arrival(struct smc_sock *smc,
conn->urg_rx_byte = *(base + conn->urg_curs.count - 1);
else
conn->urg_rx_byte = *(base + conn->rmb_desc->len - 1);
- sk_send_sigurg(&smc->sk);
+ sk_send_sigurg(&smc->inet.sk);
}
static void smc_cdc_msg_validate(struct smc_sock *smc, struct smc_cdc_msg *cdc,
@@ -321,9 +321,9 @@ static void smc_cdc_msg_validate(struct smc_sock *smc, struct smc_cdc_msg *cdc,
conn->local_tx_ctrl.conn_state_flags.peer_conn_abort = 1;
conn->lnk = link;
spin_unlock_bh(&conn->send_lock);
- sock_hold(&smc->sk); /* sock_put in abort_work */
+ sock_hold(&smc->inet.sk); /* sock_put in abort_work */
if (!queue_work(smc_close_wq, &conn->abort_work))
- sock_put(&smc->sk);
+ sock_put(&smc->inet.sk);
}
}
@@ -383,10 +383,10 @@ static void smc_cdc_msg_recv_action(struct smc_sock *smc,
atomic_add(diff_prod, &conn->bytes_to_rcv);
/* guarantee 0 <= bytes_to_rcv <= rmb_desc->len */
smp_mb__after_atomic();
- smc->sk.sk_data_ready(&smc->sk);
+ smc->inet.sk.sk_data_ready(&smc->inet.sk);
} else {
if (conn->local_rx_ctrl.prod_flags.write_blocked)
- smc->sk.sk_data_ready(&smc->sk);
+ smc->inet.sk.sk_data_ready(&smc->inet.sk);
if (conn->local_rx_ctrl.prod_flags.urg_data_pending)
conn->urg_state = SMC_URG_NOTYET;
}
@@ -395,7 +395,7 @@ static void smc_cdc_msg_recv_action(struct smc_sock *smc,
if ((diff_cons && smc_tx_prepared_sends(conn)) ||
conn->local_rx_ctrl.prod_flags.cons_curs_upd_req ||
conn->local_rx_ctrl.prod_flags.urg_data_pending) {
- if (!sock_owned_by_user(&smc->sk))
+ if (!sock_owned_by_user(&smc->inet.sk))
smc_tx_pending(conn);
else
conn->tx_in_release_sock = true;
@@ -405,32 +405,32 @@ static void smc_cdc_msg_recv_action(struct smc_sock *smc,
atomic_read(&conn->peer_rmbe_space) == conn->peer_rmbe_size) {
/* urg data confirmed by peer, indicate we're ready for more */
conn->urg_tx_pend = false;
- smc->sk.sk_write_space(&smc->sk);
+ smc->inet.sk.sk_write_space(&smc->inet.sk);
}
if (conn->local_rx_ctrl.conn_state_flags.peer_conn_abort) {
- smc->sk.sk_err = ECONNRESET;
+ smc->inet.sk.sk_err = ECONNRESET;
conn->local_tx_ctrl.conn_state_flags.peer_conn_abort = 1;
}
if (smc_cdc_rxed_any_close_or_senddone(conn)) {
- smc->sk.sk_shutdown |= RCV_SHUTDOWN;
+ smc->inet.sk.sk_shutdown |= RCV_SHUTDOWN;
if (smc->clcsock && smc->clcsock->sk)
smc->clcsock->sk->sk_shutdown |= RCV_SHUTDOWN;
- smc_sock_set_flag(&smc->sk, SOCK_DONE);
- sock_hold(&smc->sk); /* sock_put in close_work */
+ smc_sock_set_flag(&smc->inet.sk, SOCK_DONE);
+ sock_hold(&smc->inet.sk); /* sock_put in close_work */
if (!queue_work(smc_close_wq, &conn->close_work))
- sock_put(&smc->sk);
+ sock_put(&smc->inet.sk);
}
}
/* called under tasklet context */
static void smc_cdc_msg_recv(struct smc_sock *smc, struct smc_cdc_msg *cdc)
{
- sock_hold(&smc->sk);
- bh_lock_sock(&smc->sk);
+ sock_hold(&smc->inet.sk);
+ bh_lock_sock(&smc->inet.sk);
smc_cdc_msg_recv_action(smc, cdc);
- bh_unlock_sock(&smc->sk);
- sock_put(&smc->sk); /* no free sk in softirq-context */
+ bh_unlock_sock(&smc->inet.sk);
+ sock_put(&smc->inet.sk); /* no free sk in softirq-context */
}
/* Schedule a tasklet for this connection. Triggered from the ISM device IRQ
diff --git a/net/smc/smc_clc.c b/net/smc/smc_clc.c
index 33fa787c28eb..c08ebc55f2ad 100644
--- a/net/smc/smc_clc.c
+++ b/net/smc/smc_clc.c
@@ -704,7 +704,7 @@ int smc_clc_wait_msg(struct smc_sock *smc, void *buf, int buflen,
if (signal_pending(current)) {
reason_code = -EINTR;
clc_sk->sk_err = EINTR;
- smc->sk.sk_err = EINTR;
+ smc->inet.sk.sk_err = EINTR;
goto out;
}
if (clc_sk->sk_err) {
@@ -713,17 +713,17 @@ int smc_clc_wait_msg(struct smc_sock *smc, void *buf, int buflen,
expected_type == SMC_CLC_DECLINE)
clc_sk->sk_err = 0; /* reset for fallback usage */
else
- smc->sk.sk_err = clc_sk->sk_err;
+ smc->inet.sk.sk_err = clc_sk->sk_err;
goto out;
}
if (!len) { /* peer has performed orderly shutdown */
- smc->sk.sk_err = ECONNRESET;
+ smc->inet.sk.sk_err = ECONNRESET;
reason_code = -ECONNRESET;
goto out;
}
if (len < 0) {
if (len != -EAGAIN || expected_type != SMC_CLC_DECLINE)
- smc->sk.sk_err = -len;
+ smc->inet.sk.sk_err = -len;
reason_code = len;
goto out;
}
@@ -732,7 +732,7 @@ int smc_clc_wait_msg(struct smc_sock *smc, void *buf, int buflen,
(clcm->version < SMC_V1) ||
((clcm->type != SMC_CLC_DECLINE) &&
(clcm->type != expected_type))) {
- smc->sk.sk_err = EPROTO;
+ smc->inet.sk.sk_err = EPROTO;
reason_code = -EPROTO;
goto out;
}
@@ -749,7 +749,7 @@ int smc_clc_wait_msg(struct smc_sock *smc, void *buf, int buflen,
krflags = MSG_WAITALL;
len = sock_recvmsg(smc->clcsock, &msg, krflags);
if (len < recvlen || !smc_clc_msg_hdr_valid(clcm, check_trl)) {
- smc->sk.sk_err = EPROTO;
+ smc->inet.sk.sk_err = EPROTO;
reason_code = -EPROTO;
goto out;
}
@@ -835,7 +835,7 @@ int smc_clc_send_proposal(struct smc_sock *smc, struct smc_init_info *ini)
struct smc_clc_smcd_gid_chid *gidchids;
struct smc_clc_msg_proposal_area *pclc;
struct smc_clc_ipv6_prefix *ipv6_prfx;
- struct net *net = sock_net(&smc->sk);
+ struct net *net = sock_net(&smc->inet.sk);
struct smc_clc_v2_extension *v2_ext;
struct smc_clc_msg_smcd *pclc_smcd;
struct smc_clc_msg_trail *trl;
@@ -1015,11 +1015,11 @@ int smc_clc_send_proposal(struct smc_sock *smc, struct smc_init_info *ini)
/* due to the few bytes needed for clc-handshake this cannot block */
len = kernel_sendmsg(smc->clcsock, &msg, vec, i, plen);
if (len < 0) {
- smc->sk.sk_err = smc->clcsock->sk->sk_err;
- reason_code = -smc->sk.sk_err;
+ smc->inet.sk.sk_err = smc->clcsock->sk->sk_err;
+ reason_code = -smc->inet.sk.sk_err;
} else if (len < ntohs(pclc_base->hdr.length)) {
reason_code = -ENETUNREACH;
- smc->sk.sk_err = -reason_code;
+ smc->inet.sk.sk_err = -reason_code;
}
kfree(pclc);
@@ -1208,10 +1208,10 @@ int smc_clc_send_confirm(struct smc_sock *smc, bool clnt_first_contact,
if (len < ntohs(cclc.hdr.length)) {
if (len >= 0) {
reason_code = -ENETUNREACH;
- smc->sk.sk_err = -reason_code;
+ smc->inet.sk.sk_err = -reason_code;
} else {
- smc->sk.sk_err = smc->clcsock->sk->sk_err;
- reason_code = -smc->sk.sk_err;
+ smc->inet.sk.sk_err = smc->clcsock->sk->sk_err;
+ reason_code = -smc->inet.sk.sk_err;
}
}
return reason_code;
@@ -1239,7 +1239,7 @@ int smc_clc_srv_v2x_features_validate(struct smc_sock *smc,
struct smc_init_info *ini)
{
struct smc_clc_v2_extension *pclc_v2_ext;
- struct net *net = sock_net(&smc->sk);
+ struct net *net = sock_net(&smc->inet.sk);
ini->max_conns = SMC_CONN_PER_LGR_MAX;
ini->max_links = SMC_LINKS_ADD_LNK_MAX;
diff --git a/net/smc/smc_close.c b/net/smc/smc_close.c
index 10219f55aad1..74020e9eba1b 100644
--- a/net/smc/smc_close.c
+++ b/net/smc/smc_close.c
@@ -49,7 +49,7 @@ static void smc_close_cleanup_listen(struct sock *parent)
static void smc_close_stream_wait(struct smc_sock *smc, long timeout)
{
DEFINE_WAIT_FUNC(wait, woken_wake_function);
- struct sock *sk = &smc->sk;
+ struct sock *sk = &smc->inet.sk;
if (!timeout)
return;
@@ -82,7 +82,7 @@ void smc_close_wake_tx_prepared(struct smc_sock *smc)
{
if (smc->wait_close_tx_prepared)
/* wake up socket closing */
- smc->sk.sk_state_change(&smc->sk);
+ smc->inet.sk.sk_state_change(&smc->inet.sk);
}
static int smc_close_wr(struct smc_connection *conn)
@@ -113,7 +113,7 @@ int smc_close_abort(struct smc_connection *conn)
static void smc_close_cancel_work(struct smc_sock *smc)
{
- struct sock *sk = &smc->sk;
+ struct sock *sk = &smc->inet.sk;
release_sock(sk);
if (cancel_work_sync(&smc->conn.close_work))
@@ -127,7 +127,7 @@ static void smc_close_cancel_work(struct smc_sock *smc)
*/
void smc_close_active_abort(struct smc_sock *smc)
{
- struct sock *sk = &smc->sk;
+ struct sock *sk = &smc->inet.sk;
bool release_clcsock = false;
if (sk->sk_state != SMC_INIT && smc->clcsock && smc->clcsock->sk) {
@@ -195,7 +195,7 @@ int smc_close_active(struct smc_sock *smc)
struct smc_cdc_conn_state_flags *txflags =
&smc->conn.local_tx_ctrl.conn_state_flags;
struct smc_connection *conn = &smc->conn;
- struct sock *sk = &smc->sk;
+ struct sock *sk = &smc->inet.sk;
int old_state;
long timeout;
int rc = 0;
@@ -313,7 +313,7 @@ static void smc_close_passive_abort_received(struct smc_sock *smc)
{
struct smc_cdc_conn_state_flags *txflags =
&smc->conn.local_tx_ctrl.conn_state_flags;
- struct sock *sk = &smc->sk;
+ struct sock *sk = &smc->inet.sk;
switch (sk->sk_state) {
case SMC_INIT:
@@ -361,7 +361,7 @@ static void smc_close_passive_work(struct work_struct *work)
struct smc_sock *smc = container_of(conn, struct smc_sock, conn);
struct smc_cdc_conn_state_flags *rxflags;
bool release_clcsock = false;
- struct sock *sk = &smc->sk;
+ struct sock *sk = &smc->inet.sk;
int old_state;
lock_sock(sk);
@@ -447,7 +447,7 @@ static void smc_close_passive_work(struct work_struct *work)
int smc_close_shutdown_write(struct smc_sock *smc)
{
struct smc_connection *conn = &smc->conn;
- struct sock *sk = &smc->sk;
+ struct sock *sk = &smc->inet.sk;
int old_state;
long timeout;
int rc = 0;
diff --git a/net/smc/smc_core.c b/net/smc/smc_core.c
index 3b95828d9976..86430ab7c0ef 100644
--- a/net/smc/smc_core.c
+++ b/net/smc/smc_core.c
@@ -180,7 +180,7 @@ static int smc_lgr_register_conn(struct smc_connection *conn, bool first)
/* find a new alert_token_local value not yet used by some connection
* in this link group
*/
- sock_hold(&smc->sk); /* sock_put in smc_lgr_unregister_conn() */
+ sock_hold(&smc->inet.sk); /* sock_put in smc_lgr_unregister_conn() */
while (!conn->alert_token_local) {
conn->alert_token_local = atomic_inc_return(&nexttoken);
if (smc_lgr_find_conn(conn->alert_token_local, conn->lgr))
@@ -203,7 +203,7 @@ static void __smc_lgr_unregister_conn(struct smc_connection *conn)
atomic_dec(&conn->lnk->conn_cnt);
lgr->conns_num--;
conn->alert_token_local = 0;
- sock_put(&smc->sk); /* sock_hold in smc_lgr_register_conn() */
+ sock_put(&smc->inet.sk); /* sock_hold in smc_lgr_register_conn() */
}
/* Unregister connection from lgr
@@ -1010,12 +1010,12 @@ static int smc_switch_cursor(struct smc_sock *smc, struct smc_cdc_tx_pend *pend,
/* recalculate, value is used by tx_rdma_writes() */
atomic_set(&smc->conn.peer_rmbe_space, smc_write_space(conn));
- if (smc->sk.sk_state != SMC_INIT &&
- smc->sk.sk_state != SMC_CLOSED) {
+ if (smc->inet.sk.sk_state != SMC_INIT &&
+ smc->inet.sk.sk_state != SMC_CLOSED) {
rc = smcr_cdc_msg_send_validation(conn, pend, wr_buf);
if (!rc) {
queue_delayed_work(conn->lgr->tx_wq, &conn->tx_work, 0);
- smc->sk.sk_data_ready(&smc->sk);
+ smc->inet.sk.sk_data_ready(&smc->inet.sk);
}
} else {
smc_wr_tx_put_slot(conn->lnk,
@@ -1072,23 +1072,23 @@ struct smc_link *smc_switch_conns(struct smc_link_group *lgr,
continue;
smc = container_of(conn, struct smc_sock, conn);
/* conn->lnk not yet set in SMC_INIT state */
- if (smc->sk.sk_state == SMC_INIT)
+ if (smc->inet.sk.sk_state == SMC_INIT)
continue;
- if (smc->sk.sk_state == SMC_CLOSED ||
- smc->sk.sk_state == SMC_PEERCLOSEWAIT1 ||
- smc->sk.sk_state == SMC_PEERCLOSEWAIT2 ||
- smc->sk.sk_state == SMC_APPFINCLOSEWAIT ||
- smc->sk.sk_state == SMC_APPCLOSEWAIT1 ||
- smc->sk.sk_state == SMC_APPCLOSEWAIT2 ||
- smc->sk.sk_state == SMC_PEERFINCLOSEWAIT ||
- smc->sk.sk_state == SMC_PEERABORTWAIT ||
- smc->sk.sk_state == SMC_PROCESSABORT) {
+ if (smc->inet.sk.sk_state == SMC_CLOSED ||
+ smc->inet.sk.sk_state == SMC_PEERCLOSEWAIT1 ||
+ smc->inet.sk.sk_state == SMC_PEERCLOSEWAIT2 ||
+ smc->inet.sk.sk_state == SMC_APPFINCLOSEWAIT ||
+ smc->inet.sk.sk_state == SMC_APPCLOSEWAIT1 ||
+ smc->inet.sk.sk_state == SMC_APPCLOSEWAIT2 ||
+ smc->inet.sk.sk_state == SMC_PEERFINCLOSEWAIT ||
+ smc->inet.sk.sk_state == SMC_PEERABORTWAIT ||
+ smc->inet.sk.sk_state == SMC_PROCESSABORT) {
spin_lock_bh(&conn->send_lock);
smc_switch_link_and_count(conn, to_lnk);
spin_unlock_bh(&conn->send_lock);
continue;
}
- sock_hold(&smc->sk);
+ sock_hold(&smc->inet.sk);
read_unlock_bh(&lgr->conns_lock);
/* pre-fetch buffer outside of send_lock, might sleep */
rc = smc_cdc_get_free_slot(conn, to_lnk, &wr_buf, NULL, &pend);
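Review bot: the nine comparisons of `smc->inet.sk.sk_state` in smc_switch_conns, together with the `sock_hold(&smc->inet.sk)` just below them, would read better through a local `struct sock *sk = &smc->inet.sk;` placed next to `smc = container_of(conn, struct smc_sock, conn);`, which is the style the smc_close.c and smc_rx.c hunks of this same patch already use (`if (sk->sk_state == SMC_CLOSED ||`). That also shortens the over-long condition, and a `switch (sk->sk_state)` with fall-through cases would be tidier still, though that is beyond a rename.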
@@ -1099,7 +1099,7 @@ struct smc_link *smc_switch_conns(struct smc_link_group *lgr,
smc_switch_link_and_count(conn, to_lnk);
rc = smc_switch_cursor(smc, pend, wr_buf);
spin_unlock_bh(&conn->send_lock);
- sock_put(&smc->sk);
+ sock_put(&smc->inet.sk);
if (rc)
goto err_out;
goto again;
@@ -1442,9 +1442,9 @@ void smc_lgr_put(struct smc_link_group *lgr)
static void smc_sk_wake_ups(struct smc_sock *smc)
{
- smc->sk.sk_write_space(&smc->sk);
- smc->sk.sk_data_ready(&smc->sk);
- smc->sk.sk_state_change(&smc->sk);
+ smc->inet.sk.sk_write_space(&smc->inet.sk);
+ smc->inet.sk.sk_data_ready(&smc->inet.sk);
+ smc->inet.sk.sk_state_change(&smc->inet.sk);
}
/* kill a connection */
@@ -1457,7 +1457,7 @@ static void smc_conn_kill(struct smc_connection *conn, bool soft)
else
smc_close_abort(conn);
conn->killed = 1;
- smc->sk.sk_err = ECONNABORTED;
+ smc->inet.sk.sk_err = ECONNABORTED;
smc_sk_wake_ups(smc);
if (conn->lgr->is_smcd) {
smc_ism_unset_conn(conn);
@@ -1511,11 +1511,11 @@ static void __smc_lgr_terminate(struct smc_link_group *lgr, bool soft)
read_unlock_bh(&lgr->conns_lock);
conn = rb_entry(node, struct smc_connection, alert_node);
smc = container_of(conn, struct smc_sock, conn);
- sock_hold(&smc->sk); /* sock_put below */
- lock_sock(&smc->sk);
+ sock_hold(&smc->inet.sk); /* sock_put below */
+ lock_sock(&smc->inet.sk);
smc_conn_kill(conn, soft);
- release_sock(&smc->sk);
- sock_put(&smc->sk); /* sock_hold above */
+ release_sock(&smc->inet.sk);
+ sock_put(&smc->inet.sk); /* sock_hold above */
read_lock_bh(&lgr->conns_lock);
node = rb_first(&lgr->conns_all);
}
@@ -1684,10 +1684,10 @@ static void smc_conn_abort_work(struct work_struct *work)
abort_work);
struct smc_sock *smc = container_of(conn, struct smc_sock, conn);
- lock_sock(&smc->sk);
+ lock_sock(&smc->inet.sk);
smc_conn_kill(conn, true);
- release_sock(&smc->sk);
- sock_put(&smc->sk); /* sock_hold done by schedulers of abort_work */
+ release_sock(&smc->inet.sk);
+ sock_put(&smc->inet.sk); /* sock_hold done by schedulers of abort_work */
}
void smcr_port_add(struct smc_ib_device *smcibdev, u8 ibport)
@@ -1910,7 +1910,7 @@ static bool smcd_lgr_match(struct smc_link_group *lgr,
int smc_conn_create(struct smc_sock *smc, struct smc_init_info *ini)
{
struct smc_connection *conn = &smc->conn;
- struct net *net = sock_net(&smc->sk);
+ struct net *net = sock_net(&smc->inet.sk);
struct list_head *lgr_list;
struct smc_link_group *lgr;
enum smc_lgr_role role;
@@ -2370,10 +2370,10 @@ static int __smc_buf_create(struct smc_sock *smc, bool is_smcd, bool is_rmb)
if (is_rmb)
/* use socket recv buffer size (w/o overhead) as start value */
- bufsize = smc->sk.sk_rcvbuf / 2;
+ bufsize = smc->inet.sk.sk_rcvbuf / 2;
else
/* use socket send buffer size (w/o overhead) as start value */
- bufsize = smc->sk.sk_sndbuf / 2;
+ bufsize = smc->inet.sk.sk_sndbuf / 2;
for (bufsize_comp = smc_compress_bufsize(bufsize, is_smcd, is_rmb);
bufsize_comp >= 0; bufsize_comp--) {
@@ -2432,7 +2432,7 @@ static int __smc_buf_create(struct smc_sock *smc, bool is_smcd, bool is_rmb)
if (is_rmb) {
conn->rmb_desc = buf_desc;
conn->rmbe_size_comp = bufsize_comp;
- smc->sk.sk_rcvbuf = bufsize * 2;
+ smc->inet.sk.sk_rcvbuf = bufsize * 2;
atomic_set(&conn->bytes_to_rcv, 0);
conn->rmbe_update_limit =
smc_rmb_wnd_update_limit(buf_desc->len);
@@ -2440,7 +2440,7 @@ static int __smc_buf_create(struct smc_sock *smc, bool is_smcd, bool is_rmb)
smc_ism_set_conn(conn); /* map RMB/smcd_dev to conn */
} else {
conn->sndbuf_desc = buf_desc;
- smc->sk.sk_sndbuf = bufsize * 2;
+ smc->inet.sk.sk_sndbuf = bufsize * 2;
atomic_set(&conn->sndbuf_space, bufsize);
}
return 0;
@@ -2525,7 +2525,7 @@ int smcd_buf_attach(struct smc_sock *smc)
if (rc)
goto free;
- smc->sk.sk_sndbuf = buf_desc->len;
+ smc->inet.sk.sk_sndbuf = buf_desc->len;
buf_desc->cpu_addr =
(u8 *)buf_desc->cpu_addr + sizeof(struct smcd_cdc_msg);
buf_desc->len -= sizeof(struct smcd_cdc_msg);
diff --git a/net/smc/smc_rx.c b/net/smc/smc_rx.c
index f0cbe77a80b4..f713d3180d67 100644
--- a/net/smc/smc_rx.c
+++ b/net/smc/smc_rx.c
@@ -60,7 +60,7 @@ static int smc_rx_update_consumer(struct smc_sock *smc,
union smc_host_cursor cons, size_t len)
{
struct smc_connection *conn = &smc->conn;
- struct sock *sk = &smc->sk;
+ struct sock *sk = &smc->inet.sk;
bool force = false;
int diff, rc = 0;
@@ -117,7 +117,7 @@ static void smc_rx_pipe_buf_release(struct pipe_inode_info *pipe,
struct smc_spd_priv *priv = (struct smc_spd_priv *)buf->private;
struct smc_sock *smc = priv->smc;
struct smc_connection *conn;
- struct sock *sk = &smc->sk;
+ struct sock *sk = &smc->inet.sk;
if (sk->sk_state == SMC_CLOSED ||
sk->sk_state == SMC_PEERFINCLOSEWAIT ||
@@ -211,7 +211,7 @@ static int smc_rx_splice(struct pipe_inode_info *pipe, char *src, size_t len,
bytes = splice_to_pipe(pipe, &spd);
if (bytes > 0) {
- sock_hold(&smc->sk);
+ sock_hold(&smc->inet.sk);
if (!lgr->is_smcd && smc->conn.rmb_desc->is_vm) {
for (i = 0; i < PAGE_ALIGN(bytes + offset) / PAGE_SIZE; i++)
get_page(pages[i]);
@@ -259,7 +259,7 @@ int smc_rx_wait(struct smc_sock *smc, long *timeo,
struct smc_connection *conn = &smc->conn;
struct smc_cdc_conn_state_flags *cflags =
&conn->local_tx_ctrl.conn_state_flags;
- struct sock *sk = &smc->sk;
+ struct sock *sk = &smc->inet.sk;
int rc;
if (fcrit(conn))
@@ -283,7 +283,7 @@ static int smc_rx_recv_urg(struct smc_sock *smc, struct msghdr *msg, int len,
{
struct smc_connection *conn = &smc->conn;
union smc_host_cursor cons;
- struct sock *sk = &smc->sk;
+ struct sock *sk = &smc->inet.sk;
int rc = 0;
if (sock_flag(sk, SOCK_URGINLINE) ||
@@ -360,7 +360,7 @@ int smc_rx_recvmsg(struct smc_sock *smc, struct msghdr *msg,
if (unlikely(flags & MSG_ERRQUEUE))
return -EINVAL; /* future work for sk.sk_family == AF_SMC */
- sk = &smc->sk;
+ sk = &smc->inet.sk;
if (sk->sk_state == SMC_LISTEN)
return -ENOTCONN;
if (flags & MSG_OOB)
@@ -449,7 +449,7 @@ int smc_rx_recvmsg(struct smc_sock *smc, struct msghdr *msg,
if (splbytes)
smc_curs_add(conn->rmb_desc->len, &cons, splbytes);
if (conn->urg_state == SMC_URG_VALID &&
- sock_flag(&smc->sk, SOCK_URGINLINE) &&
+ sock_flag(&smc->inet.sk, SOCK_URGINLINE) &&
readable > 1)
readable--; /* always stop at urgent Byte */
/* not more than what user space asked for */
@@ -509,7 +509,7 @@ int smc_rx_recvmsg(struct smc_sock *smc, struct msghdr *msg,
/* Initialize receive properties on connection establishment. NB: not __init! */
void smc_rx_init(struct smc_sock *smc)
{
- smc->sk.sk_data_ready = smc_rx_wake_up;
+ smc->inet.sk.sk_data_ready = smc_rx_wake_up;
atomic_set(&smc->conn.splice_pending, 0);
smc->conn.urg_state = SMC_URG_READ;
}
diff --git a/net/smc/smc_stats.h b/net/smc/smc_stats.h
index e19177ce4092..baaac41a8974 100644
--- a/net/smc/smc_stats.h
+++ b/net/smc/smc_stats.h
@@ -108,7 +108,7 @@ while (0)
#define SMC_STAT_TX_PAYLOAD(_smc, length, rcode) \
do { \
typeof(_smc) __smc = _smc; \
- struct net *_net = sock_net(&__smc->sk); \
+ struct net *_net = sock_net(&__smc->inet.sk); \
struct smc_stats __percpu *_smc_stats = _net->smc.smc_stats; \
typeof(length) _len = (length); \
typeof(rcode) _rc = (rcode); \
@@ -123,7 +123,7 @@ while (0)
#define SMC_STAT_RX_PAYLOAD(_smc, length, rcode) \
do { \
typeof(_smc) __smc = _smc; \
- struct net *_net = sock_net(&__smc->sk); \
+ struct net *_net = sock_net(&__smc->inet.sk); \
struct smc_stats __percpu *_smc_stats = _net->smc.smc_stats; \
typeof(length) _len = (length); \
typeof(rcode) _rc = (rcode); \
@@ -154,7 +154,7 @@ while (0)
#define SMC_STAT_RMB_SIZE(_smc, _is_smcd, _is_rx, _len) \
do { \
- struct net *_net = sock_net(&(_smc)->sk); \
+ struct net *_net = sock_net(&(_smc)->inet.sk); \
struct smc_stats __percpu *_smc_stats = _net->smc.smc_stats; \
typeof(_is_smcd) is_d = (_is_smcd); \
typeof(_is_rx) is_r = (_is_rx); \
@@ -172,7 +172,7 @@ while (0)
#define SMC_STAT_RMB(_smc, type, _is_smcd, _is_rx) \
do { \
- struct net *net = sock_net(&(_smc)->sk); \
+ struct net *net = sock_net(&(_smc)->inet.sk); \
struct smc_stats __percpu *_smc_stats = net->smc.smc_stats; \
typeof(_is_smcd) is_d = (_is_smcd); \
typeof(_is_rx) is_r = (_is_rx); \
@@ -218,7 +218,7 @@ while (0)
do { \
typeof(_smc) __smc = _smc; \
bool is_smcd = !(__smc)->conn.lnk; \
- struct net *net = sock_net(&(__smc)->sk); \
+ struct net *net = sock_net(&(__smc)->inet.sk); \
struct smc_stats __percpu *smc_stats = net->smc.smc_stats; \
if ((is_smcd)) \
this_cpu_inc(smc_stats->smc[SMC_TYPE_D].type); \
diff --git a/net/smc/smc_tracepoint.h b/net/smc/smc_tracepoint.h
index a9a6e3c1113a..243fb8647cfe 100644
--- a/net/smc/smc_tracepoint.h
+++ b/net/smc/smc_tracepoint.h
@@ -27,7 +27,7 @@ TRACE_EVENT(smc_switch_to_fallback,
),
TP_fast_assign(
- const struct sock *sk = &smc->sk;
+ const struct sock *sk = &smc->inet.sk;
const struct sock *clcsk = smc->clcsock->sk;
__entry->sk = sk;
@@ -55,7 +55,7 @@ DECLARE_EVENT_CLASS(smc_msg_event,
),
TP_fast_assign(
- const struct sock *sk = &smc->sk;
+ const struct sock *sk = &smc->inet.sk;
__entry->smc = smc;
__entry->net_cookie = sock_net(sk)->net_cookie;
diff --git a/net/smc/smc_tx.c b/net/smc/smc_tx.c
index 214ac3cbcf9a..29e780aee677 100644
--- a/net/smc/smc_tx.c
+++ b/net/smc/smc_tx.c
@@ -66,9 +66,9 @@ static void smc_tx_write_space(struct sock *sk)
*/
void smc_tx_sndbuf_nonfull(struct smc_sock *smc)
{
- if (smc->sk.sk_socket &&
- test_bit(SOCK_NOSPACE, &smc->sk.sk_socket->flags))
- smc->sk.sk_write_space(&smc->sk);
+ if (smc->inet.sk.sk_socket &&
+ test_bit(SOCK_NOSPACE, &smc->inet.sk.sk_socket->flags))
+ smc->inet.sk.sk_write_space(&smc->inet.sk);
}
/* blocks sndbuf producer until at least one byte of free space available
@@ -78,7 +78,7 @@ static int smc_tx_wait(struct smc_sock *smc, int flags)
{
DEFINE_WAIT_FUNC(wait, woken_wake_function);
struct smc_connection *conn = &smc->conn;
- struct sock *sk = &smc->sk;
+ struct sock *sk = &smc->inet.sk;
long timeo;
int rc = 0;
@@ -148,7 +148,7 @@ static bool smc_should_autocork(struct smc_sock *smc)
int corking_size;
corking_size = min_t(unsigned int, conn->sndbuf_desc->len >> 1,
- sock_net(&smc->sk)->smc.sysctl_autocorking_size);
+ sock_net(&smc->inet.sk)->smc.sysctl_autocorking_size);
if (atomic_read(&conn->cdc_pend_tx_wr) == 0 ||
smc_tx_prepared_sends(conn) > corking_size)
@@ -184,7 +184,7 @@ int smc_tx_sendmsg(struct smc_sock *smc, struct msghdr *msg, size_t len)
size_t chunk_len, chunk_off, chunk_len_sum;
struct smc_connection *conn = &smc->conn;
union smc_host_cursor prep;
- struct sock *sk = &smc->sk;
+ struct sock *sk = &smc->inet.sk;
char *sndbuf_base;
int tx_cnt_prep;
int writespace;
@@ -211,8 +211,8 @@ int smc_tx_sendmsg(struct smc_sock *smc, struct msghdr *msg, size_t len)
SMC_STAT_INC(smc, urg_data_cnt);
while (msg_data_left(msg)) {
- if (smc->sk.sk_shutdown & SEND_SHUTDOWN ||
- (smc->sk.sk_err == ECONNABORTED) ||
+ if (smc->inet.sk.sk_shutdown & SEND_SHUTDOWN ||
+ (smc->inet.sk.sk_err == ECONNABORTED) ||
conn->killed)
return -EPIPE;
if (smc_cdc_rxed_any_close(conn))
@@ -562,8 +562,8 @@ static int smcr_tx_sndbuf_nonempty(struct smc_connection *conn)
struct smc_sock *smc =
container_of(conn, struct smc_sock, conn);
- if (smc->sk.sk_err == ECONNABORTED)
- return sock_error(&smc->sk);
+ if (smc->inet.sk.sk_err == ECONNABORTED)
+ return sock_error(&smc->inet.sk);
if (conn->killed)
return -EPIPE;
rc = 0;
@@ -664,7 +664,7 @@ void smc_tx_pending(struct smc_connection *conn)
struct smc_sock *smc = container_of(conn, struct smc_sock, conn);
int rc;
- if (smc->sk.sk_err)
+ if (smc->inet.sk.sk_err)
return;
rc = smc_tx_sndbuf_nonempty(conn);
@@ -684,9 +684,9 @@ void smc_tx_work(struct work_struct *work)
tx_work);
struct smc_sock *smc = container_of(conn, struct smc_sock, conn);
- lock_sock(&smc->sk);
+ lock_sock(&smc->inet.sk);
smc_tx_pending(conn);
- release_sock(&smc->sk);
+ release_sock(&smc->inet.sk);
}
void smc_tx_consumer_update(struct smc_connection *conn, bool force)
@@ -730,5 +730,5 @@ void smc_tx_consumer_update(struct smc_connection *conn, bool force)
/* Initialize send properties on connection establishment. NB: not __init! */
void smc_tx_init(struct smc_sock *smc)
{
- smc->sk.sk_write_space = smc_tx_write_space;
+ smc->inet.sk.sk_write_space = smc_tx_write_space;
}
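Review bot: before relying on this rename as the fix, note syzbot's test result for the patch (the message that follows): the same reproducer still faults in smc_diag_msg_common_fill (net/smc/smc_diag.c:44, inlined into __smc_diag_dump and smc_diag_dump_proto), now as a wild access at 0xdead4ead00000018 instead of the earlier null-pointer dereference in 0x8..0xf. The upper 32 bits of that address, 0xdead4ead, are the SPINLOCK_MAGIC debug pattern; an 8-byte value of 0xdead4ead00000000 is what one reads from the start of an unlocked debug spinlock (4-byte lock word of zero followed by the magic), so the diag path appears to have loaded a "pointer" from a field that actually holds a spinlock, i.e. an offset that no longer matches the structure layout. The disassembly agrees: `mov (%rbx),%rbx` loads that value, `add $0x18,%rbx` forms the faulting address and the KASAN `cmpb` on the shadow byte traps. The net/smc/smc_diag.c side of the change, in particular how smc_diag_msg_common_fill derives the sock it fills from the smc_sock it is handed, needs the same review as these hunks.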
--
* Re: [syzbot] [net?] [s390?] general protection fault in smc_diag_dump_proto
2024-09-19 12:43 ` Jeongjun Park
@ 2024-09-19 17:34 ` syzbot
0 siblings, 0 replies; 18+ messages in thread
From: syzbot @ 2024-09-19 17:34 UTC (permalink / raw)
To: aha310510, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in smc_diag_dump_proto
Oops: general protection fault, probably for non-canonical address 0xfbd5a5d5a0000003: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: maybe wild-memory-access in range [0xdead4ead00000018-0xdead4ead0000001f]
CPU: 0 UID: 0 PID: 6342 Comm: syz.0.53 Not tainted 6.11.0-syzkaller-07337-g2004cef11ea0-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
RIP: 0010:smc_diag_msg_common_fill net/smc/smc_diag.c:44 [inline]
RIP: 0010:__smc_diag_dump net/smc/smc_diag.c:89 [inline]
RIP: 0010:smc_diag_dump_proto+0x6d9/0x3270 net/smc/smc_diag.c:217
Code: 80 3c 2c 00 74 08 48 89 df e8 e3 0e 96 f6 48 89 5c 24 30 48 8b 1b 48 85 db 0f 84 2d 02 00 00 48 83 c3 18 48 89 d8 48 c1 e8 03 <42> 80 3c 28 00 74 08 48 89 df e8 b8 0e 96 f6 48 8b 44 24 28 4c 8d
RSP: 0018:ffffc90002f2eb00 EFLAGS: 00010a06
RAX: 1bd5a9d5a0000003 RBX: dead4ead00000018 RCX: ffff8880205c1e00
RDX: 0000000000000000 RSI: 0000000080000001 RDI: 0000000000000000
RBP: ffffc90002f2ef90 R08: ffffffff8999ab82 R09: 1ffff1100fa0900b
R10: dffffc0000000000 R11: ffffed100fa0900c R12: 1ffff1100fa090c5
R13: dffffc0000000000 R14: ffff88807d048000 R15: ffff888022a68010
FS: 00007f5b5848e6c0(0000) GS:ffff8880b9200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f5b5848dfa8 CR3: 00000000279b8000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
smc_diag_dump+0x59/0xa0 net/smc/smc_diag.c:236
netlink_dump+0x647/0xd80 net/netlink/af_netlink.c:2325
__netlink_dump_start+0x5a2/0x790 net/netlink/af_netlink.c:2440
netlink_dump_start include/linux/netlink.h:339 [inline]
smc_diag_handler_dump+0x1ab/0x250 net/smc/smc_diag.c:251
sock_diag_rcv_msg+0x3dc/0x5f0
netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2550
netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]
netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1357
netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1901
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x221/0x270 net/socket.c:745
sock_sendmsg+0x134/0x200 net/socket.c:768
splice_to_socket+0xa10/0x10b0 fs/splice.c:889
do_splice_from fs/splice.c:941 [inline]
do_splice+0xd68/0x18e0 fs/splice.c:1354
__do_splice fs/splice.c:1436 [inline]
__do_sys_splice fs/splice.c:1652 [inline]
__se_sys_splice+0x331/0x4a0 fs/splice.c:1634
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f5b57775f19
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f5b5848e048 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
RAX: ffffffffffffffda RBX: 00007f5b57906038 RCX: 00007f5b57775f19
RDX: 0000000000000005 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00007f5b577e4e68 R08: 0000000080000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000006e R14: 00007f5b57906038 R15: 00007ffdbb5552f8
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:smc_diag_msg_common_fill net/smc/smc_diag.c:44 [inline]
RIP: 0010:__smc_diag_dump net/smc/smc_diag.c:89 [inline]
RIP: 0010:smc_diag_dump_proto+0x6d9/0x3270 net/smc/smc_diag.c:217
Code: 80 3c 2c 00 74 08 48 89 df e8 e3 0e 96 f6 48 89 5c 24 30 48 8b 1b 48 85 db 0f 84 2d 02 00 00 48 83 c3 18 48 89 d8 48 c1 e8 03 <42> 80 3c 28 00 74 08 48 89 df e8 b8 0e 96 f6 48 8b 44 24 28 4c 8d
RSP: 0018:ffffc90002f2eb00 EFLAGS: 00010a06
RAX: 1bd5a9d5a0000003 RBX: dead4ead00000018 RCX: ffff8880205c1e00
RDX: 0000000000000000 RSI: 0000000080000001 RDI: 0000000000000000
RBP: ffffc90002f2ef90 R08: ffffffff8999ab82 R09: 1ffff1100fa0900b
R10: dffffc0000000000 R11: ffffed100fa0900c R12: 1ffff1100fa090c5
R13: dffffc0000000000 R14: ffff88807d048000 R15: ffff888022a68010
FS: 00007f5b5848e6c0(0000) GS:ffff8880b9200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f5b5848dfa8 CR3: 00000000279b8000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 80 3c 2c 00 cmpb $0x0,(%rsp,%rbp,1)
4: 74 08 je 0xe
6: 48 89 df mov %rbx,%rdi
9: e8 e3 0e 96 f6 call 0xf6960ef1
e: 48 89 5c 24 30 mov %rbx,0x30(%rsp)
13: 48 8b 1b mov (%rbx),%rbx
16: 48 85 db test %rbx,%rbx
19: 0f 84 2d 02 00 00 je 0x24c
1f: 48 83 c3 18 add $0x18,%rbx
23: 48 89 d8 mov %rbx,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 42 80 3c 28 00 cmpb $0x0,(%rax,%r13,1) <-- trapping instruction
2f: 74 08 je 0x39
31: 48 89 df mov %rbx,%rdi
34: e8 b8 0e 96 f6 call 0xf6960ef1
39: 48 8b 44 24 28 mov 0x28(%rsp),%rax
3e: 4c rex.WR
3f: 8d .byte 0x8d
Tested on:
commit: 2004cef1 Merge tag 'sched-core-2024-09-19' of git://gi..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1228b69f980000
kernel config: https://syzkaller.appspot.com/x/.config?x=45ec9bead13b378d
dashboard link: https://syzkaller.appspot.com/bug?extid=f69bfae0a4eb29976e44
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=114ba607980000
* Re: [syzbot] [smc?] general protection fault in smc_diag_dump_proto
2024-08-09 16:27 [syzbot] [net?] [s390?] general protection fault in smc_diag_dump_proto syzbot
` (5 preceding siblings ...)
2024-09-19 12:43 ` Jeongjun Park
@ 2025-12-07 4:29 ` syzbot
2025-12-17 9:39 ` Alexandra Winter
2025-12-16 17:15 ` Forwarded: " syzbot
` (2 subsequent siblings)
9 siblings, 1 reply; 18+ messages in thread
From: syzbot @ 2025-12-07 4:29 UTC (permalink / raw)
To: agordeev, aha310510, alibuda, davem, dust.li, edumazet, gbayer,
guwen, horms, jaka, julianr, kuba, linux-kernel, linux-rdma,
linux-s390, lizhi.xu, netdev, pabeni, sidraya, syzkaller-bugs,
tonylu, wenjia, wintera
syzbot suspects this issue was fixed by commit:
commit d324a2ca3f8efd57f5839aa2690554a5cbb3586f
Author: Alexandra Winter <wintera@linux.ibm.com>
Date: Thu Sep 18 11:04:50 2025 +0000
dibs: Register smc as dibs_client
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=16d64eb4580000
start commit: dbb9a7ef3478 net: fjes: use ethtool string helpers
git tree: net-next
kernel config: https://syzkaller.appspot.com/x/.config?x=a9d1c42858837b59
dashboard link: https://syzkaller.appspot.com/bug?extid=f69bfae0a4eb29976e44
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=178f0d5f980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10906b40580000
If the result looks correct, please mark the issue as fixed by replying with:
#syz fix: dibs: Register smc as dibs_client
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
* Forwarded: Re: [syzbot] [smc?] general protection fault in smc_diag_dump_proto
2024-08-09 16:27 [syzbot] [net?] [s390?] general protection fault in smc_diag_dump_proto syzbot
` (6 preceding siblings ...)
2025-12-07 4:29 ` [syzbot] [smc?] " syzbot
@ 2025-12-16 17:15 ` syzbot
2025-12-17 8:18 ` Forwarded: " syzbot
2025-12-22 9:50 ` Forwarded: Re: [PATCH net] net/smc: Initialize smc hashtables before registering users syzbot
9 siblings, 0 replies; 18+ messages in thread
From: syzbot @ 2025-12-16 17:15 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: Re: [syzbot] [smc?] general protection fault in smc_diag_dump_proto
Author: wintera@linux.ibm.com
#syz test
--- a/net/smc/af_smc.c
+++ b/net/smc/af_smc.c
@@ -3524,6 +3524,9 @@ static int __init smc_init(void)
goto out_pernet_subsys_stat;
smc_clc_init();
+ INIT_HLIST_HEAD(&smc_v4_hashinfo.ht);
+ INIT_HLIST_HEAD(&smc_v6_hashinfo.ht);
+
rc = smc_nl_init();
if (rc)
goto out_ism;
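Review bot: the new position right after smc_clc_init() is ahead of smc_nl_init(), proto_register() and sock_register(), which is the ordering the cover text asks for; since INIT_HLIST_HEAD only stores a NULL `first` pointer, nothing has to be undone on the `out_ism` and later error paths, so the one-sided move is safe. Two things would strengthen the hunk: a one-line comment stating that the heads must be valid before any registration exposes the protocol, so that a later cleanup does not move them back; and, if `smc_v4_hashinfo` and `smc_v6_hashinfo` are static definitions (not visible in this hunk), a check whether the runtime INIT_HLIST_HEAD is needed at all, because zero-initialised static storage already yields an empty `hlist_head` and `.ht` could equally be set at the definition with HLIST_HEAD_INIT, removing the ordering dependency entirely.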
@@ -3581,8 +3584,6 @@ static int __init smc_init(void)
pr_err("%s: sock_register fails with %d\n", __func__, rc);
goto out_proto6;
}
- INIT_HLIST_HEAD(&smc_v4_hashinfo.ht);
- INIT_HLIST_HEAD(&smc_v6_hashinfo.ht);
rc = smc_ib_register_client();
if (rc) {
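Review bot: removing the old calls after sock_register() completes the move, but the commit message should name the concrete user that can reach `smc_v4_hashinfo.ht` between sock_register() and this former position. The crashing path in the report is smc_diag_dump, which is registered by smc_diag's own init through sock_diag_register, not by smc_nl_init(), as Dust Li points out in the reply further down, so the reordering as described does not by itself explain the null dereference in smc_diag_dump_proto; the change is still a reasonable hardening of smc_init(), but it should not carry a Fixes or Reported-by for this report unless that link is shown.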
* Forwarded: [syzbot] [smc?] general protection fault in smc_diag_dump_proto
2024-08-09 16:27 [syzbot] [net?] [s390?] general protection fault in smc_diag_dump_proto syzbot
` (7 preceding siblings ...)
2025-12-16 17:15 ` Forwarded: " syzbot
@ 2025-12-17 8:18 ` syzbot
2025-12-22 9:50 ` Forwarded: Re: [PATCH net] net/smc: Initialize smc hashtables before registering users syzbot
9 siblings, 0 replies; 18+ messages in thread
From: syzbot @ 2025-12-17 8:18 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: [syzbot] [smc?] general protection fault in smc_diag_dump_proto
Author: wintera@linux.ibm.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git ffff5c8fc2af
--- a/net/smc/af_smc.c
+++ b/net/smc/af_smc.c
@@ -3524,6 +3524,9 @@ static int __init smc_init(void)
goto out_pernet_subsys_stat;
smc_clc_init();
+ INIT_HLIST_HEAD(&smc_v4_hashinfo.ht);
+ INIT_HLIST_HEAD(&smc_v6_hashinfo.ht);
+
rc = smc_nl_init();
if (rc)
goto out_ism;
@@ -3581,8 +3584,6 @@ static int __init smc_init(void)
pr_err("%s: sock_register fails with %d\n", __func__, rc);
goto out_proto6;
}
- INIT_HLIST_HEAD(&smc_v4_hashinfo.ht);
- INIT_HLIST_HEAD(&smc_v6_hashinfo.ht);
rc = smc_ib_register_client();
if (rc) {
* Re: [syzbot] [smc?] general protection fault in smc_diag_dump_proto
2025-12-07 4:29 ` [syzbot] [smc?] " syzbot
@ 2025-12-17 9:39 ` Alexandra Winter
0 siblings, 0 replies; 18+ messages in thread
From: Alexandra Winter @ 2025-12-17 9:39 UTC (permalink / raw)
To: syzbot, agordeev, aha310510, alibuda, davem, dust.li, edumazet,
gbayer, guwen, horms, jaka, julianr, kuba, linux-kernel,
linux-rdma, linux-s390, lizhi.xu, netdev, pabeni, sidraya,
syzkaller-bugs, tonylu, wenjia
On 07.12.25 05:29, syzbot wrote:
> syzbot suspects this issue was fixed by commit:
>
> commit d324a2ca3f8efd57f5839aa2690554a5cbb3586f
> Author: Alexandra Winter <wintera@linux.ibm.com>
> Date: Thu Sep 18 11:04:50 2025 +0000
>
> dibs: Register smc as dibs_client
>
> bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=16d64eb4580000
> start commit: dbb9a7ef3478 net: fjes: use ethtool string helpers
> git tree: net-next
> kernel config: https://syzkaller.appspot.com/x/.config?x=a9d1c42858837b59
> dashboard link: https://syzkaller.appspot.com/bug?extid=f69bfae0a4eb29976e44
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=178f0d5f980000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10906b40580000
>
> If the result looks correct, please mark the issue as fixed by replying with:
>
> #syz fix: dibs: Register smc as dibs_client
>
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection
Unfortunately, I don't think
d324a2ca3f8e ("dibs: Register smc as dibs_client")
has fixed this issue.
Iiuc https://syzkaller.appspot.com/bug?extid=f69bfae0a4eb29976e44 shows an occurrence on
2025/10/17 13:18 net-next 7e0d4c111369
that code level already contains the bisected commit 7e0d4c111369.
Looking at net/smc/af_smc.c:smc_init()
I think the bisected patch has changed the timing of smc_ism_init() which may have led to the bisect result.
I think the issue may stem from the order of calls in smc_init().
Especially smc_nl_init(), proto_register(&smc_proto, 1), proto_register(&smc_proto6, 1), sock_register(&smc_sock_family_ops)
are all being called before:
INIT_HLIST_HEAD(&smc_v4_hashinfo.ht);
INIT_HLIST_HEAD(&smc_v6_hashinfo.ht);
I think this can lead to the described "KASAN: null-ptr-deref", when calling smc_diag_handler() while the module is still being initialized.
I tried to reproduce such a race by calling smc_pnet and 'modprobe -r smc_diag smc'. But I did not hit a KASAN warning with that setting.
I'll send a patch nevertheless.
* Forwarded: Re: [PATCH net] net/smc: Initialize smc hashtables before registering users
2024-08-09 16:27 [syzbot] [net?] [s390?] general protection fault in smc_diag_dump_proto syzbot
` (8 preceding siblings ...)
2025-12-17 8:18 ` Forwarded: " syzbot
@ 2025-12-22 9:50 ` syzbot
9 siblings, 0 replies; 18+ messages in thread
From: syzbot @ 2025-12-22 9:50 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: Re: [PATCH net] net/smc: Initialize smc hashtables before registering users
Author: wintera@linux.ibm.com
On 17.12.25 16:25, Dust Li wrote:
> On 2025-12-17 12:48:19, Alexandra Winter wrote:
>> During initialisation of the SMC module initialize smc_v4/6_hashinfo before
>> calling smc_nl_init(), proto_register() or sock_register(), to avoid a race
>> that can cause use of an uninitialised pointer in case an smc protocol is
>> called before the module is done initialising.
>>
>> syzbot report:
>> KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
>> Call Trace:
>> <TASK>
>> smc_diag_dump+0x59/0xa0 net/smc/smc_diag.c:236
>> netlink_dump+0x647/0xd80 net/netlink/af_netlink.c:2325
>> __netlink_dump_start+0x59f/0x780 net/netlink/af_netlink.c:2440
>> netlink_dump_start include/linux/netlink.h:339 [inline]
>> smc_diag_handler_dump+0x1ab/0x250 net/smc/smc_diag.c:251
>> sock_diag_rcv_msg+0x3dc/0x5f0
>> netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2550
>> netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]
>> netlink_unicast+0x7f0/0x990 net/netlink/af_netlink.c:1357
>> netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1901
>
> I don't think this is related to smc_nl_init().
>
> Here the calltrace is smc_diag_dump(), which was registered in
> sock_diag_register(&smc_diag_handler).
>
> But smc_nl_init() is registering the general netlink in SMC,
> which is unrelated to smc_diag_dump().
I had assumed some dependency between the smc netlink diag socket and smc_nl_init()
and wrongly assumed that the smc_diag_init() and smc_init() could race.
I now understand that modprobe will ensure smc_diag_init() is called before smc_init(),
so you are right: this patch is indeed NOT a fix for this syzbot report [1].
> I think the root cause should be related to the initializing between
> smc_diag.ko and smc_v4/6_hashinfo.ht.
Given that modprobe initializes the modules sequentially, I do not see how these could race.
I guess this syzbot report was fixed by
f584239a9ed2 ("net/smc: fix general protection fault in __smc_diag_dump")
as reported in [2].
I'm not sure about the correct procedure; if nobody recommends a better action, I'll send a
#syz dup: general protection fault in __smc_diag_dump
to
syzbot+f69bfae0a4eb29976e44@syzkaller.appspotmail.com
(this one: general protection fault in smc_diag_dump_proto [1]).
I still think initializing the hashtables before smc_nl_init()
makes sense. I'll resend this patch without mentioning syzbot.
-----
[1] https://syzkaller.appspot.com/bug?extid=f69bfae0a4eb29976e44
[2] https://syzkaller.appspot.com/bug?extid=f775be4458668f7d220e
Thread overview: 18+ messages
2024-08-09 16:27 [syzbot] [net?] [s390?] general protection fault in smc_diag_dump_proto syzbot
2024-08-12 9:28 ` [syzbot] " syzbot
2024-08-13 1:16 ` syzbot
2024-08-13 3:21 ` syzbot
2024-09-18 9:05 ` Jeongjun Park
2024-09-18 12:13 ` syzbot
2024-09-18 16:04 ` Jeongjun Park
2024-09-18 16:43 ` syzbot
2024-09-19 12:43 ` Jeongjun Park
2024-09-19 17:34 ` syzbot
2025-12-07 4:29 ` [syzbot] [smc?] " syzbot
2025-12-17 9:39 ` Alexandra Winter
2025-12-16 17:15 ` Forwarded: " syzbot
2025-12-17 8:18 ` Forwarded: " syzbot
2025-12-22 9:50 ` Forwarded: Re: [PATCH net] net/smc: Initialize smc hashtables before registering users syzbot
[not found] <20240812092841.3289430-1-lizhi.xu@windriver.com>
2024-08-12 19:49 ` [syzbot] [net?] [s390?] general protection fault in smc_diag_dump_proto syzbot
[not found] <150BE896-1707-44C5-B741-C9F42F712269@gmail.com>
2024-08-13 1:22 ` syzbot
[not found] <20240813032139.161994-1-aha310510@gmail.com>
2024-08-13 3:58 ` syzbot