From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mail-pj1-f74.google.com (mail-pj1-f74.google.com [209.85.216.74])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 49249211A05
	for <netdev@vger.kernel.org>; Fri, 17 Oct 2025 05:51:14 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.216.74
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1760680276; cv=none; b=VXqPZfz/sJdw3q0/oygMLjzMzz3Ri24KPopZymAGJVyHdbRI8IyG2XKh2owgfzIfNxXBGFJ4Iqpc4pGvwZk8IIiC1tvMPaMYd8Q4E16z8LqSMvxolJ5K18h8eeJuGmDGjg/p7M+ixTfye7SymBqETUAHAiismdPfxvk4i3Mp6J4=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1760680276; c=relaxed/simple;
	bh=13KaXPPBpbfcG6C8nBRjdaf4oecJDmYDO7c9uepKSiE=;
	h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From:
	 To:Cc:Content-Type; b=IAqkl5GyykcA1y3+1W7I5KOaAcxuMw2T4dEo+Jsqn4hHSW0nkAHYc/ukhwYAk7bk69uZfTVSn4UdR38b48/Hy6ED0umU4wUTrcUoOBwlTfjyy2ReRTfG5UjjdxWQ1RINs2gHfgLW3La7bD4KGndRzE68V2GEE/iZR5/PCT0sjWs=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--kuniyu.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=leproxXA; arc=none smtp.client-ip=209.85.216.74
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--kuniyu.bounces.google.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="leproxXA"
Received: by mail-pj1-f74.google.com with SMTP id 98e67ed59e1d1-33428befc49so2617053a91.0
        for <netdev@vger.kernel.org>; Thu, 16 Oct 2025 22:51:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20230601; t=1760680274; x=1761285074; darn=vger.kernel.org;
        h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
         :date:from:to:cc:subject:date:message-id:reply-to;
        bh=+ehYGuUNYau4pdQan1QOF5/3bIPq29aJSlHS/4iCE5o=;
        b=leproxXArdzVgcOAox240/ISo8GzS2a9RUTRCqJ7mEQ43Wyo2yAZSusg3tScp5mOGD
         Y1pO83PYtShvug1kou5dlutUOtuKw8HNdO1kTKaL6iP4uK4gc9RQRYX8cRtNgO2FN4V+
         fzXGSoQvO3I5A7arscY+fj13hWp+Wv7CEOzPPTcGnKLM2HTYMPiGVLDpwNu93eU/iZdu
         1zXwBy0VwsaCmHacWIjokno5ttLWyQPUEQ2OriBXsuCzWgU5r8TKMb2oBvJleW0Jimxi
         6f8NOhPPaRk5gyLkI2Q9sn2gOeV1mxq733Mf9VYT5SwWMVzJ+b9JV7GwKjZfb7oIy9fK
         k2VA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1760680274; x=1761285074;
        h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
         :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
        bh=+ehYGuUNYau4pdQan1QOF5/3bIPq29aJSlHS/4iCE5o=;
        b=s2dyyMPOn3v/7wXV42FMu5s8cJV4d74khWAhar9JhS8U8PSG+pkG/+WlzFJDfl4ZDB
         lIgXYNJhCMQMoumQ6IK5B9eJ8AQq7Ill02+4+m0F1e/p//lCyDGpR5Vc1bWoWP9FtbmE
         BSEhNp9HRig3Lowcn35pbgV2UYYNwYuwlE5C9DQLCt+VUcIJItocmJJ4U91HUGAyRusJ
         c5ioObQdxx3Qb7qmvPOuWdcCG859Mo7GTY97j7KVk+WY44VKe/QROn+0Z55zoYG3Uu1k
         L27g9tjYB4x1TydnXXi7PkeRFrZzcmIXwLS0XaTHSwcIPWebVB0oJQFoaOiDWOZw7YS/
         y/oA==
X-Forwarded-Encrypted: i=1; AJvYcCVmqxXirBe0A5Iy7jExlW+QJcdr2CJxZmdFcXqfYllf/1+zyaBqDDZFbeuQRYgNfQbFB65vy6s=@vger.kernel.org
X-Gm-Message-State: AOJu0YxVx1vCM32nhChSBKu6yakktoNjkxSraWLnM3xyOaS7gJs69Goy
	on+ffxGjD0xs3i/gupC9i2sXVzXxaGBNDdrOnFNO0rgNcoHJxSxuq2hKmucMCIF5hJ8X5iMXDZj
	PM+kteA==
X-Google-Smtp-Source: AGHT+IF/lzWram1mWybPkde6TISe124U50FS51hqLQw7Zc7FZYIDpxH+DNi5gWGs/h3xtwwt9cS60OYOz6I=
X-Received: from pjbse5.prod.google.com ([2002:a17:90b:5185:b0:33b:51fe:1a88])
 (user=kuniyu job=prod-delivery.src-stubby-dispatcher) by 2002:a17:90b:1dc4:b0:32e:716d:4d2b
 with SMTP id 98e67ed59e1d1-33bc9b77638mr3445872a91.3.1760680273652; Thu, 16
 Oct 2025 22:51:13 -0700 (PDT)
Date: Fri, 17 Oct 2025 05:48:50 +0000
In-Reply-To: <20251017024827.3137512-1-wangliang74@huawei.com>
Precedence: bulk
X-Mailing-List: netdev@vger.kernel.org
List-Id: <netdev.vger.kernel.org>
List-Subscribe: <mailto:netdev+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:netdev+unsubscribe@vger.kernel.org>
Mime-Version: 1.0
References: <20251017024827.3137512-1-wangliang74@huawei.com>
X-Mailer: git-send-email 2.51.0.858.gf9c4a03a3a-goog
Message-ID: <20251017055106.3603987-1-kuniyu@google.com>
Subject: Re: [PATCH net v2] net/smc: fix general protection fault in __smc_diag_dump
From: Kuniyuki Iwashima <kuniyu@google.com>
To: wangliang74@huawei.com
Cc: alibuda@linux.alibaba.com, davem@davemloft.net, dust.li@linux.alibaba.com, 
	edumazet@google.com, guwen@linux.alibaba.com, horms@kernel.org, 
	kuba@kernel.org, linux-kernel@vger.kernel.org, linux-rdma@vger.kernel.org, 
	linux-s390@vger.kernel.org, mjambigi@linux.ibm.com, netdev@vger.kernel.org, 
	pabeni@redhat.com, sidraya@linux.ibm.com, tonylu@linux.alibaba.com, 
	wenjia@linux.ibm.com, yuehaibing@huawei.com, zhangchangzhong@huawei.com, 
	Kuniyuki Iwashima <kuniyu@google.com>
Content-Type: text/plain; charset="UTF-8"

From: Wang Liang <wangliang74@huawei.com>
Date: Fri, 17 Oct 2025 10:48:27 +0800
> The syzbot report a crash:
> 
>   Oops: general protection fault, probably for non-canonical address 0xfbd5a5d5a0000003: 0000 [#1] SMP KASAN NOPTI
>   KASAN: maybe wild-memory-access in range [0xdead4ead00000018-0xdead4ead0000001f]
>   CPU: 1 UID: 0 PID: 6949 Comm: syz.0.335 Not tainted syzkaller #0 PREEMPT(full)
>   Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
>   RIP: 0010:smc_diag_msg_common_fill net/smc/smc_diag.c:44 [inline]
>   RIP: 0010:__smc_diag_dump.constprop.0+0x3ca/0x2550 net/smc/smc_diag.c:89
>   Call Trace:
>    <TASK>
>    smc_diag_dump_proto+0x26d/0x420 net/smc/smc_diag.c:217
>    smc_diag_dump+0x27/0x90 net/smc/smc_diag.c:234
>    netlink_dump+0x539/0xd30 net/netlink/af_netlink.c:2327
>    __netlink_dump_start+0x6d6/0x990 net/netlink/af_netlink.c:2442
>    netlink_dump_start include/linux/netlink.h:341 [inline]
>    smc_diag_handler_dump+0x1f9/0x240 net/smc/smc_diag.c:251
>    __sock_diag_cmd net/core/sock_diag.c:249 [inline]
>    sock_diag_rcv_msg+0x438/0x790 net/core/sock_diag.c:285
>    netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2552
>    netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
>    netlink_unicast+0x5a7/0x870 net/netlink/af_netlink.c:1346
>    netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1896
>    sock_sendmsg_nosec net/socket.c:714 [inline]
>    __sock_sendmsg net/socket.c:729 [inline]
>    ____sys_sendmsg+0xa95/0xc70 net/socket.c:2614
>    ___sys_sendmsg+0x134/0x1d0 net/socket.c:2668
>    __sys_sendmsg+0x16d/0x220 net/socket.c:2700
>    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
>    do_syscall_64+0xcd/0x4e0 arch/x86/entry/syscall_64.c:94
>    entry_SYSCALL_64_after_hwframe+0x77/0x7f
>    </TASK>
> 
> The process like this:
> 
>                (CPU1)              |             (CPU2)
>   ---------------------------------|-------------------------------
>   inet_create()                    |
>     // init clcsock to NULL        |
>     sk = sk_alloc()                |
>                                    |
>     // unexpectedly change clcsock |
>     inet_init_csk_locks()          |
>                                    |
>     // add sk to hash table        |
>     smc_inet_init_sock()           |
>       smc_sk_init()                |
>         smc_hash_sk()              |
>                                    | // traverse the hash table
>                                    | smc_diag_dump_proto
>                                    |   __smc_diag_dump()
>                                    |     // visit wrong clcsock
>                                    |     smc_diag_msg_common_fill()
>     // alloc clcsock               |
>     smc_create_clcsk               |
>       sock_create_kern             |
> 
> With CONFIG_DEBUG_LOCK_ALLOC=y, the smc->clcsock is unexpectedly changed
> in inet_init_csk_locks(). The INET_PROTOSW_ICSK flag is no need by smc,
> just remove it.
> 
> After removing the INET_PROTOSW_ICSK flag, this patch alse revert
> commit 6fd27ea183c2 ("net/smc: fix lacks of icsk_syn_mss with IPPROTO_SMC")
> to avoid casting smc_sock to inet_connection_sock.
> 
> Reported-by: syzbot+f775be4458668f7d220e@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=f775be4458668f7d220e
> Tested-by: syzbot+f775be4458668f7d220e@syzkaller.appspotmail.com

nit: looks like this diff is not tested by syzbot, you may
want to send diff to syzbot.


> Fixes: d25a92ccae6b ("net/smc: Introduce IPPROTO_SMC")
> Signed-off-by: Wang Liang <wangliang74@huawei.com>

Change itself looks good.

Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>

Thanks!