From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from out-183.mta0.migadu.com (out-183.mta0.migadu.com [91.218.175.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 307B61E9B1A for ; Sat, 7 Mar 2026 03:22:22 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=91.218.175.183 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1772853743; cv=none; b=juag/OkVHT6UACfh9Qm3vzEDpFrM/AouEhQz5xVvNuhzKMU+t/IgA7f6N5QTzzgekoYWD351tJHoCIwF1bcj9lMXOkA+5XacFhiDlIqtD0n+s+pNvBB2SANZ4p8m4xmbwxv3aBhy2rYkMFo97X7JF4DAzinxt+vEpg5H627u4fM= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1772853743; c=relaxed/simple; bh=VQwpztTD6X2+N2GcGFC+cfF0qdSug6p/2KKpCFyCe7Q=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=t+di/09aWp01xRP484l+gyOv/fFT2UJQ5ad6AP6gmUDpGP6uUk5vwuO6Syxi+6r91WWHiaX4tnFWZkYADVxtZX5LdZ1t99Nypk5Cv5Fif+URZ/m/lrZ3EBCPpDBnSCUuHK1GWHWCsD+k7WxyTQGIU3N1Q8OocPq6jQH9y+Ey51o= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev; spf=pass smtp.mailfrom=linux.dev; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b=HcKoFVbR; arc=none smtp.client-ip=91.218.175.183 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.dev Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b="HcKoFVbR" X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers. DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1; t=1772853730; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=QJBoqx1LHyd0/cvODH/iQXRMAkmqnF6l6wgjSb0JHZ0=; b=HcKoFVbRz57KHwAFkUutc+hPS9luMCnbkUmROaaPHfjaWWJT8en1f2qNtW+m4hW3QcRzWM rVQ0BYBLCZMYOXnAPaGh0JxjUiEyxo7rR3d6B4Lf6av/sd/rgct5SFnTL/qs2VKdzgS0Tk SQrOt6mUH9I0UsUi2khhjwpHggm06n8= From: Jiayuan Chen To: netdev@vger.kernel.org Cc: Jiayuan Chen , syzbot+827ae2bfb3a3529333e9@syzkaller.appspotmail.com, "D. Wythe" , Dust Li , Sidraya Jayagond , Wenjia Zhang , Mahanta Jambigi , Tony Lu , Wen Gu , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Simon Horman , linux-rdma@vger.kernel.org, linux-s390@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH net v1] net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock() Date: Sat, 7 Mar 2026 11:21:57 +0800 Message-ID: <20260307032158.372165-1-jiayuan.chen@linux.dev> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Migadu-Flow: FLOW_OUT Syzkaller reported a panic in smc_tcp_syn_recv_sock() [1]. smc_tcp_syn_recv_sock() is called in the TCP receive path (softirq) via icsk_af_ops->syn_recv_sock on the clcsock (TCP listening socket). It reads sk_user_data to get the smc_sock pointer. However, when the SMC listen socket is being closed concurrently, smc_close_active() sets clcsock->sk_user_data to NULL under sk_callback_lock, and then the smc_sock itself can be freed via sock_put() in smc_release(). This leads to two issues: 1) NULL pointer dereference: sk_user_data is NULL when accessed. 2) Use-after-free: sk_user_data is read as non-NULL, but the smc_sock is freed before its fields (e.g., queued_smc_hs, ori_af_ops) are accessed. The race window looks like this: CPU A (softirq) CPU B (process ctx) tcp_v4_rcv() TCP_NEW_SYN_RECV: sk = req->rsk_listener sock_hold(sk) /* No lock on listener */ smc_close_active(): write_lock_bh(cb_lock) sk_user_data = NULL write_unlock_bh(cb_lock) ... smc_clcsock_release() sock_put(smc->sk) x2 -> smc_sock freed! tcp_check_req() smc_tcp_syn_recv_sock(): smc = user_data(sk) -> NULL or dangling smc->queued_smc_hs -> crash! Note that the clcsock and smc_sock are two independent objects with separate refcounts. TCP stack holds a reference on the clcsock, which keeps it alive, but this does NOT prevent the smc_sock from being freed. Fix this by taking sk_callback_lock to read sk_user_data and then sock_hold(&smc->sk) under the lock to pin the smc_sock. The lock is released immediately after sock_hold(), rather than being held for the entire function, to avoid holding it across ori_af_ops->syn_recv_sock() which creates child sockets and could risk deadlocks with nested lock ordering. sock_put(&smc->sk) is called on all exit paths after the hold. [1] https://syzkaller.appspot.com/bug?extid=827ae2bfb3a3529333e9 Fixes: 8270d9c21041 ("net/smc: Limit backlog connections") Reported-by: syzbot+827ae2bfb3a3529333e9@syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/67eaf9b8.050a0220.3c3d88.004a.GAE@google.com/T/ Signed-off-by: Jiayuan Chen --- net/smc/af_smc.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c index d0119afcc6a1..21218b9b0f9a 100644 --- a/net/smc/af_smc.c +++ b/net/smc/af_smc.c @@ -131,7 +131,14 @@ static struct sock *smc_tcp_syn_recv_sock(const struct sock *sk, struct smc_sock *smc; struct sock *child; + read_lock_bh(&((struct sock *)sk)->sk_callback_lock); smc = smc_clcsock_user_data(sk); + if (!smc) { + read_unlock_bh(&((struct sock *)sk)->sk_callback_lock); + return NULL; + } + sock_hold(&smc->sk); + read_unlock_bh(&((struct sock *)sk)->sk_callback_lock); if (READ_ONCE(sk->sk_ack_backlog) + atomic_read(&smc->queued_smc_hs) > sk->sk_max_ack_backlog) @@ -153,11 +160,13 @@ static struct sock *smc_tcp_syn_recv_sock(const struct sock *sk, if (inet_csk(child)->icsk_af_ops == inet_csk(sk)->icsk_af_ops) inet_csk(child)->icsk_af_ops = smc->ori_af_ops; } + sock_put(&smc->sk); return child; drop: dst_release(dst); tcp_listendrop(sk); + sock_put(&smc->sk); return NULL; } -- 2.43.0