From: Xiang Mei
To: Sidraya Jayagond , "D . Wythe" , Dust Li , Wenjia Zhang , Mahanta Jambigi , Tony Lu , Wen Gu , netdev@vger.kernel.org
Cc: "David S . Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Simon Horman , Hans Wippel , linux-rdma@vger.kernel.org, linux-s390@vger.kernel.org, Weiming Shi , Xiang Mei
Subject: [PATCH net v2] net/smc: fix UAF in smc_cdc_rx_handler() by pinning the socket
Date: Tue, 30 Jun 2026 11:32:27 -0700
Message-ID: <20260630183227.2044998-1-xmei5@asu.edu>
X-Mailer: git-send-email 2.43.0
Precedence: bulk
X-Mailing-List: netdev@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

smc_cdc_rx_handler() looks up the connection by token under the link group's conns_lock, drops the lock, and then dereferences conn and the smc_sock derived from it, ending in sock_hold(&smc->sk) inside smc_cdc_msg_recv(). No reference is held across the lock release.

The only reference pinning the socket while the connection is discoverable in the link group is taken in smc_lgr_register_conn() (sock_hold) and dropped in __smc_lgr_unregister_conn() (sock_put), both under conns_lock. Once the handler drops conns_lock, a concurrent close() -> smc_release() -> smc_conn_free() -> smc_lgr_unregister_conn() can drop that reference and free the smc_sock, so the handler's later sock_hold() runs on freed memory:

WARNING: lib/refcount.c:25 at refcount_warn_saturate
Workqueue: rxe_wq do_work
refcount_warn_saturate (lib/refcount.c:25)
smc_cdc_msg_recv (net/smc/smc_cdc.c:430)
smc_cdc_rx_handler (net/smc/smc_cdc.c:502)
smc_wr_rx_tasklet_fn (net/smc/smc_wr.c:445)
tasklet_action_common (kernel/softirq.c:938)
handle_softirqs (kernel/softirq.c:622)
Kernel panic - not syncing: panic_on_warn set

Only SMC-R is affected. The SMC-D receive tasklet is stopped by tasklet_kill(&conn->rx_tsklet) in smc_conn_free() before the connection is unregistered, so it cannot run concurrently with the free.
Take the socket reference while still holding conns_lock, so the registration reference can no longer be the last one, and drop it once the handler is done. Fixes: d7b0e37c1ac1 ("net/smc: restructure CDC message reception") Reported-by: Weiming Shi Assisted-by: Claude:claude-opus-4-8 Signed-off-by: Xiang Mei --- v2: - Take the reference under conns_lock, and compute smc once - Initialize smc = NULL at declaration net/smc/smc_cdc.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/net/smc/smc_cdc.c b/net/smc/smc_cdc.c index 619b3bab3824..32d6d03df321 100644 --- a/net/smc/smc_cdc.c +++ b/net/smc/smc_cdc.c @@ -470,9 +470,9 @@ static void smc_cdc_rx_handler(struct ib_wc *wc, void *buf) { struct smc_link *link = (struct smc_link *)wc->qp->qp_context; struct smc_cdc_msg *cdc = buf; + struct smc_sock *smc = NULL; struct smc_connection *conn; struct smc_link_group *lgr; - struct smc_sock *smc; if (wc->byte_len < offsetof(struct smc_cdc_msg, reserved)) return; /* short message */ @@ -483,21 +483,26 @@ static void smc_cdc_rx_handler(struct ib_wc *wc, void *buf) lgr = smc_get_lgr(link); read_lock_bh(&lgr->conns_lock); conn = smc_lgr_find_conn(ntohl(cdc->token), lgr); - read_unlock_bh(&lgr->conns_lock); - if (!conn || conn->out_of_sync) + if (!conn || conn->out_of_sync) { + read_unlock_bh(&lgr->conns_lock); return; + } smc = container_of(conn, struct smc_sock, conn); + sock_hold(&smc->sk); + read_unlock_bh(&lgr->conns_lock); if (cdc->prod_flags.failover_validation) { smc_cdc_msg_validate(smc, cdc, link); - return; + goto out; } if (smc_cdc_before(ntohs(cdc->seqno), conn->local_rx_ctrl.seqno)) /* received seqno is old */ - return; + goto out; smc_cdc_msg_recv(smc, cdc); +out: + sock_put(&smc->sk); } static struct smc_wr_rx_handler smc_cdc_rx_handlers[] = { -- 2.43.0
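Review bot: the `= NULL` initializer in the first hunk (`struct smc_sock *smc = NULL;`) is dead: the only exit before `smc = container_of(conn, struct smc_sock, conn);` is the `if (!conn || conn->out_of_sync)` path, which unlocks and returns without reaching `out:`, and every `goto out` sits after the assignment, so `sock_put(&smc->sk)` never sees the NULL. It is harmless, but the v2 changelog entry "Initialize smc = NULL at declaration" gives no reason; if it was added to silence a specific compiler or static-checker warning, naming that warning in the changelog would stop the next reader from trying to remove it, and otherwise a plain `struct smc_sock *smc;` kept in reverse-xmas-tree position reads cleaner.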
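Review bot: in the second hunk the `sock_hold(&smc->sk);` is correctly placed before `read_unlock_bh(&lgr->conns_lock);`, which is exactly what makes the registration reference described in the commit message unable to be the last one, and taking a plain refcount increment under a read_lock_bh section is fine. One consequence worth a sentence in the commit message: the sock_hold()/sock_put() pair inside smc_cdc_msg_recv() (the frame at net/smc/smc_cdc.c:430 in the quoted trace) is now nested inside this outer reference and no longer protects anything on its own, which is correct but could mislead a later reader into treating the inner pair as the fix or removing the outer one as redundant. The two unlock sites (one on the early-exit path, one after the hold) are the right shape here, since the hold has to happen with the lock held, so no change is suggested there.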