From: Jiayuan Chen <jiayuan.chen@linux.dev>
To: Eric Dumazet <edumazet@google.com>
Cc: netdev@vger.kernel.org, Jiayuan Chen <jiayuan.chen@shopee.com>,
syzbot+827ae2bfb3a3529333e9@syzkaller.appspotmail.com,
"D. Wythe" <alibuda@linux.alibaba.com>,
Dust Li <dust.li@linux.alibaba.com>,
Sidraya Jayagond <sidraya@linux.ibm.com>,
Wenjia Zhang <wenjia@linux.ibm.com>,
Mahanta Jambigi <mjambigi@linux.ibm.com>,
Tony Lu <tonylu@linux.alibaba.com>,
Wen Gu <guwen@linux.alibaba.com>,
"David S. Miller" <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Simon Horman <horms@kernel.org>,
linux-rdma@vger.kernel.org, linux-s390@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH net v3] net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock()
Date: Tue, 10 Mar 2026 20:38:10 +0800
Message-ID: <270e708d-cb52-413c-860e-16945ae98012@linux.dev>
In-Reply-To: <CANn89iK-Kj7Gthff+Q8vSUDTYs9t6YZepm5uAv_2ZZJ4AkyxOw@mail.gmail.com>
On 3/10/26 8:13 PM, Eric Dumazet wrote:
> On Tue, Mar 10, 2026 at 1:01 PM Jiayuan Chen <jiayuan.chen@linux.dev> wrote:
>> From: Jiayuan Chen <jiayuan.chen@shopee.com>
>>
>> Syzkaller reported a panic in smc_tcp_syn_recv_sock() [1].
>>
>> smc_tcp_syn_recv_sock() is called in the TCP receive path
>> (softirq) via icsk_af_ops->syn_recv_sock on the clcsock (TCP
>> listening socket). It reads sk_user_data to get the smc_sock
>> pointer. However, when the SMC listen socket is being closed
>> concurrently, smc_close_active() sets clcsock->sk_user_data
>> to NULL under sk_callback_lock, and then the smc_sock itself
>> can be freed via sock_put() in smc_release().
>>
>> This leads to two issues:
>>
>> 1) NULL pointer dereference: sk_user_data is NULL when
>> accessed.
>> 2) Use-after-free: sk_user_data is read as non-NULL, but the
>> smc_sock is freed before its fields (e.g., queued_smc_hs,
>> ori_af_ops) are accessed.
>>
>> The race window looks like this:
>>
>> CPU A (softirq)                        CPU B (process ctx)
>>
>> tcp_v4_rcv()
>>   TCP_NEW_SYN_RECV:
>>     sk = req->rsk_listener
>>     sock_hold(sk)
>>     /* No lock on listener */
>>                                        smc_close_active():
>>                                          write_lock_bh(cb_lock)
>>                                          sk_user_data = NULL
>>                                          write_unlock_bh(cb_lock)
>>                                          ...
>>                                        smc_clcsock_release()
>>                                          sock_put(smc->sk) x2
>>                                          -> smc_sock freed!
>>   tcp_check_req()
>>     smc_tcp_syn_recv_sock():
>>       smc = user_data(sk)
>>       -> NULL or dangling
>>       smc->queued_smc_hs
>>       -> crash!
>>
>
>
>> diff --git a/net/smc/smc.h b/net/smc/smc.h
>> index 9e6af72784ba..8b3eabcdb542 100644
>> --- a/net/smc/smc.h
>> +++ b/net/smc/smc.h
>> @@ -342,8 +342,7 @@ static inline void smc_init_saved_callbacks(struct smc_sock *smc)
>>
>> static inline struct smc_sock *smc_clcsock_user_data(const struct sock *clcsk)
>> {
>> - return (struct smc_sock *)
>> - ((uintptr_t)clcsk->sk_user_data & ~SK_USER_DATA_NOCOPY);
>> + return (struct smc_sock *)rcu_dereference_sk_user_data(clcsk);
>> }
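Review bot: this hunk swaps the masked read for rcu_dereference_sk_user_data() inside the one helper that every smc_clcsock_user_data() caller shares, so it imposes an rcu_read_lock() requirement on all of them, not only on the softirq syn_recv path the fix targets; a separate smc_clcsock_user_data_rcu() helper for the callers known to run under RCU would leave the existing callers' locking untouched and let lockdep flag any that are converted without the lock. Note also that the hunk by itself only changes how the pointer is read: the NULL and freed-object cases from the commit message still have to be handled at the smc_tcp_syn_recv_sock() call site, which is outside this hunk.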
> Are you sure all smc_clcsock_user_data() callers hold rcu_read_lock() ?
> In order to avoid surprises, I would have added a new helper.
>
> static inline struct smc_sock *smc_clcsock_user_data_rcu(const struct
> sock *clcsk)
> ...
>
> to allow gradual conversion ?
>
> Thanks !
Sorry I missed that.
pw-bot: cr
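A constructed user-space model of the race in the quoted commit message, added here and not part of the patch or the thread: it replays both interleavings from the diagram, once against a bare pointer read (the reported code) and once against a read that NULL-checks and takes a reference under the callback lock. The struct layouts and the hold-under-cb_lock pattern are assumptions for illustration, not the logic of the merged fix.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed user-space model, not kernel code: a listening clcsock's
 * sk_user_data points at a refcounted smc_sock that the close path clears
 * and then drops, in the order shown in the race diagram. */
struct smc_sock { int refcnt; int queued_smc_hs; bool freed; };
struct clcsock  { struct smc_sock *sk_user_data; };  /* cb_lock assumed */
static void sock_put(struct smc_sock *smc)
{
    if (--smc->refcnt == 0)
        smc->freed = true;          /* stands in for the real free */
}
/* CPU B: smc_close_active() followed by smc_clcsock_release(). */
static void close_path(struct clcsock *clc, struct smc_sock *smc)
{
    clc->sk_user_data = NULL;       /* write_lock_bh(cb_lock) in the kernel */
    sock_put(smc);
    sock_put(smc);                  /* "sock_put(smc->sk) x2" */
}

/* CPU A hardened: NULL-check and hold under the same callback lock, so the
 * object cannot be freed between this read and the later field access. */
static struct smc_sock *acquire(struct clcsock *clc)
{
    struct smc_sock *smc = clc->sk_user_data;  /* read_lock(cb_lock) in kernel */
    if (!smc)
        return NULL;                /* listener is closing: fall back to TCP */
    smc->refcnt++;                  /* sock_hold() */
    return smc;
}

/* Replays one interleaving; true means the SYN path touched smc_sock safely.
 * hold=false is the reported code (bare pointer read, no check, no hold);
 * close_first=true is the NULL-deref ordering, false the use-after-free one. */
bool replay(bool hold, bool close_first)
{
    struct smc_sock smc = { .refcnt = 2, .queued_smc_hs = 1, .freed = false };
    struct clcsock clc = { .sk_user_data = &smc };
    struct smc_sock *p;
    if (close_first) close_path(&clc, &smc);
    p = hold ? acquire(&clc) : clc.sk_user_data;
    if (!close_first) close_path(&clc, &smc);
    if (!p) return hold;            /* only the hardened path checked for NULL */
    if (p->freed) return false;     /* p->queued_smc_hs here would be the UAF */
    (void)p->queued_smc_hs;
    if (hold) sock_put(p);          /* drop the reference taken in acquire() */
    return true;
}
```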