public inbox for netdev@vger.kernel.org
* [PATCH] net/smc: fix NULL pointer dereference in smc_tcp_syn_recv_sock
@ 2026-03-13 15:16 bsdhenrymartin
  2026-03-13 15:23 ` Eric Dumazet
  0 siblings, 1 reply; 2+ messages in thread
From: bsdhenrymartin @ 2026-03-13 15:16 UTC (permalink / raw)
  To: netdev, davem, kuba, pabeni, edumazet
  Cc: alibuda, dust.li, sidraya, wenjia, mjambigi, tonylu, guwen, horms,
	linux-rdma, linux-s390, linux-kernel, Henry Martin

From: Henry Martin <bsdhenrymartin@gmail.com>

smc_tcp_syn_recv_sock() gets the SMC listener through
smc_clcsock_user_data(sk), but then dereferences it unconditionally.

During concurrent teardown, sk_user_data can already be cleared while the
hooked syn_recv_sock path is still reached, leaving smc as NULL. This
causes a NULL pointer dereference at atomic_read(&smc->queued_smc_hs).

==================================================================
BUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:82 [inline]
BUG: KASAN: null-ptr-deref in atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
BUG: KASAN: null-ptr-deref in smc_tcp_syn_recv_sock+0xae/0x485 net/smc/af_smc.c:136
Read of size 4 at addr 00000000000006c0 by task syz.0.22477/59456

CPU: 0 UID: 0 PID: 59456 Comm: syz.0.22477 Not tainted 7.0.0-rc3 #1 PREEMPT(lazy) 
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0xad/0xf9 lib/dump_stack.c:120
 print_report+0x4c3/0x4d6 mm/kasan/report.c:485
 kasan_report+0xb3/0xe2 mm/kasan/report.c:595
 check_region_inline mm/kasan/generic.c:186 [inline]
 kasan_check_range+0x36/0x169 mm/kasan/generic.c:200
 __kasan_check_read+0x15/0x1b mm/kasan/shadow.c:31
 instrument_atomic_read include/linux/instrumented.h:82 [inline]
 atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
 smc_tcp_syn_recv_sock+0xae/0x485 net/smc/af_smc.c:136
 tcp_check_req+0x1713/0x1c6a net/ipv4/tcp_minisocks.c:927
 tcp_v6_rcv+0x11ca/0x22f7 net/ipv6/tcp_ipv6.c:1786
 ip6_protocol_deliver_rcu+0x380/0xd23 net/ipv6/ip6_input.c:438
 ip6_input_finish+0x32f/0x343 net/ipv6/ip6_input.c:489
 NF_HOOK include/linux/netfilter.h:318 [inline]
 NF_HOOK.constprop.0+0x160/0x1aa include/linux/netfilter.h:312
 ip6_input+0x83/0x98 net/ipv6/ip6_input.c:500
 dst_input+0x72/0xb4 include/net/dst.h:480
 ip6_rcv_finish net/ipv6/ip6_input.c:79 [inline]
 ip6_rcv_finish+0x3b/0x50 net/ipv6/ip6_input.c:69
 NF_HOOK include/linux/netfilter.h:318 [inline]
 NF_HOOK.constprop.0+0x160/0x1aa include/linux/netfilter.h:312
 ipv6_rcv+0xa5/0xbe net/ipv6/ip6_input.c:311
 __netif_receive_skb_one_core+0x146/0x1d9 net/core/dev.c:6164
 __netif_receive_skb+0xee/0x102 net/core/dev.c:6277
 process_backlog+0xf9/0x37f net/core/dev.c:6628
 __napi_poll.constprop.0+0xbc/0x361 net/core/dev.c:7692
 napi_poll net/core/dev.c:7755 [inline]
 net_rx_action+0x47f/0x974 net/core/dev.c:7912
 handle_softirqs+0x21c/0x488 kernel/softirq.c:622
 __do_softirq+0x14/0x1a kernel/softirq.c:656
 do_softirq kernel/softirq.c:523 [inline]
 do_softirq+0x50/0x71 kernel/softirq.c:510
 </IRQ>
 <TASK>
 __local_bh_enable_ip+0x46/0x62 kernel/softirq.c:450
 local_bh_enable+0x1a/0x20 include/linux/bottom_half.h:33
 rcu_read_unlock_bh include/linux/rcupdate.h:924 [inline]
 __dev_queue_xmit+0x1c6a/0x1cca net/core/dev.c:4873
 dev_queue_xmit include/linux/netdevice.h:3384 [inline]
 neigh_hh_output include/net/neighbour.h:540 [inline]
 neigh_output include/net/neighbour.h:554 [inline]
 ip6_finish_output2+0x1189/0x11e2 net/ipv6/ip6_output.c:136
 __ip6_finish_output+0x3f6/0x430 net/ipv6/ip6_output.c:208
 ip6_finish_output net/ipv6/ip6_output.c:219 [inline]
 NF_HOOK_COND include/linux/netfilter.h:307 [inline]
 ip6_output+0x25f/0x2c9 net/ipv6/ip6_output.c:246
 dst_output+0x84/0xd6 include/net/dst.h:470
 NF_HOOK include/linux/netfilter.h:318 [inline]
 NF_HOOK.constprop.0+0x76/0x94 include/linux/netfilter.h:312
 ip6_xmit+0xc0b/0xd41 net/ipv6/ip6_output.c:358
 inet6_csk_xmit+0x326/0x34c net/ipv6/inet6_connection_sock.c:115
 __tcp_transmit_skb+0x2e73/0x326b net/ipv4/tcp_output.c:1693
 __tcp_send_ack net/ipv4/tcp_output.c:4503 [inline]
 __tcp_send_ack+0x3a3/0x3b8 net/ipv4/tcp_output.c:4464
 tcp_send_ack_reflect_ect+0x122/0x12d net/ipv4/tcp_input.c:4038
 tcp_rcv_synsent_state_process net/ipv4/tcp_input.c:7021 [inline]
 tcp_rcv_state_process+0x19e9/0x390d net/ipv4/tcp_input.c:7215
 tcp_v6_do_rcv+0x7b8/0xdca net/ipv6/tcp_ipv6.c:1616
 sk_backlog_rcv+0xba/0x104 include/net/sock.h:1185
 __release_sock+0xea/0x181 net/core/sock.c:3213
 release_sock+0x62/0x188 net/core/sock.c:3795
 inet_wait_for_connect net/ipv4/af_inet.c:611 [inline]
 __inet_stream_connect+0x791/0xae8 net/ipv4/af_inet.c:705
 inet_stream_connect+0x66/0xa2 net/ipv4/af_inet.c:750
 kernel_connect+0x102/0x13e net/socket.c:3634
 smc_connect+0x3b3/0x54c net/smc/af_smc.c:1699
 __sys_connect_file+0x15e/0x177 net/socket.c:2089
 __sys_connect+0xf5/0x14a net/socket.c:2108
 __do_sys_connect net/socket.c:2114 [inline]
 __se_sys_connect net/socket.c:2111 [inline]
 __x64_sys_connect+0x8d/0x9a net/socket.c:2111
 x64_sys_call+0x27d/0x2105 arch/x86/include/generated/asm/syscalls_64.h:43
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x1b3/0x420 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fc7601a576d
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fc761151018 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 00007fc760425fa0 RCX: 00007fc7601a576d
RDX: 000000000000001c RSI: 0000200000000000 RDI: 0000000000000004
RBP: 00007fc76024c5fe R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fc760426038 R14: 00007fc760425fa0 R15: 00007fc76054f900
 </TASK>
==================================================================

Fix it by checking smc before accessing queued_smc_hs and dropping the
request when the SMC context is gone.

This issue was co-discovered by Wu Yangyang.

Fixes: 8270d9c21041 ("net/smc: Limit backlog connections")
Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com>
---
 net/smc/af_smc.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
index d0119afcc6a1..bb8966eeb332 100644
--- a/net/smc/af_smc.c
+++ b/net/smc/af_smc.c
@@ -132,6 +132,8 @@ static struct sock *smc_tcp_syn_recv_sock(const struct sock *sk,
 	struct sock *child;
 
 	smc = smc_clcsock_user_data(sk);
+	if (!smc)
+		goto drop;
 
 	if (READ_ONCE(sk->sk_ack_backlog) + atomic_read(&smc->queued_smc_hs) >
 				sk->sk_max_ack_backlog)
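Review bot: the NULL check stops the crash but does not close the race the commit message describes: between `smc = smc_clcsock_user_data(sk);` and the `atomic_read(&smc->queued_smc_hs)` on the next line the listener's sk_user_data can still be cleared and the smc_sock freed, so a non-NULL `smc` at the check is no guarantee it is valid at the dereference. Please say in the commit message what serializes teardown against this callback (holding the listener's socket lock, or restoring the original syn_recv_sock before sk_user_data is cleared), or address the ordering on the teardown side instead. The hunk also relies on the existing `drop:` label in this function, which lies outside the shown context; a short note that the label returns NULL for the request (as the commit message implies) would let readers follow the diff alone.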
-- 
2.43.0


* Re: [PATCH] net/smc: fix NULL pointer dereference in smc_tcp_syn_recv_sock
  2026-03-13 15:16 [PATCH] net/smc: fix NULL pointer dereference in smc_tcp_syn_recv_sock bsdhenrymartin
@ 2026-03-13 15:23 ` Eric Dumazet
  0 siblings, 0 replies; 2+ messages in thread
From: Eric Dumazet @ 2026-03-13 15:23 UTC (permalink / raw)
  To: bsdhenrymartin
  Cc: netdev, davem, kuba, pabeni, alibuda, dust.li, sidraya, wenjia,
	mjambigi, tonylu, guwen, horms, linux-rdma, linux-s390,
	linux-kernel

On Fri, Mar 13, 2026 at 4:16 PM <bsdhenrymartin@gmail.com> wrote:
>
> From: Henry Martin <bsdhenrymartin@gmail.com>
>
> smc_tcp_syn_recv_sock() gets the SMC listener through
> smc_clcsock_user_data(sk), but then dereferences it unconditionally.
>
> During concurrent teardown, sk_user_data can already be cleared while the
> hooked syn_recv_sock path is still reached, leaving smc as NULL. This
> causes a NULL pointer dereference at atomic_read(&smc->queued_smc_hs).

https://lkml.org/lkml/2026/3/11/173

