[PATCH net 1/1] net/smc: avoid early lgr access in smc_clc_wait_msg

[PATCH net 1/1] net/smc: avoid early lgr access in smc_clc_wait_msg

[Ren Wei]

From: Ruijie Li <ruijieli51@gmail.com>

A CLC decline can be received while the handshake is still in an early
stage, before the connection has been associated with a link group.

The decline handling in smc_clc_wait_msg() updates link-group level sync
state for first-contact declines, but that state only exists after link
group setup has completed. Guard the link-group update accordingly and
keep the per-socket peer diagnosis handling unchanged.

This preserves the existing sync_err handling for established link-group
contexts and avoids touching link-group state before it is available.

Fixes: 0cfdd8f92cac ("smc: connection and link group creation")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Ruijie Li <ruijieli51@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
---
 net/smc/smc_clc.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/smc/smc_clc.c b/net/smc/smc_clc.c
index c38fc7bf0a7e..014d527d5462 100644
--- a/net/smc/smc_clc.c
+++ b/net/smc/smc_clc.c
@@ -788,8 +788,8 @@ int smc_clc_wait_msg(struct smc_sock *smc, void *buf, int buflen,
 		dclc = (struct smc_clc_msg_decline *)clcm;
 		reason_code = SMC_CLC_DECL_PEERDECL;
 		smc->peer_diagnosis = ntohl(dclc->peer_diagnosis);
-		if (((struct smc_clc_msg_decline *)buf)->hdr.typev2 &
-						SMC_FIRST_CONTACT_MASK) {
+		if ((dclc->hdr.typev2 & SMC_FIRST_CONTACT_MASK) &&
+		    smc->conn.lgr) {
 			smc->conn.lgr->sync_err = 1;
 			smc_lgr_terminate_sched(smc->conn.lgr);
 		}
-- 
2.34.1

Re: [PATCH net 1/1] net/smc: avoid early lgr access in smc_clc_wait_msg

[Dust Li]

On 2026-04-22 23:40:18, Ren Wei wrote:
>From: Ruijie Li <ruijieli51@gmail.com>
>
>A CLC decline can be received while the handshake is still in an early
>stage, before the connection has been associated with a link group.
>
>The decline handling in smc_clc_wait_msg() updates link-group level sync
>state for first-contact declines, but that state only exists after link
>group setup has completed. Guard the link-group update accordingly and
>keep the per-socket peer diagnosis handling unchanged.
>
>This preserves the existing sync_err handling for established link-group
>contexts and avoids touching link-group state before it is available.
>
>Fixes: 0cfdd8f92cac ("smc: connection and link group creation")
>Cc: stable@kernel.org
>Reported-by: Yuan Tan <yuantan098@gmail.com>
>Reported-by: Yifan Wu <yifanwucs@gmail.com>
>Reported-by: Juefei Pu <tomapufckgml@gmail.com>
>Reported-by: Xin Liu <bird@lzu.edu.cn>
>Signed-off-by: Ruijie Li <ruijieli51@gmail.com>
>Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>


Reviewed-by: Dust Li <dust.li@linux.alibaba.com>

Best regards,
Dust

>---
> net/smc/smc_clc.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
>diff --git a/net/smc/smc_clc.c b/net/smc/smc_clc.c
>index c38fc7bf0a7e..014d527d5462 100644
>--- a/net/smc/smc_clc.c
>+++ b/net/smc/smc_clc.c
>@@ -788,8 +788,8 @@ int smc_clc_wait_msg(struct smc_sock *smc, void *buf, int buflen,
> 		dclc = (struct smc_clc_msg_decline *)clcm;
> 		reason_code = SMC_CLC_DECL_PEERDECL;
> 		smc->peer_diagnosis = ntohl(dclc->peer_diagnosis);
>-		if (((struct smc_clc_msg_decline *)buf)->hdr.typev2 &
>-						SMC_FIRST_CONTACT_MASK) {
>+		if ((dclc->hdr.typev2 & SMC_FIRST_CONTACT_MASK) &&
>+		    smc->conn.lgr) {
> 			smc->conn.lgr->sync_err = 1;
> 			smc_lgr_terminate_sched(smc->conn.lgr);
> 		}
>-- 
>2.34.1