Date: Mon, 22 Jun 2026 20:11:30 +0800
X-Mailing-List: netdev@vger.kernel.org
Subject: Re: [PATCH net v2] net/smc: fix out-of-bounds read when sk_user_data holds a sk_psock
From: Jiayuan Chen
To: Sechang Lim, "D . Wythe", Dust Li, Sidraya Jayagond, Wenjia Zhang, "David S . Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni
Cc: Mahanta Jambigi, Tony Lu, Wen Gu, Simon Horman, Ursula Braun, Karsten Graul, Guvenc Gulce, linux-rdma@vger.kernel.org, linux-s390@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, bpf@vger.kernel.org
References: <20260619150342.3626224-1-rhkrqnwk98@gmail.com>
In-Reply-To: <20260619150342.3626224-1-rhkrqnwk98@gmail.com>

On 6/19/26 11:03 PM, Sechang Lim wrote:
> SMC stores its smc_sock in the clcsock's sk_user_data tagged
> SK_USER_DATA_NOCOPY and reads it back with smc_clcsock_user_data(), which
> only strips that flag. sockmap stores a sk_psock in the same field tagged
> SK_USER_DATA_NOCOPY | SK_USER_DATA_PSOCK. Nothing keeps both off one
> socket, and SMC then casts the sk_psock to an smc_sock.

How about SK_USER_DATA_BPF
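
The tag confusion the quoted commit message describes, modelled in userspace C as an added example (not code from the patch or the kernel tree). The flag values follow include/net/sock.h; the structs, globals and `user_data_checked()` are hypothetical stand-ins.

```c
/* Userspace model, added for illustration; not kernel code. Flag values follow
 * include/net/sock.h; the structs and user_data_checked() are hypothetical. */
#include <stdint.h>
#include <stdio.h>

#define SK_USER_DATA_NOCOPY 1UL
#define SK_USER_DATA_BPF    2UL
#define SK_USER_DATA_PSOCK  4UL
#define SK_USER_DATA_FLAGS  (SK_USER_DATA_NOCOPY | SK_USER_DATA_BPF | SK_USER_DATA_PSOCK)

struct smc_model   { _Alignas(8) long id; char rest[256]; }; /* stands in for smc_sock */
struct psock_model { _Alignas(8) int refcnt; };              /* stands in for sk_psock, smaller */
struct sock_model  { uintptr_t sk_user_data; };

static struct smc_model   g_smc   = { .id = 1 };
static struct psock_model g_psock = { .refcnt = 1 };

static void attach_smc(struct sock_model *sk, struct smc_model *s)
{ sk->sk_user_data = (uintptr_t)s | SK_USER_DATA_NOCOPY; }
static void attach_psock(struct sock_model *sk, struct psock_model *p)
{ sk->sk_user_data = (uintptr_t)p | SK_USER_DATA_NOCOPY | SK_USER_DATA_PSOCK; }

/* As described in the commit message: only NOCOPY is stripped, owner not checked. */
static void *user_data_strip_only(const struct sock_model *sk)
{
    return (void *)(sk->sk_user_data & ~SK_USER_DATA_NOCOPY);
}

/* Hypothetical hardened accessor: accept the value only if NOCOPY is the sole tag. */
static struct smc_model *user_data_checked(const struct sock_model *sk)
{
    uintptr_t v = sk->sk_user_data;
    if ((v & SK_USER_DATA_FLAGS) != SK_USER_DATA_NOCOPY)
        return NULL; /* tagged for sockmap/BPF, or untagged: not ours */
    return (struct smc_model *)(v & ~SK_USER_DATA_FLAGS);
}

int main(void)
{
    struct sock_model sk;
    attach_psock(&sk, &g_psock);
    printf("psock %p: strip-only %p, checked %p\n", (void *)&g_psock,
           user_data_strip_only(&sk), (void *)user_data_checked(&sk));
    attach_smc(&sk, &g_smc);
    printf("smc   %p: checked %p\n", (void *)&g_smc, (void *)user_data_checked(&sk));
    return 0;
}
```

With the psock attached, the strip-only accessor returns the psock address with the PSOCK bit still set, which a caller would treat as a much larger `smc_model`; the checked accessor returns NULL instead.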