syztest

From: Arnaud Lecomte
Date: Sun Jun 29 2025 - 09:35:26 EST

Next message: Lukas Wunner: "Re: [PATCH RFC] pci: report surprise removal events"
Previous message: Alan Stern: "Re: [PATCH] usb: gadget: m66592-udc: Ignore feature requests for EP0"
Next in thread: syzbot: "Re: [syzbot] [smc?] KASAN: null-ptr-deref Read in smc_tcp_syn_recv_sock"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

#syz test

--- a/net/smc/af_smc.c
+++ b/net/smc/af_smc.c
@@ -123,11 +123,14 @@ static struct sock *smc_tcp_syn_recv_sock(const struct sock *sk,
struct request_sock *req_unhash,
bool *own_req)
{
+ read_lock_bh(&((struct sock *)sk)->sk_callback_lock);
struct smc_sock *smc;
struct sock *child;
-
smc = smc_clcsock_user_data(sk);

+ if (!smc)
+ goto drop;
+
if (READ_ONCE(sk->sk_ack_backlog) + atomic_read(&smc->queued_smc_hs) >
sk->sk_max_ack_backlog)
goto drop;
@@ -148,9 +151,11 @@ static struct sock *smc_tcp_syn_recv_sock(const struct sock *sk,
if (inet_csk(child)->icsk_af_ops == inet_csk(sk)->icsk_af_ops)
inet_csk(child)->icsk_af_ops = smc->ori_af_ops;
}
+ read_unlock_bh(&((struct sock *)sk)->sk_callback_lock);
return child;

drop:
+ read_unlock_bh(&((struct sock *)sk)->sk_callback_lock);
dst_release(dst);
tcp_listendrop(sk);
return NULL;
@@ -2613,7 +2618,7 @@ int smc_listen(struct socket *sock, int backlog)
int rc;

smc = smc_sk(sk);
- lock_sock(sk);
+ lock_sock(sock->sk);

rc = -EINVAL;
if ((sk->sk_state != SMC_INIT && sk->sk_state != SMC_LISTEN) ||
--
2.43.0

Next message: Lukas Wunner: "Re: [PATCH RFC] pci: report surprise removal events"
Previous message: Alan Stern: "Re: [PATCH] usb: gadget: m66592-udc: Ignore feature requests for EP0"
Next in thread: syzbot: "Re: [syzbot] [smc?] KASAN: null-ptr-deref Read in smc_tcp_syn_recv_sock"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]