Re: [PATCH net v5] net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock()

Next message: Pasha Tatashin: "[PATCH 0/6] liveupdate: Fix module unloading and unregister API"
Previous message: Daniel Almeida: "Re: [RFC PATCH 02/12] drm/dep: Add DRM dependency queue layer"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: patchwork-bot+netdevbpf

Date: Mon Mar 16 2026 - 22:50:52 EST

Hello:

This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@xxxxxxxxxx>:

On Thu, 12 Mar 2026 17:29:07 +0800 you wrote:
> From: Jiayuan Chen <jiayuan.chen@xxxxxxxxxx>
>
> Syzkaller reported a panic in smc_tcp_syn_recv_sock() [1].
>
> smc_tcp_syn_recv_sock() is called in the TCP receive path
> (softirq) via icsk_af_ops->syn_recv_sock on the clcsock (TCP
> listening socket). It reads sk_user_data to get the smc_sock
> pointer. However, when the SMC listen socket is being closed
> concurrently, smc_close_active() sets clcsock->sk_user_data
> to NULL under sk_callback_lock, and then the smc_sock itself
> can be freed via sock_put() in smc_release().
>
> [...]

Here is the summary with links:
- [net,v5] net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock()
https://git.kernel.org/netdev/net/c/6d5e4538364b

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html