Received: by 2002:a05:7412:b995:b0:f9:9502:5bb8 with SMTP id it21csp3875813rdb; Thu, 28 Dec 2023 03:03:06 -0800 (PST) X-Google-Smtp-Source: AGHT+IGm4jqTOrtyPCDq4xJZygKMxI7ecvcq5XsrF+0Luara6o1xN7vWDi8Dsa1Zr2D43ZzNCAWt X-Received: by 2002:ad4:5b8b:0:b0:67f:6632:e34b with SMTP id 11-20020ad45b8b000000b0067f6632e34bmr14650284qvp.95.1703761386477; Thu, 28 Dec 2023 03:03:06 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1703761386; cv=none; d=google.com; s=arc-20160816; b=YkRXWVGbzBmMHPJ/Rg7dRdOFyc7TjekBW0RptAZ+jZq6XF36/t+p1VFNHDHTPjvbt3 CS0Q19Ysc+wZvVrna6KqPznUWALfRHe/67w8ecfQXFP74D7pchwYgvrwYhQI/i5G9ULc UA+AW27d8VxfzEg8MdIXW1tOYZIqSp6aqKZLiU5/6zJAmRA9YQQc8UcgvH6+9HdUmpkx gkCZjtItgdeuMGAzpqkw/L3ItzYHP51jR00xeA2FdTr+dn/n/UoYKSLt4wmmS+PFuahr F7hDPgC5n6Ra3Rg5k9wHxB5rJFb4X8EVUyINxklHVki7krN9ziTSXszcerUU1b2dhg6n 5fEQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:in-reply-to:from:references:cc:to:subject :user-agent:mime-version:list-unsubscribe:list-subscribe:list-id :precedence:date:message-id; bh=mDIQwIxA0PpEiLASd8sq/cY534THfAC6sNzx6az0MJE=; fh=KHh/BbtaWgPcNCpfMgnshaJgyk9zrecgnicYwAAiKZQ=; b=jpAnyvUaQhPGw+T+fnsYFUODzyq5/2oqaig1ZbAl1eGpBDzNgSm3GkVwH2iIBP08uy p9qS3dZFqpsnjZ1wmIDZnfT+tDyAYM6nwFEyCkaKWGd5y16XSemXOuXYH/McspRAu0jh lPqA0BwGpz1W+YcjMi7FYFwqi3GdZ4k7XPkX7IbKHEowkxmXguJauSEMst6YjbYv2ojm FBSRDNZSU2rBsIxqtLIxY0W2f9xS9KPGHxLOtrOk+4rfmrBCMDUCQT01napEW0vNYo2a Vq0FooVkRJHE4m4W1TZyuEvKKxzk/ZKCA1TuAJZUY629Nuj4mSCbfbXdBqOvbyuRgWaz /X9Q== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel+bounces-12602-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-kernel+bounces-12602-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=alibaba.com Return-Path: Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [147.75.199.223]) by mx.google.com with ESMTPS id gu15-20020a056214260f00b006801adc03a3si7429464qvb.342.2023.12.28.03.03.06 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 28 Dec 2023 03:03:06 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-12602-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) client-ip=147.75.199.223; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel+bounces-12602-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-kernel+bounces-12602-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=alibaba.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id 3F8D61C22891 for ; Thu, 28 Dec 2023 11:03:06 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 830827498; Thu, 28 Dec 2023 11:02:45 +0000 (UTC) X-Original-To: linux-kernel@vger.kernel.org Received: from out30-119.freemail.mail.aliyun.com (out30-119.freemail.mail.aliyun.com [115.124.30.119]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6C0A56FDF; Thu, 28 Dec 2023 11:02:41 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.alibaba.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.alibaba.com X-Alimail-AntiSpam:AC=PASS;BC=-1|-1;BR=01201311R171e4;CH=green;DM=||false|;DS=||;FP=0|-1|-1|-1|0|-1|-1|-1;HT=ay29a033018046050;MF=guwen@linux.alibaba.com;NM=1;PH=DS;RN=12;SR=0;TI=SMTPD_---0VzOHWBq_1703761352; Received: from 30.221.131.93(mailfrom:guwen@linux.alibaba.com fp:SMTPD_---0VzOHWBq_1703761352) by smtp.aliyun-inc.com; Thu, 28 Dec 2023 19:02:34 +0800 Message-ID: Date: Thu, 28 Dec 2023 19:02:31 +0800 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Thunderbird/102.15.1 Subject: Re: [PATCH net] net/smc: fix invalid link access in dumping SMC-R connections To: Tony Lu Cc: wenjia@linux.ibm.com, jaka@linux.ibm.com, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, alibuda@linux.alibaba.com, ubraun@linux.vnet.ibm.com, linux-s390@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org References: <1703662835-53416-1-git-send-email-guwen@linux.alibaba.com> From: Wen Gu In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit On 2023/12/28 17:32, Tony Lu wrote: > On Wed, Dec 27, 2023 at 03:40:35PM +0800, Wen Gu wrote: >> A crash was found when dumping SMC-R connections. It can be reproduced >> by following steps: >> >> - environment: two RNICs on both sides. >> - run SMC-R between two sides, now a SMC_LGR_SYMMETRIC type link group >> will be created. >> - set the first RNIC down on either side and link group will turn to >> SMC_LGR_ASYMMETRIC_LOCAL then. >> - run 'smcss -R' and the crash will be triggered. >> >> BUG: kernel NULL pointer dereference, address: 0000000000000010 >> #PF: supervisor read access in kernel mode >> #PF: error_code(0x0000) - not-present page >> PGD 8000000101fdd067 P4D 8000000101fdd067 PUD 10ce46067 PMD 0 >> Oops: 0000 [#1] PREEMPT SMP PTI >> CPU: 3 PID: 1810 Comm: smcss Kdump: loaded Tainted: G W E 6.7.0-rc6+ #51 >> RIP: 0010:__smc_diag_dump.constprop.0+0x36e/0x620 [smc_diag] >> Call Trace: >> >> ? __die+0x24/0x70 >> ? page_fault_oops+0x66/0x150 >> ? exc_page_fault+0x69/0x140 >> ? asm_exc_page_fault+0x26/0x30 >> ? __smc_diag_dump.constprop.0+0x36e/0x620 [smc_diag] >> smc_diag_dump_proto+0xd0/0xf0 [smc_diag] >> smc_diag_dump+0x26/0x60 [smc_diag] >> netlink_dump+0x19f/0x320 >> __netlink_dump_start+0x1dc/0x300 >> smc_diag_handler_dump+0x6a/0x80 [smc_diag] >> ? __pfx_smc_diag_dump+0x10/0x10 [smc_diag] >> sock_diag_rcv_msg+0x121/0x140 >> ? __pfx_sock_diag_rcv_msg+0x10/0x10 >> netlink_rcv_skb+0x5a/0x110 >> sock_diag_rcv+0x28/0x40 >> netlink_unicast+0x22a/0x330 >> netlink_sendmsg+0x240/0x4a0 >> __sock_sendmsg+0xb0/0xc0 >> ____sys_sendmsg+0x24e/0x300 >> ? copy_msghdr_from_user+0x62/0x80 >> ___sys_sendmsg+0x7c/0xd0 >> ? __do_fault+0x34/0x1a0 >> ? do_read_fault+0x5f/0x100 >> ? do_fault+0xb0/0x110 >> __sys_sendmsg+0x4d/0x80 >> do_syscall_64+0x45/0xf0 >> entry_SYSCALL_64_after_hwframe+0x6e/0x76 >> >> When the first RNIC is set down, the lgr->lnk[0] will be cleared and an >> asymmetric link will be allocated in lgr->link[SMC_LINKS_PER_LGR_MAX - 1] >> by smc_llc_alloc_alt_link(). Then when we try to dump SMC-R connections >> in __smc_diag_dump(), the invalid lgr->lnk[0] will be accessed, resulting >> in this issue. So fix it by accessing the right link. >> >> Fixes: f16a7dd5cf27 ("smc: netlink interface for SMC sockets") >> Reported-by: henaumars >> Closes: https://bugzilla.openanolis.cn/show_bug.cgi?id=7616 > > What about using Link: http... here? > Thank you, Tony. According to [1], " The Reported-by tag gives credit to people who find bugs and report them and it hopefully inspires them to help us again in the future. The tag is intended for bugs; please do not use it to credit feature requests. The tag should be followed by a Closes: tag pointing to the report, unless the report is not available on the web. The Link: tag can be used instead of Closes: if the patch fixes a part of the issue(s) being reported. " So I guess the Closes: tag is fine here. [1] https://docs.kernel.org/process/submitting-patches.html >> Signed-off-by: Wen Gu > > Reviewed-by: Tony Lu > >> --- >> net/smc/smc_diag.c | 3 +-- >> 1 file changed, 1 insertion(+), 2 deletions(-) >> >> diff --git a/net/smc/smc_diag.c b/net/smc/smc_diag.c >> index a584613aca12..5cc376834c57 100644 >> --- a/net/smc/smc_diag.c >> +++ b/net/smc/smc_diag.c >> @@ -153,8 +153,7 @@ static int __smc_diag_dump(struct sock *sk, struct sk_buff *skb, >> .lnk[0].link_id = link->link_id, >> }; >> >> - memcpy(linfo.lnk[0].ibname, >> - smc->conn.lgr->lnk[0].smcibdev->ibdev->name, >> + memcpy(linfo.lnk[0].ibname, link->smcibdev->ibdev->name, >> sizeof(link->smcibdev->ibdev->name)); >> smc_gid_be16_convert(linfo.lnk[0].gid, link->gid); >> smc_gid_be16_convert(linfo.lnk[0].peer_gid, link->peer_gid); >> -- >> 2.43.0