[syzbot] [net?] [s390?] general protection fault in smc_diag_dump_proto

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit: d7e78951a8b8 Merge tag 'net-6.11-rc0' of git://git.kernel...
git tree: net-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=173cfd3d980000
kernel config: https://syzkaller.appspot.com/x/.config?x=a6f4e2cb79bdcd45
dashboard link: https://syzkaller.appspot.com/bug?extid=f69bfae0a4eb29976e44
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15900a9d980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1008b645980000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/6b22bae2c3c1/disk-d7e78951.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/37db35e4bb64/vmlinux-d7e78951.xz
kernel image: https://storage.googleapis.com/syzbot-assets/3e489cf2c28e/bzImage-d7e78951.xz

Bisection is inconclusive: the first bad commit could be any of:

5bcd9a0a5995 wifi: brcm80211: remove unused structs
f29dcae96ec8 Merge tag 'rtw-next-2024-06-04' of https://github.com/pkshih/rtw

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=17196f19980000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f69bfa...@syzkaller.appspotmail.com

Oops: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 1 PID: 6338 Comm: syz-executor175 Not tainted 6.10.0-syzkaller-09703-gd7e78951a8b8 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
RIP: 0010:smc_diag_msg_common_fill net/smc/smc_diag.c:44 [inline]
RIP: 0010:__smc_diag_dump net/smc/smc_diag.c:89 [inline]
RIP: 0010:smc_diag_dump_proto+0x709/0x3270 net/smc/smc_diag.c:217
Code: 08 48 89 df e8 f8 0d 9d f6 48 8b 44 24 28 4c 8d 68 14 48 8b 1b 48 83 c3 0e 48 89 d8 48 c1 e8 03 49 bf 00 00 00 00 00 fc ff df <42> 0f b6 04 38 84 c0 0f 85 46 1b 00 00 0f b7 1b 66 c1 c3 08 4c 89
RSP: 0018:ffffc90009d56b00 EFLAGS: 00010203
RAX: 0000000000000001 RBX: 000000000000000e RCX: ffff88807c439e00
RDX: 0000000000000000 RSI: 0000000080000001 RDI: 0000000000000000
RBP: ffffc90009d56f90 R08: ffffffff8990c562 R09: 1ffff11005a1084b
R10: dffffc0000000000 R11: ffffed1005a1084c R12: 1ffff11005a108e0
R13: ffff88801f600014 R14: ffff88802d084200 R15: dffffc0000000000
FS: 00007f92fcb0b6c0(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f92fcb0bd58 CR3: 000000002290e000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
smc_diag_dump+0x59/0xa0 net/smc/smc_diag.c:236
netlink_dump+0x647/0xd80 net/netlink/af_netlink.c:2325
__netlink_dump_start+0x59f/0x780 net/netlink/af_netlink.c:2440
netlink_dump_start include/linux/netlink.h:339 [inline]
smc_diag_handler_dump+0x1ab/0x250 net/smc/smc_diag.c:251
sock_diag_rcv_msg+0x3dc/0x5f0
netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2550
netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]
netlink_unicast+0x7f0/0x990 net/netlink/af_netlink.c:1357
netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1901
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x221/0x270 net/socket.c:745
sock_sendmsg+0x134/0x200 net/socket.c:768
splice_to_socket+0xa13/0x10b0 fs/splice.c:889
do_splice_from fs/splice.c:941 [inline]
do_splice+0xd77/0x1900 fs/splice.c:1354
__do_splice fs/splice.c:1436 [inline]
__do_sys_splice fs/splice.c:1652 [inline]
__se_sys_splice+0x331/0x4a0 fs/splice.c:1634
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f92fcb924d9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f92fcb0b218 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
RAX: ffffffffffffffda RBX: 00007f92fcb0b6c0 RCX: 00007f92fcb924d9
RDX: 0000000000000005 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00007f92fcc1c348 R08: 0000000080000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f92fcc1c340
R13: 00007f92fcbe9074 R14: 00007ffd7bd61c20 R15: 00007ffd7bd61d08
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:smc_diag_msg_common_fill net/smc/smc_diag.c:44 [inline]
RIP: 0010:__smc_diag_dump net/smc/smc_diag.c:89 [inline]
RIP: 0010:smc_diag_dump_proto+0x709/0x3270 net/smc/smc_diag.c:217
Code: 08 48 89 df e8 f8 0d 9d f6 48 8b 44 24 28 4c 8d 68 14 48 8b 1b 48 83 c3 0e 48 89 d8 48 c1 e8 03 49 bf 00 00 00 00 00 fc ff df <42> 0f b6 04 38 84 c0 0f 85 46 1b 00 00 0f b7 1b 66 c1 c3 08 4c 89
RSP: 0018:ffffc90009d56b00 EFLAGS: 00010203
RAX: 0000000000000001 RBX: 000000000000000e RCX: ffff88807c439e00
RDX: 0000000000000000 RSI: 0000000080000001 RDI: 0000000000000000
RBP: ffffc90009d56f90 R08: ffffffff8990c562 R09: 1ffff11005a1084b
R10: dffffc0000000000 R11: ffffed1005a1084c R12: 1ffff11005a108e0
R13: ffff88801f600014 R14: ffff88802d084200 R15: dffffc0000000000
FS: 00007f92fcb0b6c0(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f92fcb0bd58 CR3: 000000002290e000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 08 48 89 or %cl,-0x77(%rax)
3: df e8 fucomip %st(0),%st
5: f8 clc
6: 0d 9d f6 48 8b or $0x8b48f69d,%eax
b: 44 24 28 rex.R and $0x28,%al
e: 4c 8d 68 14 lea 0x14(%rax),%r13
12: 48 8b 1b mov (%rbx),%rbx
15: 48 83 c3 0e add $0xe,%rbx
19: 48 89 d8 mov %rbx,%rax
1c: 48 c1 e8 03 shr $0x3,%rax
20: 49 bf 00 00 00 00 00 movabs $0xdffffc0000000000,%r15
27: fc ff df
* 2a: 42 0f b6 04 38 movzbl (%rax,%r15,1),%eax <-- trapping instruction
2f: 84 c0 test %al,%al
31: 0f 85 46 1b 00 00 jne 0x1b7d
37: 0f b7 1b movzwl (%rbx),%ebx
3a: 66 c1 c3 08 rol $0x8,%bx
3e: 4c rex.WR
3f: 89 .byte 0x89


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

[Lizhi Xu]

out already closed

#syz test: net-next d7e78951a8b8

diff --git a/fs/splice.c b/fs/splice.c
index 60aed8de21f8..67a5965c0793 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -1647,7 +1647,7 @@ SYSCALL_DEFINE6(splice, int, fd_in, loff_t __user *, off_in,
error = -EBADF;
in = fdget(fd_in);
if (in.file) {
- out = fdget(fd_out);
+ out = fdget_raw(fd_out);
if (out.file) {
error = __do_splice(in.file, off_in, out.file, off_out,
len, flags);

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in smc_diag_dump_proto

Oops: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]

CPU: 0 PID: 6159 Comm: syz.0.21 Not tainted 6.10.0-syzkaller-09703-gd7e78951a8b8-dirty #0

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
RIP: 0010:smc_diag_msg_common_fill net/smc/smc_diag.c:44 [inline]
RIP: 0010:__smc_diag_dump net/smc/smc_diag.c:89 [inline]
RIP: 0010:smc_diag_dump_proto+0x709/0x3270 net/smc/smc_diag.c:217
Code: 08 48 89 df e8 f8 0d 9d f6 48 8b 44 24 28 4c 8d 68 14 48 8b 1b 48 83 c3 0e 48 89 d8 48 c1 e8 03 49 bf 00 00 00 00 00 fc ff df <42> 0f b6 04 38 84 c0 0f 85 46 1b 00 00 0f b7 1b 66 c1 c3 08 4c 89

RSP: 0018:ffffc9000358eb00 EFLAGS: 00010203
RAX: 0000000000000001 RBX: 000000000000000e RCX: ffff888069659e00

RDX: 0000000000000000 RSI: 0000000080000001 RDI: 0000000000000000

RBP: ffffc9000358ef90 R08: ffffffff8990c562 R09: 1ffff1100eef084b
R10: dffffc0000000000 R11: ffffed100eef084c R12: 1ffff1100eef08e0
R13: ffff8880777f0014 R14: ffff888077784200 R15: dffffc0000000000
FS: 00007fddae9ea6c0(0000) GS:ffff8880b9200000(0000) knlGS:0000000000000000

CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033

CR2: 00007fddae9e9fa8 CR3: 00000000736f2000 CR4: 00000000003506f0

RIP: 0033:0x7fddadb75f19
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fddae9ea048 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
RAX: ffffffffffffffda RBX: 00007fddadd06038 RCX: 00007fddadb75f19

RDX: 0000000000000005 RSI: 0000000000000000 RDI: 0000000000000003

RBP: 00007fddadbe4e68 R08: 0000000080000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000006e R14: 00007fddadd06038 R15: 00007ffc243501f8

</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:smc_diag_msg_common_fill net/smc/smc_diag.c:44 [inline]
RIP: 0010:__smc_diag_dump net/smc/smc_diag.c:89 [inline]
RIP: 0010:smc_diag_dump_proto+0x709/0x3270 net/smc/smc_diag.c:217
Code: 08 48 89 df e8 f8 0d 9d f6 48 8b 44 24 28 4c 8d 68 14 48 8b 1b 48 83 c3 0e 48 89 d8 48 c1 e8 03 49 bf 00 00 00 00 00 fc ff df <42> 0f b6 04 38 84 c0 0f 85 46 1b 00 00 0f b7 1b 66 c1 c3 08 4c 89

RSP: 0018:ffffc9000358eb00 EFLAGS: 00010203
RAX: 0000000000000001 RBX: 000000000000000e RCX: ffff888069659e00

RDX: 0000000000000000 RSI: 0000000080000001 RDI: 0000000000000000

RBP: ffffc9000358ef90 R08: ffffffff8990c562 R09: 1ffff1100eef084b
R10: dffffc0000000000 R11: ffffed100eef084c R12: 1ffff1100eef08e0
R13: ffff8880777f0014 R14: ffff888077784200 R15: dffffc0000000000
FS: 00007fddae9ea6c0(0000) GS:ffff8880b9200000(0000) knlGS:0000000000000000

CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033

CR2: 00007fddae9e9fa8 CR3: 00000000736f2000 CR4: 00000000003506f0

DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 08 48 89 or %cl,-0x77(%rax)
3: df e8 fucomip %st(0),%st
5: f8 clc
6: 0d 9d f6 48 8b or $0x8b48f69d,%eax
b: 44 24 28 rex.R and $0x28,%al
e: 4c 8d 68 14 lea 0x14(%rax),%r13
12: 48 8b 1b mov (%rbx),%rbx
15: 48 83 c3 0e add $0xe,%rbx
19: 48 89 d8 mov %rbx,%rax
1c: 48 c1 e8 03 shr $0x3,%rax
20: 49 bf 00 00 00 00 00 movabs $0xdffffc0000000000,%r15
27: fc ff df
* 2a: 42 0f b6 04 38 movzbl (%rax,%r15,1),%eax <-- trapping instruction
2f: 84 c0 test %al,%al
31: 0f 85 46 1b 00 00 jne 0x1b7d
37: 0f b7 1b movzwl (%rbx),%ebx
3a: 66 c1 c3 08 rol $0x8,%bx
3e: 4c rex.WR
3f: 89 .byte 0x89

Tested on:

commit: d7e78951 Merge tag 'net-6.11-rc0' of git://git.kernel...
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=137931c5980000

kernel config: https://syzkaller.appspot.com/x/.config?x=a6f4e2cb79bdcd45
dashboard link: https://syzkaller.appspot.com/bug?extid=f69bfae0a4eb29976e44
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

patch: https://syzkaller.appspot.com/x/patch.diff?x=1363c96d980000

[Jeongjun Park]

#syz test git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

---
net/smc/smc.h      | 19 ++++++++++---------
net/smc/smc_inet.c | 24 +++++++++++++++---------
2 files changed, 25 insertions(+), 18 deletions(-)

diff --git a/net/smc/smc.h b/net/smc/smc.h
index 34b781e463c4..f4d9338b5ed5 100644
--- a/net/smc/smc.h
+++ b/net/smc/smc.h
@@ -284,15 +284,6 @@ struct smc_connection {

struct smc_sock {                /* smc sock container */
   struct sock        sk;
-    struct socket        *clcsock;    /* internal tcp socket */
-    void            (*clcsk_state_change)(struct sock *sk);
-                        /* original stat_change fct. */
-    void            (*clcsk_data_ready)(struct sock *sk);
-                        /* original data_ready fct. */
-    void            (*clcsk_write_space)(struct sock *sk);
-                        /* original write_space fct. */
-    void            (*clcsk_error_report)(struct sock *sk);
-                        /* original error_report fct. */
   struct smc_connection    conn;        /* smc connection */
   struct smc_sock        *listen_smc;    /* listen parent */
   struct work_struct    connect_work;    /* handle non-blocking connect*/
@@ -325,6 +316,16 @@ struct smc_sock {                /* smc sock container */
                       /* protects clcsock of a listen
                        * socket
                        * */
+    struct socket        *clcsock;    /* internal tcp socket */
+    void            (*clcsk_state_change)(struct sock *sk);
+                        /* original stat_change fct. */
+    void            (*clcsk_data_ready)(struct sock *sk);
+                        /* original data_ready fct. */
+    void            (*clcsk_write_space)(struct sock *sk);
+                        /* original write_space fct. */
+    void            (*clcsk_error_report)(struct sock *sk);
+                        /* original error_report fct. */
+
};

#define smc_sk(ptr) container_of_const(ptr, struct smc_sock, sk)
diff --git a/net/smc/smc_inet.c b/net/smc/smc_inet.c
index bece346dd8e9..3c54faef6042 100644
--- a/net/smc/smc_inet.c
+++ b/net/smc/smc_inet.c
@@ -60,16 +60,22 @@ static struct inet_protosw smc_inet_protosw = {
};

#if IS_ENABLED(CONFIG_IPV6)
+struct smc6_sock {
+    struct smc_sock smc;
+    struct ipv6_pinfo np;
+};
+
static struct proto smc_inet6_prot = {
-    .name        = "INET6_SMC",
-    .owner        = THIS_MODULE,
-    .init        = smc_inet_init_sock,
-    .hash        = smc_hash_sk,
-    .unhash        = smc_unhash_sk,
-    .release_cb    = smc_release_cb,
-    .obj_size    = sizeof(struct smc_sock),
-    .h.smc_hash    = &smc_v6_hashinfo,
-    .slab_flags    = SLAB_TYPESAFE_BY_RCU,
+    .name               = "INET6_SMC",
+    .owner               = THIS_MODULE,
+    .init               = smc_inet_init_sock,
+    .hash               = smc_hash_sk,
+    .unhash               = smc_unhash_sk,
+    .release_cb           = smc_release_cb,
+    .obj_size           = sizeof(struct smc6_sock),
+    .h.smc_hash           = &smc_v6_hashinfo,
+    .slab_flags           = SLAB_TYPESAFE_BY_RCU,
+    .ipv6_pinfo_offset = offsetof(struct smc6_sock, np),
};

static const struct proto_ops smc_inet6_stream_ops = {
--

[Jeongjun Park]

[syzbot]

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to apply patch:
checking file net/smc/smc.h
patch: **** malformed patch at line 6: diff --git a/net/smc/smc_inet.c b/net/smc/smc_inet.c




Tested on:

commit: d74da846 Merge tag 'platform-drivers-x86-v6.11-3' of g..
git tree: upstream

kernel config: https://syzkaller.appspot.com/x/.config?x=a6f4e2cb79bdcd45
dashboard link: https://syzkaller.appspot.com/bug?extid=f69bfae0a4eb29976e44
compiler:

patch: https://syzkaller.appspot.com/x/patch.diff?x=171c9d13980000

[Jeongjun Park]

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+f69bfa...@syzkaller.appspotmail.com
Tested-by: syzbot+f69bfa...@syzkaller.appspotmail.com

Tested on:

commit: d74da846 Merge tag 'platform-drivers-x86-v6.11-3' of g..
git tree: upstream

console output: https://syzkaller.appspot.com/x/log.txt?x=14c6fee5980000
kernel config: https://syzkaller.appspot.com/x/.config?x=801d05d1ea4be1b8
dashboard link: https://syzkaller.appspot.com/bug?extid=f69bfae0a4eb29976e44

compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

patch: https://syzkaller.appspot.com/x/patch.diff?x=1046fee5980000

Note: testing is done by a robot and is best-effort only.

[Jeongjun Park]

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in smc_diag_dump_proto

Oops: general protection fault, probably for non-canonical address 0xdffffc00000a2403: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: probably user-memory-access in range [0x0000000000512018-0x000000000051201f]
CPU: 0 UID: 0 PID: 6007 Comm: syz.1.56 Not tainted 6.11.0-syzkaller-05026-g39b3f4e0db5d-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024

RIP: 0010:smc_diag_msg_common_fill net/smc/smc_diag.c:44 [inline]
RIP: 0010:__smc_diag_dump net/smc/smc_diag.c:89 [inline]

RIP: 0010:smc_diag_dump_proto+0x6d9/0x3270 net/smc/smc_diag.c:217
Code: 80 3c 2c 00 74 08 48 89 df e8 13 47 96 f6 48 89 5c 24 30 48 8b 1b 48 85 db 0f 84 2d 02 00 00 48 83 c3 18 48 89 d8 48 c1 e8 03 <42> 80 3c 28 00 74 08 48 89 df e8 e8 46 96 f6 48 8b 44 24 28 4c 8d
RSP: 0018:ffffc9000232eb00 EFLAGS: 00010206
RAX: 00000000000a2403 RBX: 0000000000512018 RCX: ffff888021765a00

RDX: 0000000000000000 RSI: 0000000080000001 RDI: 0000000000000000

RBP: ffffc9000232ef90 R08: ffffffff89984322 R09: 1ffff1100478378b
R10: dffffc0000000000 R11: ffffed100478378c R12: 1ffff1100478382b
R13: dffffc0000000000 R14: ffff888023c1bc00 R15: ffff88806a9a8010
FS: 00007f10eb3d36c0(0000) GS:ffff8880b9200000(0000) knlGS:0000000000000000

CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033

CR2: 00007f10eb3d2fa8 CR3: 0000000029d36000 CR4: 00000000003506f0

DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
smc_diag_dump+0x59/0xa0 net/smc/smc_diag.c:236
netlink_dump+0x647/0xd80 net/netlink/af_netlink.c:2325

__netlink_dump_start+0x5a2/0x790 net/netlink/af_netlink.c:2440

netlink_dump_start include/linux/netlink.h:339 [inline]
smc_diag_handler_dump+0x1ab/0x250 net/smc/smc_diag.c:251
sock_diag_rcv_msg+0x3dc/0x5f0
netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2550
netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]

netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1357

netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1901
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x221/0x270 net/socket.c:745
sock_sendmsg+0x134/0x200 net/socket.c:768

splice_to_socket+0xa10/0x10b0 fs/splice.c:889
do_splice_from fs/splice.c:941 [inline]
do_splice+0xd68/0x18e0 fs/splice.c:1354

__do_splice fs/splice.c:1436 [inline]
__do_sys_splice fs/splice.c:1652 [inline]
__se_sys_splice+0x331/0x4a0 fs/splice.c:1634
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

RIP: 0033:0x7f10ea575f19

Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48

RSP: 002b:00007f10eb3d3048 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
RAX: ffffffffffffffda RBX: 00007f10ea706038 RCX: 00007f10ea575f19

RDX: 0000000000000005 RSI: 0000000000000000 RDI: 0000000000000003

RBP: 00007f10ea5e4e68 R08: 0000000080000001 R09: 0000000000000000

R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000

R13: 000000000000006e R14: 00007f10ea706038 R15: 00007ffc7d1ca708

</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:smc_diag_msg_common_fill net/smc/smc_diag.c:44 [inline]
RIP: 0010:__smc_diag_dump net/smc/smc_diag.c:89 [inline]

RIP: 0010:smc_diag_dump_proto+0x6d9/0x3270 net/smc/smc_diag.c:217
Code: 80 3c 2c 00 74 08 48 89 df e8 13 47 96 f6 48 89 5c 24 30 48 8b 1b 48 85 db 0f 84 2d 02 00 00 48 83 c3 18 48 89 d8 48 c1 e8 03 <42> 80 3c 28 00 74 08 48 89 df e8 e8 46 96 f6 48 8b 44 24 28 4c 8d
RSP: 0018:ffffc9000232eb00 EFLAGS: 00010206
RAX: 00000000000a2403 RBX: 0000000000512018 RCX: ffff888021765a00

RDX: 0000000000000000 RSI: 0000000080000001 RDI: 0000000000000000

RBP: ffffc9000232ef90 R08: ffffffff89984322 R09: 1ffff1100478378b
R10: dffffc0000000000 R11: ffffed100478378c R12: 1ffff1100478382b
R13: dffffc0000000000 R14: ffff888023c1bc00 R15: ffff88806a9a8010
FS: 00007f10eb3d36c0(0000) GS:ffff8880b9200000(0000) knlGS:0000000000000000

CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033

CR2: 00007f10eb3d2fa8 CR3: 0000000029d36000 CR4: 00000000003506f0

DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):

0: 80 3c 2c 00 cmpb $0x0,(%rsp,%rbp,1)
4: 74 08 je 0xe
6: 48 89 df mov %rbx,%rdi
9: e8 13 47 96 f6 call 0xf6964721
e: 48 89 5c 24 30 mov %rbx,0x30(%rsp)
13: 48 8b 1b mov (%rbx),%rbx
16: 48 85 db test %rbx,%rbx
19: 0f 84 2d 02 00 00 je 0x24c
1f: 48 83 c3 18 add $0x18,%rbx
23: 48 89 d8 mov %rbx,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 42 80 3c 28 00 cmpb $0x0,(%rax,%r13,1) <-- trapping instruction
2f: 74 08 je 0x39
31: 48 89 df mov %rbx,%rdi
34: e8 e8 46 96 f6 call 0xf6964721
39: 48 8b 44 24 28 mov 0x28(%rsp),%rax
3e: 4c rex.WR
3f: 8d .byte 0x8d


Tested on:

commit: 39b3f4e0 Merge tag 'hardening-v6.12-rc1' of git://git...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17a1c4a9980000
kernel config: https://syzkaller.appspot.com/x/.config?x=5c3b301db2ae9f24

dashboard link: https://syzkaller.appspot.com/bug?extid=f69bfae0a4eb29976e44
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Note: no patches were applied.

[Jeongjun Park]

#syz test git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

---
net/smc/smc_inet.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/net/smc/smc_inet.c b/net/smc/smc_inet.c
index a5b2041600f9..e101c8eee187 100644
--- a/net/smc/smc_inet.c
+++ b/net/smc/smc_inet.c
@@ -111,11 +111,17 @@ static struct inet_protosw smc_inet6_protosw = {
static int smc_inet_init_sock(struct sock *sk)
{
struct net *net = sock_net(sk);
+ int rc;

/* init common smc sock */
smc_sk_init(net, sk, IPPROTO_SMC);
/* create clcsock */
- return smc_create_clcsk(net, sk, sk->sk_family);
+ rc = smc_create_clcsk(net, sk, sk->sk_family);
+
+ if (rc)
+ sk_common_release(sk);
+
+ return rc;
}

int __init smc_inet_init(void)
--

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in smc_diag_dump_proto

Oops: general protection fault, probably for non-canonical address 0xdffffc00000a2403: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: probably user-memory-access in range [0x0000000000512018-0x000000000051201f]

CPU: 0 UID: 0 PID: 6289 Comm: syz.1.16 Not tainted 6.11.0-syzkaller-05319-g4a39ac5b7d62-dirty #0

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
RIP: 0010:smc_diag_msg_common_fill net/smc/smc_diag.c:44 [inline]
RIP: 0010:__smc_diag_dump net/smc/smc_diag.c:89 [inline]
RIP: 0010:smc_diag_dump_proto+0x6d9/0x3270 net/smc/smc_diag.c:217

Code: 80 3c 2c 00 74 08 48 89 df e8 a3 3a 96 f6 48 89 5c 24 30 48 8b 1b 48 85 db 0f 84 2d 02 00 00 48 83 c3 18 48 89 d8 48 c1 e8 03 <42> 80 3c 28 00 74 08 48 89 df e8 78 3a 96 f6 48 8b 44 24 28 4c 8d
RSP: 0018:ffffc900030beb00 EFLAGS: 00010206
RAX: 00000000000a2403 RBX: 0000000000512018 RCX: ffff888026420000

RDX: 0000000000000000 RSI: 0000000080000001 RDI: 0000000000000000

RBP: ffffc900030bef90 R08: ffffffff89989932 R09: 1ffff1100c1b418b
R10: dffffc0000000000 R11: ffffed100c1b418c R12: 1ffff1100c1b422b
R13: dffffc0000000000 R14: ffff888060da0c00 R15: ffff88806f750010
FS: 00007f5aa99ff6c0(0000) GS:ffff8880b9200000(0000) knlGS:0000000000000000

CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033

CR2: 00007f5aa99fefa8 CR3: 0000000023558000 CR4: 00000000003506f0

RIP: 0033:0x7f5aa9f75f19

Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48

RSP: 002b:00007f5aa99ff048 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
RAX: ffffffffffffffda RBX: 00007f5aaa106038 RCX: 00007f5aa9f75f19

RDX: 0000000000000005 RSI: 0000000000000000 RDI: 0000000000000003

RBP: 00007f5aa9fe4e68 R08: 0000000080000001 R09: 0000000000000000

R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000

R13: 000000000000006e R14: 00007f5aaa106038 R15: 00007ffe5e8646f8

</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:smc_diag_msg_common_fill net/smc/smc_diag.c:44 [inline]
RIP: 0010:__smc_diag_dump net/smc/smc_diag.c:89 [inline]
RIP: 0010:smc_diag_dump_proto+0x6d9/0x3270 net/smc/smc_diag.c:217

Code: 80 3c 2c 00 74 08 48 89 df e8 a3 3a 96 f6 48 89 5c 24 30 48 8b 1b 48 85 db 0f 84 2d 02 00 00 48 83 c3 18 48 89 d8 48 c1 e8 03 <42> 80 3c 28 00 74 08 48 89 df e8 78 3a 96 f6 48 8b 44 24 28 4c 8d
RSP: 0018:ffffc900030beb00 EFLAGS: 00010206
RAX: 00000000000a2403 RBX: 0000000000512018 RCX: ffff888026420000

RDX: 0000000000000000 RSI: 0000000080000001 RDI: 0000000000000000

RBP: ffffc900030bef90 R08: ffffffff89989932 R09: 1ffff1100c1b418b
R10: dffffc0000000000 R11: ffffed100c1b418c R12: 1ffff1100c1b422b
R13: dffffc0000000000 R14: ffff888060da0c00 R15: ffff88806f750010
FS: 00007f5aa99ff6c0(0000) GS:ffff8880b9200000(0000) knlGS:0000000000000000

CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033

CR2: 00007f5aa99fefa8 CR3: 0000000023558000 CR4: 00000000003506f0

DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 80 3c 2c 00 cmpb $0x0,(%rsp,%rbp,1)
4: 74 08 je 0xe
6: 48 89 df mov %rbx,%rdi

9: e8 a3 3a 96 f6 call 0xf6963ab1

e: 48 89 5c 24 30 mov %rbx,0x30(%rsp)
13: 48 8b 1b mov (%rbx),%rbx
16: 48 85 db test %rbx,%rbx
19: 0f 84 2d 02 00 00 je 0x24c
1f: 48 83 c3 18 add $0x18,%rbx
23: 48 89 d8 mov %rbx,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 42 80 3c 28 00 cmpb $0x0,(%rax,%r13,1) <-- trapping instruction
2f: 74 08 je 0x39
31: 48 89 df mov %rbx,%rdi

34: e8 78 3a 96 f6 call 0xf6963ab1

39: 48 8b 44 24 28 mov 0x28(%rsp),%rax
3e: 4c rex.WR
3f: 8d .byte 0x8d


Tested on:

commit: 4a39ac5b Merge tag 'random-6.12-rc1-for-linus' of git:..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=102c269f980000

kernel config: https://syzkaller.appspot.com/x/.config?x=5c3b301db2ae9f24
dashboard link: https://syzkaller.appspot.com/bug?extid=f69bfae0a4eb29976e44
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

patch: https://syzkaller.appspot.com/x/patch.diff?x=125fc4a9980000

[Jeongjun Park]

#syz test git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

---

net/smc/af_smc.c | 176 +++++++++++++++++++--------------------
net/smc/smc.h | 7 +-
net/smc/smc_cdc.c | 40 ++++-----
net/smc/smc_clc.c | 28 +++----
net/smc/smc_close.c | 16 ++--
net/smc/smc_core.c | 68 +++++++--------
net/smc/smc_rx.c | 16 ++--
net/smc/smc_stats.h | 10 +--
net/smc/smc_tracepoint.h | 4 +-
net/smc/smc_tx.c | 28 +++----
10 files changed, 195 insertions(+), 198 deletions(-)

diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
index 8e3093938cd2..d2783e715604 100644
--- a/net/smc/af_smc.c
+++ b/net/smc/af_smc.c
@@ -132,7 +132,7 @@ static struct sock *smc_tcp_syn_recv_sock(const struct sock *sk,
sk->sk_max_ack_backlog)
goto drop;

- if (sk_acceptq_is_full(&smc->sk)) {
+ if (sk_acceptq_is_full(&smc->inet.sk)) {
NET_INC_STATS(sock_net(sk), LINUX_MIB_LISTENOVERFLOWS);
goto drop;
}
@@ -262,7 +262,7 @@ static void smc_fback_restore_callbacks(struct smc_sock *smc)
static void smc_restore_fallback_changes(struct smc_sock *smc)
{
if (smc->clcsock->file) { /* non-accepted sockets have no file yet */
- smc->clcsock->file->private_data = smc->sk.sk_socket;
+ smc->clcsock->file->private_data = smc->inet.sk.sk_socket;
smc->clcsock->file = NULL;
smc_fback_restore_callbacks(smc);
}
@@ -270,7 +270,7 @@ static void smc_restore_fallback_changes(struct smc_sock *smc)

static int __smc_release(struct smc_sock *smc)
{
- struct sock *sk = &smc->sk;
+ struct sock *sk = &smc->inet.sk;
int rc = 0;

if (!smc->use_fallback) {
@@ -327,7 +327,7 @@ int smc_release(struct socket *sock)
tcp_abort(smc->clcsock->sk, ECONNABORTED);

if (cancel_work_sync(&smc->connect_work))
- sock_put(&smc->sk); /* sock_hold in smc_connect for passive closing */
+ sock_put(&smc->inet.sk); /* sock_hold in smc_connect for passive closing */

if (sk->sk_state == SMC_LISTEN)
/* smc_close_non_accepted() is called and acquires
@@ -496,7 +496,7 @@ static void smc_copy_sock_settings(struct sock *nsk, struct sock *osk,

static void smc_copy_sock_settings_to_clc(struct smc_sock *smc)
{
- smc_copy_sock_settings(smc->clcsock->sk, &smc->sk, SK_FLAGS_SMC_TO_CLC);
+ smc_copy_sock_settings(smc->clcsock->sk, &smc->inet.sk, SK_FLAGS_SMC_TO_CLC);
}

#define SK_FLAGS_CLC_TO_SMC ((1UL << SOCK_URGINLINE) | \
@@ -506,7 +506,7 @@ static void smc_copy_sock_settings_to_clc(struct smc_sock *smc)
/* copy only settings and flags relevant for smc from clc to smc socket */
static void smc_copy_sock_settings_to_smc(struct smc_sock *smc)
{
- smc_copy_sock_settings(&smc->sk, smc->clcsock->sk, SK_FLAGS_CLC_TO_SMC);
+ smc_copy_sock_settings(&smc->inet.sk, smc->clcsock->sk, SK_FLAGS_CLC_TO_SMC);
}

/* register the new vzalloced sndbuf on all links */
@@ -757,7 +757,7 @@ static void smc_stat_inc_fback_rsn_cnt(struct smc_sock *smc,

static void smc_stat_fallback(struct smc_sock *smc)
{
- struct net *net = sock_net(&smc->sk);
+ struct net *net = sock_net(&smc->inet.sk);

mutex_lock(&net->smc.mutex_fback_rsn);
if (smc->listen_smc) {
@@ -776,7 +776,7 @@ static void smc_fback_wakeup_waitqueue(struct smc_sock *smc, void *key)
struct socket_wq *wq;
__poll_t flags;

- wq = rcu_dereference(smc->sk.sk_wq);
+ wq = rcu_dereference(smc->inet.sk.sk_wq);
if (!skwq_has_sleeper(wq))
return;

@@ -909,12 +909,12 @@ static int smc_switch_to_fallback(struct smc_sock *smc, int reason_code)
smc->fallback_rsn = reason_code;
smc_stat_fallback(smc);
trace_smc_switch_to_fallback(smc, reason_code);
- if (smc->sk.sk_socket && smc->sk.sk_socket->file) {
- smc->clcsock->file = smc->sk.sk_socket->file;
+ if (smc->inet.sk.sk_socket && smc->inet.sk.sk_socket->file) {
+ smc->clcsock->file = smc->inet.sk.sk_socket->file;
smc->clcsock->file->private_data = smc->clcsock;
smc->clcsock->wq.fasync_list =
- smc->sk.sk_socket->wq.fasync_list;
- smc->sk.sk_socket->wq.fasync_list = NULL;
+ smc->inet.sk.sk_socket->wq.fasync_list;
+ smc->inet.sk.sk_socket->wq.fasync_list = NULL;

/* There might be some wait entries remaining
* in smc sk->sk_wq and they should be woken up
@@ -930,20 +930,20 @@ static int smc_switch_to_fallback(struct smc_sock *smc, int reason_code)
/* fall back during connect */
static int smc_connect_fallback(struct smc_sock *smc, int reason_code)
{
- struct net *net = sock_net(&smc->sk);
+ struct net *net = sock_net(&smc->inet.sk);
int rc = 0;

rc = smc_switch_to_fallback(smc, reason_code);
if (rc) { /* fallback fails */
this_cpu_inc(net->smc.smc_stats->clnt_hshake_err_cnt);
- if (smc->sk.sk_state == SMC_INIT)
- sock_put(&smc->sk); /* passive closing */
+ if (smc->inet.sk.sk_state == SMC_INIT)
+ sock_put(&smc->inet.sk); /* passive closing */
return rc;
}
smc_copy_sock_settings_to_clc(smc);
smc->connect_nonblock = 0;
- if (smc->sk.sk_state == SMC_INIT)
- smc->sk.sk_state = SMC_ACTIVE;
+ if (smc->inet.sk.sk_state == SMC_INIT)
+ smc->inet.sk.sk_state = SMC_ACTIVE;
return 0;
}

@@ -951,21 +951,21 @@ static int smc_connect_fallback(struct smc_sock *smc, int reason_code)
static int smc_connect_decline_fallback(struct smc_sock *smc, int reason_code,
u8 version)
{
- struct net *net = sock_net(&smc->sk);
+ struct net *net = sock_net(&smc->inet.sk);
int rc;

if (reason_code < 0) { /* error, fallback is not possible */
this_cpu_inc(net->smc.smc_stats->clnt_hshake_err_cnt);
- if (smc->sk.sk_state == SMC_INIT)
- sock_put(&smc->sk); /* passive closing */
+ if (smc->inet.sk.sk_state == SMC_INIT)
+ sock_put(&smc->inet.sk); /* passive closing */
return reason_code;
}
if (reason_code != SMC_CLC_DECL_PEERDECL) {
rc = smc_clc_send_decline(smc, reason_code, version);
if (rc < 0) {
this_cpu_inc(net->smc.smc_stats->clnt_hshake_err_cnt);
- if (smc->sk.sk_state == SMC_INIT)
- sock_put(&smc->sk); /* passive closing */
+ if (smc->inet.sk.sk_state == SMC_INIT)
+ sock_put(&smc->inet.sk); /* passive closing */
return rc;
}
}
@@ -1050,7 +1050,7 @@ static int smc_find_ism_v2_device_clnt(struct smc_sock *smc,
continue;
is_emulated = __smc_ism_is_emulated(chid);
if (!smc_pnet_is_pnetid_set(smcd->pnetid) ||
- smc_pnet_is_ndev_pnetid(sock_net(&smc->sk), smcd->pnetid)) {
+ smc_pnet_is_ndev_pnetid(sock_net(&smc->inet.sk), smcd->pnetid)) {
if (is_emulated && entry == SMCD_CLC_MAX_V2_GID_ENTRIES)
/* It's the last GID-CHID entry left in CLC
* Proposal SMC-Dv2 extension, but an Emulated-
@@ -1200,7 +1200,7 @@ static int smc_connect_rdma_v2_prepare(struct smc_sock *smc,
{
struct smc_clc_first_contact_ext *fce =
smc_get_clc_first_contact_ext(aclc, false);
- struct net *net = sock_net(&smc->sk);
+ struct net *net = sock_net(&smc->inet.sk);
int rc;

if (!ini->first_contact_peer || aclc->hdr.version == SMC_V1)
@@ -1347,8 +1347,8 @@ static int smc_connect_rdma(struct smc_sock *smc,

smc_copy_sock_settings_to_clc(smc);
smc->connect_nonblock = 0;
- if (smc->sk.sk_state == SMC_INIT)
- smc->sk.sk_state = SMC_ACTIVE;
+ if (smc->inet.sk.sk_state == SMC_INIT)
+ smc->inet.sk.sk_state = SMC_ACTIVE;

return 0;
connect_abort:
@@ -1450,8 +1450,8 @@ static int smc_connect_ism(struct smc_sock *smc,

smc_copy_sock_settings_to_clc(smc);
smc->connect_nonblock = 0;
- if (smc->sk.sk_state == SMC_INIT)
- smc->sk.sk_state = SMC_ACTIVE;
+ if (smc->inet.sk.sk_state == SMC_INIT)
+ smc->inet.sk.sk_state = SMC_ACTIVE;

return 0;
connect_abort:
@@ -1546,7 +1546,7 @@ static int __smc_connect(struct smc_sock *smc)
/* -EAGAIN on timeout, see tcp_recvmsg() */
if (rc == -EAGAIN) {
rc = -ETIMEDOUT;
- smc->sk.sk_err = ETIMEDOUT;
+ smc->inet.sk.sk_err = ETIMEDOUT;
}
goto vlan_cleanup;
}
@@ -1586,14 +1586,14 @@ static void smc_connect_work(struct work_struct *work)
{
struct smc_sock *smc = container_of(work, struct smc_sock,
connect_work);
- long timeo = smc->sk.sk_sndtimeo;
+ long timeo = smc->inet.sk.sk_sndtimeo;
int rc = 0;

if (!timeo)
timeo = MAX_SCHEDULE_TIMEOUT;
lock_sock(smc->clcsock->sk);
if (smc->clcsock->sk->sk_err) {
- smc->sk.sk_err = smc->clcsock->sk->sk_err;
+ smc->inet.sk.sk_err = smc->clcsock->sk->sk_err;
} else if ((1 << smc->clcsock->sk->sk_state) &
(TCPF_SYN_SENT | TCPF_SYN_RECV)) {
rc = sk_stream_wait_connect(smc->clcsock->sk, &timeo);
@@ -1603,33 +1603,33 @@ static void smc_connect_work(struct work_struct *work)
rc = 0;
}
release_sock(smc->clcsock->sk);
- lock_sock(&smc->sk);
- if (rc != 0 || smc->sk.sk_err) {
- smc->sk.sk_state = SMC_CLOSED;
+ lock_sock(&smc->inet.sk);
+ if (rc != 0 || smc->inet.sk.sk_err) {
+ smc->inet.sk.sk_state = SMC_CLOSED;
if (rc == -EPIPE || rc == -EAGAIN)
- smc->sk.sk_err = EPIPE;
+ smc->inet.sk.sk_err = EPIPE;
else if (rc == -ECONNREFUSED)
- smc->sk.sk_err = ECONNREFUSED;
+ smc->inet.sk.sk_err = ECONNREFUSED;
else if (signal_pending(current))
- smc->sk.sk_err = -sock_intr_errno(timeo);
- sock_put(&smc->sk); /* passive closing */
+ smc->inet.sk.sk_err = -sock_intr_errno(timeo);
+ sock_put(&smc->inet.sk); /* passive closing */
goto out;
}

rc = __smc_connect(smc);
if (rc < 0)
- smc->sk.sk_err = -rc;
+ smc->inet.sk.sk_err = -rc;

out:
- if (!sock_flag(&smc->sk, SOCK_DEAD)) {
- if (smc->sk.sk_err) {
- smc->sk.sk_state_change(&smc->sk);
+ if (!sock_flag(&smc->inet.sk, SOCK_DEAD)) {
+ if (smc->inet.sk.sk_err) {
+ smc->inet.sk.sk_state_change(&smc->inet.sk);
} else { /* allow polling before and after fallback decision */
smc->clcsock->sk->sk_write_space(smc->clcsock->sk);
- smc->sk.sk_write_space(&smc->sk);
+ smc->inet.sk.sk_write_space(&smc->inet.sk);
}
}
- release_sock(&smc->sk);
+ release_sock(&smc->inet.sk);
}

int smc_connect(struct socket *sock, struct sockaddr *addr,
@@ -1692,7 +1692,7 @@ int smc_connect(struct socket *sock, struct sockaddr *addr,
sock->state = rc ? SS_CONNECTING : SS_CONNECTED;
goto out;
}
- sock_hold(&smc->sk); /* sock put in passive closing */
+ sock_hold(&smc->inet.sk); /* sock put in passive closing */
if (flags & O_NONBLOCK) {
if (queue_work(smc_hs_wq, &smc->connect_work))
smc->connect_nonblock = 1;
@@ -1716,7 +1716,7 @@ int smc_connect(struct socket *sock, struct sockaddr *addr,
static int smc_clcsock_accept(struct smc_sock *lsmc, struct smc_sock **new_smc)
{
struct socket *new_clcsock = NULL;
- struct sock *lsk = &lsmc->sk;
+ struct sock *lsk = &lsmc->inet.sk;
struct sock *new_sk;
int rc = -EINVAL;

@@ -1793,7 +1793,7 @@ static void smc_accept_unlink(struct sock *sk)
spin_lock(&par->accept_q_lock);
list_del_init(&smc_sk(sk)->accept_q);
spin_unlock(&par->accept_q_lock);
- sk_acceptq_removed(&smc_sk(sk)->listen_smc->sk);
+ sk_acceptq_removed(&smc_sk(sk)->listen_smc->inet.sk);
sock_put(sk); /* sock_hold in smc_accept_enqueue */
}

@@ -1904,28 +1904,28 @@ static int smcr_serv_conf_first_link(struct smc_sock *smc)
static void smc_listen_out(struct smc_sock *new_smc)
{
struct smc_sock *lsmc = new_smc->listen_smc;
- struct sock *newsmcsk = &new_smc->sk;
+ struct sock *newsmcsk = &new_smc->inet.sk;

if (tcp_sk(new_smc->clcsock->sk)->syn_smc)
atomic_dec(&lsmc->queued_smc_hs);

- if (lsmc->sk.sk_state == SMC_LISTEN) {
- lock_sock_nested(&lsmc->sk, SINGLE_DEPTH_NESTING);
- smc_accept_enqueue(&lsmc->sk, newsmcsk);
- release_sock(&lsmc->sk);
+ if (lsmc->inet.sk.sk_state == SMC_LISTEN) {
+ lock_sock_nested(&lsmc->inet.sk, SINGLE_DEPTH_NESTING);
+ smc_accept_enqueue(&lsmc->inet.sk, newsmcsk);
+ release_sock(&lsmc->inet.sk);
} else { /* no longer listening */
smc_close_non_accepted(newsmcsk);
}

/* Wake up accept */
- lsmc->sk.sk_data_ready(&lsmc->sk);
- sock_put(&lsmc->sk); /* sock_hold in smc_tcp_listen_work */
+ lsmc->inet.sk.sk_data_ready(&lsmc->inet.sk);
+ sock_put(&lsmc->inet.sk); /* sock_hold in smc_tcp_listen_work */
}

/* listen worker: finish in state connected */
static void smc_listen_out_connected(struct smc_sock *new_smc)
{
- struct sock *newsmcsk = &new_smc->sk;
+ struct sock *newsmcsk = &new_smc->inet.sk;

if (newsmcsk->sk_state == SMC_INIT)
newsmcsk->sk_state = SMC_ACTIVE;
@@ -1936,12 +1936,12 @@ static void smc_listen_out_connected(struct smc_sock *new_smc)
/* listen worker: finish in error state */
static void smc_listen_out_err(struct smc_sock *new_smc)
{
- struct sock *newsmcsk = &new_smc->sk;
+ struct sock *newsmcsk = &new_smc->inet.sk;
struct net *net = sock_net(newsmcsk);

this_cpu_inc(net->smc.smc_stats->srv_hshake_err_cnt);
if (newsmcsk->sk_state == SMC_INIT)
- sock_put(&new_smc->sk); /* passive closing */
+ sock_put(&new_smc->inet.sk); /* passive closing */
newsmcsk->sk_state = SMC_CLOSED;

smc_listen_out(new_smc);
@@ -2430,7 +2430,7 @@ static void smc_listen_work(struct work_struct *work)
u8 accept_version;
int rc = 0;

- if (new_smc->listen_smc->sk.sk_state != SMC_LISTEN)
+ if (new_smc->listen_smc->inet.sk.sk_state != SMC_LISTEN)
return smc_listen_out_err(new_smc);

if (new_smc->use_fallback) {
@@ -2565,7 +2565,7 @@ static void smc_tcp_listen_work(struct work_struct *work)
{
struct smc_sock *lsmc = container_of(work, struct smc_sock,
tcp_listen_work);
- struct sock *lsk = &lsmc->sk;
+ struct sock *lsk = &lsmc->inet.sk;
struct smc_sock *new_smc;
int rc = 0;

@@ -2586,14 +2586,14 @@ static void smc_tcp_listen_work(struct work_struct *work)
sock_hold(lsk); /* sock_put in smc_listen_work */
INIT_WORK(&new_smc->smc_listen_work, smc_listen_work);
smc_copy_sock_settings_to_smc(new_smc);
- sock_hold(&new_smc->sk); /* sock_put in passive closing */
+ sock_hold(&new_smc->inet.sk); /* sock_put in passive closing */
if (!queue_work(smc_hs_wq, &new_smc->smc_listen_work))
- sock_put(&new_smc->sk);
+ sock_put(&new_smc->inet.sk);
}

out:
release_sock(lsk);
- sock_put(&lsmc->sk); /* sock_hold in smc_clcsock_data_ready() */
+ sock_put(&lsmc->inet.sk); /* sock_hold in smc_clcsock_data_ready() */
}

static void smc_clcsock_data_ready(struct sock *listen_clcsock)
@@ -2605,10 +2605,10 @@ static void smc_clcsock_data_ready(struct sock *listen_clcsock)
if (!lsmc)
goto out;
lsmc->clcsk_data_ready(listen_clcsock);
- if (lsmc->sk.sk_state == SMC_LISTEN) {
- sock_hold(&lsmc->sk); /* sock_put in smc_tcp_listen_work() */
+ if (lsmc->inet.sk.sk_state == SMC_LISTEN) {
+ sock_hold(&lsmc->inet.sk); /* sock_put in smc_tcp_listen_work() */
if (!queue_work(smc_tcp_ls_wq, &lsmc->tcp_listen_work))
- sock_put(&lsmc->sk);
+ sock_put(&lsmc->inet.sk);
}
out:
read_unlock_bh(&listen_clcsock->sk_callback_lock);
@@ -2692,7 +2692,7 @@ int smc_accept(struct socket *sock, struct socket *new_sock,
sock_hold(sk); /* sock_put below */
lock_sock(sk);

- if (lsmc->sk.sk_state != SMC_LISTEN) {
+ if (lsmc->inet.sk.sk_state != SMC_LISTEN) {
rc = -EINVAL;
release_sock(sk);
goto out;
@@ -3167,36 +3167,36 @@ int smc_ioctl(struct socket *sock, unsigned int cmd,

smc = smc_sk(sock->sk);
conn = &smc->conn;
- lock_sock(&smc->sk);
+ lock_sock(&smc->inet.sk);
if (smc->use_fallback) {
if (!smc->clcsock) {
- release_sock(&smc->sk);
+ release_sock(&smc->inet.sk);
return -EBADF;
}
answ = smc->clcsock->ops->ioctl(smc->clcsock, cmd, arg);
- release_sock(&smc->sk);
+ release_sock(&smc->inet.sk);
return answ;
}
switch (cmd) {
case SIOCINQ: /* same as FIONREAD */
- if (smc->sk.sk_state == SMC_LISTEN) {
- release_sock(&smc->sk);
+ if (smc->inet.sk.sk_state == SMC_LISTEN) {
+ release_sock(&smc->inet.sk);
return -EINVAL;
}
- if (smc->sk.sk_state == SMC_INIT ||
- smc->sk.sk_state == SMC_CLOSED)
+ if (smc->inet.sk.sk_state == SMC_INIT ||
+ smc->inet.sk.sk_state == SMC_CLOSED)
answ = 0;
else
answ = atomic_read(&smc->conn.bytes_to_rcv);
break;
case SIOCOUTQ:
/* output queue size (not send + not acked) */
- if (smc->sk.sk_state == SMC_LISTEN) {
- release_sock(&smc->sk);
+ if (smc->inet.sk.sk_state == SMC_LISTEN) {
+ release_sock(&smc->inet.sk);
return -EINVAL;
}
- if (smc->sk.sk_state == SMC_INIT ||
- smc->sk.sk_state == SMC_CLOSED)
+ if (smc->inet.sk.sk_state == SMC_INIT ||
+ smc->inet.sk.sk_state == SMC_CLOSED)
answ = 0;
else
answ = smc->conn.sndbuf_desc->len -
@@ -3204,23 +3204,23 @@ int smc_ioctl(struct socket *sock, unsigned int cmd,
break;
case SIOCOUTQNSD:
/* output queue size (not send only) */
- if (smc->sk.sk_state == SMC_LISTEN) {
- release_sock(&smc->sk);
+ if (smc->inet.sk.sk_state == SMC_LISTEN) {
+ release_sock(&smc->inet.sk);
return -EINVAL;
}
- if (smc->sk.sk_state == SMC_INIT ||
- smc->sk.sk_state == SMC_CLOSED)
+ if (smc->inet.sk.sk_state == SMC_INIT ||
+ smc->inet.sk.sk_state == SMC_CLOSED)
answ = 0;
else
answ = smc_tx_prepared_sends(&smc->conn);
break;
case SIOCATMARK:
- if (smc->sk.sk_state == SMC_LISTEN) {
- release_sock(&smc->sk);
+ if (smc->inet.sk.sk_state == SMC_LISTEN) {
+ release_sock(&smc->inet.sk);
return -EINVAL;
}
- if (smc->sk.sk_state == SMC_INIT ||
- smc->sk.sk_state == SMC_CLOSED) {
+ if (smc->inet.sk.sk_state == SMC_INIT ||
+ smc->inet.sk.sk_state == SMC_CLOSED) {
answ = 0;
} else {
smc_curs_copy(&cons, &conn->local_tx_ctrl.cons, conn);
@@ -3230,10 +3230,10 @@ int smc_ioctl(struct socket *sock, unsigned int cmd,
}
break;
default:
- release_sock(&smc->sk);
+ release_sock(&smc->inet.sk);
return -ENOIOCTLCMD;
}
- release_sock(&smc->sk);
+ release_sock(&smc->inet.sk);

return put_user(answ, (int __user *)arg);
}
@@ -3324,7 +3324,7 @@ int smc_create_clcsk(struct net *net, struct sock *sk, int family)

/* smc_clcsock_release() does not wait smc->clcsock->sk's
* destruction; its sk_state might not be TCP_CLOSE after
- * smc->sk is close()d, and TCP timers can be fired later,
+ * smc->inet.sk is close()d, and TCP timers can be fired later,
* which need net ref.
*/
sk = smc->clcsock->sk;
diff --git a/net/smc/smc.h b/net/smc/smc.h
index ad77d6b6b8d3..1caea41f04e9 100644
--- a/net/smc/smc.h
+++ b/net/smc/smc.h
@@ -283,10 +283,7 @@ struct smc_connection {

};

struct smc_sock { /* smc sock container */

- struct sock sk;
-#if IS_ENABLED(CONFIG_IPV6)
- struct ipv6_pinfo *pinet6;
-#endif
+ struct inet_sock inet;

struct socket *clcsock; /* internal tcp socket */

void (*clcsk_state_change)(struct sock *sk);

/* original stat_change fct. */

@@ -330,7 +327,7 @@ struct smc_sock { /* smc sock container */
* */
};

-#define smc_sk(ptr) container_of_const(ptr, struct smc_sock, sk)
+#define smc_sk(ptr) container_of_const(ptr, struct smc_sock, inet.sk)

static inline void smc_init_saved_callbacks(struct smc_sock *smc)
{
diff --git a/net/smc/smc_cdc.c b/net/smc/smc_cdc.c
index 619b3bab3824..45d81c87b398 100644
--- a/net/smc/smc_cdc.c
+++ b/net/smc/smc_cdc.c
@@ -35,7 +35,7 @@ static void smc_cdc_tx_handler(struct smc_wr_tx_pend_priv *pnd_snd,

sndbuf_desc = conn->sndbuf_desc;
smc = container_of(conn, struct smc_sock, conn);
- bh_lock_sock(&smc->sk);
+ bh_lock_sock(&smc->inet.sk);
if (!wc_status && sndbuf_desc) {
diff = smc_curs_diff(sndbuf_desc->len,
&cdcpend->conn->tx_curs_fin,
@@ -56,7 +56,7 @@ static void smc_cdc_tx_handler(struct smc_wr_tx_pend_priv *pnd_snd,
* User context will later try to send when it release sock_lock
* in smc_release_cb()
*/
- if (sock_owned_by_user(&smc->sk))
+ if (sock_owned_by_user(&smc->inet.sk))
conn->tx_in_release_sock = true;
else
smc_tx_pending(conn);
@@ -67,7 +67,7 @@ static void smc_cdc_tx_handler(struct smc_wr_tx_pend_priv *pnd_snd,
WARN_ON(atomic_read(&conn->cdc_pend_tx_wr) < 0);

smc_tx_sndbuf_nonfull(smc);
- bh_unlock_sock(&smc->sk);
+ bh_unlock_sock(&smc->inet.sk);
}

int smc_cdc_get_free_slot(struct smc_connection *conn,
@@ -294,7 +294,7 @@ static void smc_cdc_handle_urg_data_arrival(struct smc_sock *smc,
/* new data included urgent business */
smc_curs_copy(&conn->urg_curs, &conn->local_rx_ctrl.prod, conn);
conn->urg_state = SMC_URG_VALID;
- if (!sock_flag(&smc->sk, SOCK_URGINLINE))
+ if (!sock_flag(&smc->inet.sk, SOCK_URGINLINE))
/* we'll skip the urgent byte, so don't account for it */
(*diff_prod)--;
base = (char *)conn->rmb_desc->cpu_addr + conn->rx_off;
@@ -302,7 +302,7 @@ static void smc_cdc_handle_urg_data_arrival(struct smc_sock *smc,
conn->urg_rx_byte = *(base + conn->urg_curs.count - 1);
else
conn->urg_rx_byte = *(base + conn->rmb_desc->len - 1);
- sk_send_sigurg(&smc->sk);
+ sk_send_sigurg(&smc->inet.sk);
}

static void smc_cdc_msg_validate(struct smc_sock *smc, struct smc_cdc_msg *cdc,
@@ -321,9 +321,9 @@ static void smc_cdc_msg_validate(struct smc_sock *smc, struct smc_cdc_msg *cdc,
conn->local_tx_ctrl.conn_state_flags.peer_conn_abort = 1;
conn->lnk = link;
spin_unlock_bh(&conn->send_lock);
- sock_hold(&smc->sk); /* sock_put in abort_work */
+ sock_hold(&smc->inet.sk); /* sock_put in abort_work */
if (!queue_work(smc_close_wq, &conn->abort_work))
- sock_put(&smc->sk);
+ sock_put(&smc->inet.sk);
}
}

@@ -383,10 +383,10 @@ static void smc_cdc_msg_recv_action(struct smc_sock *smc,
atomic_add(diff_prod, &conn->bytes_to_rcv);
/* guarantee 0 <= bytes_to_rcv <= rmb_desc->len */
smp_mb__after_atomic();
- smc->sk.sk_data_ready(&smc->sk);
+ smc->inet.sk.sk_data_ready(&smc->inet.sk);
} else {
if (conn->local_rx_ctrl.prod_flags.write_blocked)
- smc->sk.sk_data_ready(&smc->sk);
+ smc->inet.sk.sk_data_ready(&smc->inet.sk);
if (conn->local_rx_ctrl.prod_flags.urg_data_pending)
conn->urg_state = SMC_URG_NOTYET;
}
@@ -395,7 +395,7 @@ static void smc_cdc_msg_recv_action(struct smc_sock *smc,
if ((diff_cons && smc_tx_prepared_sends(conn)) ||
conn->local_rx_ctrl.prod_flags.cons_curs_upd_req ||
conn->local_rx_ctrl.prod_flags.urg_data_pending) {
- if (!sock_owned_by_user(&smc->sk))
+ if (!sock_owned_by_user(&smc->inet.sk))
smc_tx_pending(conn);
else
conn->tx_in_release_sock = true;
@@ -405,32 +405,32 @@ static void smc_cdc_msg_recv_action(struct smc_sock *smc,
atomic_read(&conn->peer_rmbe_space) == conn->peer_rmbe_size) {
/* urg data confirmed by peer, indicate we're ready for more */
conn->urg_tx_pend = false;
- smc->sk.sk_write_space(&smc->sk);
+ smc->inet.sk.sk_write_space(&smc->inet.sk);
}

if (conn->local_rx_ctrl.conn_state_flags.peer_conn_abort) {
- smc->sk.sk_err = ECONNRESET;
+ smc->inet.sk.sk_err = ECONNRESET;
conn->local_tx_ctrl.conn_state_flags.peer_conn_abort = 1;
}
if (smc_cdc_rxed_any_close_or_senddone(conn)) {
- smc->sk.sk_shutdown |= RCV_SHUTDOWN;
+ smc->inet.sk.sk_shutdown |= RCV_SHUTDOWN;
if (smc->clcsock && smc->clcsock->sk)
smc->clcsock->sk->sk_shutdown |= RCV_SHUTDOWN;
- smc_sock_set_flag(&smc->sk, SOCK_DONE);
- sock_hold(&smc->sk); /* sock_put in close_work */
+ smc_sock_set_flag(&smc->inet.sk, SOCK_DONE);
+ sock_hold(&smc->inet.sk); /* sock_put in close_work */
if (!queue_work(smc_close_wq, &conn->close_work))
- sock_put(&smc->sk);
+ sock_put(&smc->inet.sk);
}
}

/* called under tasklet context */
static void smc_cdc_msg_recv(struct smc_sock *smc, struct smc_cdc_msg *cdc)
{
- sock_hold(&smc->sk);
- bh_lock_sock(&smc->sk);
+ sock_hold(&smc->inet.sk);
+ bh_lock_sock(&smc->inet.sk);
smc_cdc_msg_recv_action(smc, cdc);
- bh_unlock_sock(&smc->sk);
- sock_put(&smc->sk); /* no free sk in softirq-context */
+ bh_unlock_sock(&smc->inet.sk);
+ sock_put(&smc->inet.sk); /* no free sk in softirq-context */
}

/* Schedule a tasklet for this connection. Triggered from the ISM device IRQ
diff --git a/net/smc/smc_clc.c b/net/smc/smc_clc.c
index 33fa787c28eb..c08ebc55f2ad 100644
--- a/net/smc/smc_clc.c
+++ b/net/smc/smc_clc.c
@@ -704,7 +704,7 @@ int smc_clc_wait_msg(struct smc_sock *smc, void *buf, int buflen,
if (signal_pending(current)) {
reason_code = -EINTR;
clc_sk->sk_err = EINTR;
- smc->sk.sk_err = EINTR;
+ smc->inet.sk.sk_err = EINTR;
goto out;
}
if (clc_sk->sk_err) {
@@ -713,17 +713,17 @@ int smc_clc_wait_msg(struct smc_sock *smc, void *buf, int buflen,
expected_type == SMC_CLC_DECLINE)
clc_sk->sk_err = 0; /* reset for fallback usage */
else
- smc->sk.sk_err = clc_sk->sk_err;
+ smc->inet.sk.sk_err = clc_sk->sk_err;
goto out;
}
if (!len) { /* peer has performed orderly shutdown */
- smc->sk.sk_err = ECONNRESET;
+ smc->inet.sk.sk_err = ECONNRESET;
reason_code = -ECONNRESET;
goto out;
}
if (len < 0) {
if (len != -EAGAIN || expected_type != SMC_CLC_DECLINE)
- smc->sk.sk_err = -len;
+ smc->inet.sk.sk_err = -len;
reason_code = len;
goto out;
}
@@ -732,7 +732,7 @@ int smc_clc_wait_msg(struct smc_sock *smc, void *buf, int buflen,
(clcm->version < SMC_V1) ||
((clcm->type != SMC_CLC_DECLINE) &&
(clcm->type != expected_type))) {
- smc->sk.sk_err = EPROTO;
+ smc->inet.sk.sk_err = EPROTO;
reason_code = -EPROTO;
goto out;
}
@@ -749,7 +749,7 @@ int smc_clc_wait_msg(struct smc_sock *smc, void *buf, int buflen,
krflags = MSG_WAITALL;
len = sock_recvmsg(smc->clcsock, &msg, krflags);
if (len < recvlen || !smc_clc_msg_hdr_valid(clcm, check_trl)) {
- smc->sk.sk_err = EPROTO;
+ smc->inet.sk.sk_err = EPROTO;
reason_code = -EPROTO;
goto out;
}
@@ -835,7 +835,7 @@ int smc_clc_send_proposal(struct smc_sock *smc, struct smc_init_info *ini)
struct smc_clc_smcd_gid_chid *gidchids;
struct smc_clc_msg_proposal_area *pclc;
struct smc_clc_ipv6_prefix *ipv6_prfx;
- struct net *net = sock_net(&smc->sk);
+ struct net *net = sock_net(&smc->inet.sk);
struct smc_clc_v2_extension *v2_ext;
struct smc_clc_msg_smcd *pclc_smcd;
struct smc_clc_msg_trail *trl;
@@ -1015,11 +1015,11 @@ int smc_clc_send_proposal(struct smc_sock *smc, struct smc_init_info *ini)
/* due to the few bytes needed for clc-handshake this cannot block */
len = kernel_sendmsg(smc->clcsock, &msg, vec, i, plen);
if (len < 0) {
- smc->sk.sk_err = smc->clcsock->sk->sk_err;
- reason_code = -smc->sk.sk_err;
+ smc->inet.sk.sk_err = smc->clcsock->sk->sk_err;
+ reason_code = -smc->inet.sk.sk_err;
} else if (len < ntohs(pclc_base->hdr.length)) {
reason_code = -ENETUNREACH;
- smc->sk.sk_err = -reason_code;
+ smc->inet.sk.sk_err = -reason_code;
}

kfree(pclc);
@@ -1208,10 +1208,10 @@ int smc_clc_send_confirm(struct smc_sock *smc, bool clnt_first_contact,
if (len < ntohs(cclc.hdr.length)) {
if (len >= 0) {
reason_code = -ENETUNREACH;
- smc->sk.sk_err = -reason_code;
+ smc->inet.sk.sk_err = -reason_code;
} else {
- smc->sk.sk_err = smc->clcsock->sk->sk_err;
- reason_code = -smc->sk.sk_err;
+ smc->inet.sk.sk_err = smc->clcsock->sk->sk_err;
+ reason_code = -smc->inet.sk.sk_err;
}
}
return reason_code;
@@ -1239,7 +1239,7 @@ int smc_clc_srv_v2x_features_validate(struct smc_sock *smc,
struct smc_init_info *ini)
{
struct smc_clc_v2_extension *pclc_v2_ext;
- struct net *net = sock_net(&smc->sk);
+ struct net *net = sock_net(&smc->inet.sk);

ini->max_conns = SMC_CONN_PER_LGR_MAX;
ini->max_links = SMC_LINKS_ADD_LNK_MAX;
diff --git a/net/smc/smc_close.c b/net/smc/smc_close.c
index 10219f55aad1..74020e9eba1b 100644
--- a/net/smc/smc_close.c
+++ b/net/smc/smc_close.c
@@ -49,7 +49,7 @@ static void smc_close_cleanup_listen(struct sock *parent)
static void smc_close_stream_wait(struct smc_sock *smc, long timeout)
{
DEFINE_WAIT_FUNC(wait, woken_wake_function);
- struct sock *sk = &smc->sk;
+ struct sock *sk = &smc->inet.sk;

if (!timeout)
return;
@@ -82,7 +82,7 @@ void smc_close_wake_tx_prepared(struct smc_sock *smc)
{
if (smc->wait_close_tx_prepared)
/* wake up socket closing */
- smc->sk.sk_state_change(&smc->sk);
+ smc->inet.sk.sk_state_change(&smc->inet.sk);
}

static int smc_close_wr(struct smc_connection *conn)
@@ -113,7 +113,7 @@ int smc_close_abort(struct smc_connection *conn)

static void smc_close_cancel_work(struct smc_sock *smc)
{
- struct sock *sk = &smc->sk;
+ struct sock *sk = &smc->inet.sk;

release_sock(sk);
if (cancel_work_sync(&smc->conn.close_work))
@@ -127,7 +127,7 @@ static void smc_close_cancel_work(struct smc_sock *smc)
*/
void smc_close_active_abort(struct smc_sock *smc)
{
- struct sock *sk = &smc->sk;
+ struct sock *sk = &smc->inet.sk;
bool release_clcsock = false;

if (sk->sk_state != SMC_INIT && smc->clcsock && smc->clcsock->sk) {
@@ -195,7 +195,7 @@ int smc_close_active(struct smc_sock *smc)
struct smc_cdc_conn_state_flags *txflags =
&smc->conn.local_tx_ctrl.conn_state_flags;
struct smc_connection *conn = &smc->conn;
- struct sock *sk = &smc->sk;
+ struct sock *sk = &smc->inet.sk;
int old_state;
long timeout;
int rc = 0;
@@ -313,7 +313,7 @@ static void smc_close_passive_abort_received(struct smc_sock *smc)
{
struct smc_cdc_conn_state_flags *txflags =
&smc->conn.local_tx_ctrl.conn_state_flags;
- struct sock *sk = &smc->sk;
+ struct sock *sk = &smc->inet.sk;

switch (sk->sk_state) {
case SMC_INIT:
@@ -361,7 +361,7 @@ static void smc_close_passive_work(struct work_struct *work)
struct smc_sock *smc = container_of(conn, struct smc_sock, conn);
struct smc_cdc_conn_state_flags *rxflags;
bool release_clcsock = false;
- struct sock *sk = &smc->sk;
+ struct sock *sk = &smc->inet.sk;
int old_state;

lock_sock(sk);
@@ -447,7 +447,7 @@ static void smc_close_passive_work(struct work_struct *work)
int smc_close_shutdown_write(struct smc_sock *smc)
{
struct smc_connection *conn = &smc->conn;
- struct sock *sk = &smc->sk;
+ struct sock *sk = &smc->inet.sk;
int old_state;
long timeout;
int rc = 0;
diff --git a/net/smc/smc_core.c b/net/smc/smc_core.c
index 3b95828d9976..86430ab7c0ef 100644
--- a/net/smc/smc_core.c
+++ b/net/smc/smc_core.c
@@ -180,7 +180,7 @@ static int smc_lgr_register_conn(struct smc_connection *conn, bool first)
/* find a new alert_token_local value not yet used by some connection
* in this link group
*/
- sock_hold(&smc->sk); /* sock_put in smc_lgr_unregister_conn() */
+ sock_hold(&smc->inet.sk); /* sock_put in smc_lgr_unregister_conn() */
while (!conn->alert_token_local) {
conn->alert_token_local = atomic_inc_return(&nexttoken);
if (smc_lgr_find_conn(conn->alert_token_local, conn->lgr))
@@ -203,7 +203,7 @@ static void __smc_lgr_unregister_conn(struct smc_connection *conn)
atomic_dec(&conn->lnk->conn_cnt);
lgr->conns_num--;
conn->alert_token_local = 0;
- sock_put(&smc->sk); /* sock_hold in smc_lgr_register_conn() */
+ sock_put(&smc->inet.sk); /* sock_hold in smc_lgr_register_conn() */
}

/* Unregister connection from lgr
@@ -1010,12 +1010,12 @@ static int smc_switch_cursor(struct smc_sock *smc, struct smc_cdc_tx_pend *pend,
/* recalculate, value is used by tx_rdma_writes() */
atomic_set(&smc->conn.peer_rmbe_space, smc_write_space(conn));

- if (smc->sk.sk_state != SMC_INIT &&
- smc->sk.sk_state != SMC_CLOSED) {
+ if (smc->inet.sk.sk_state != SMC_INIT &&
+ smc->inet.sk.sk_state != SMC_CLOSED) {
rc = smcr_cdc_msg_send_validation(conn, pend, wr_buf);
if (!rc) {
queue_delayed_work(conn->lgr->tx_wq, &conn->tx_work, 0);
- smc->sk.sk_data_ready(&smc->sk);
+ smc->inet.sk.sk_data_ready(&smc->inet.sk);
}
} else {
smc_wr_tx_put_slot(conn->lnk,
@@ -1072,23 +1072,23 @@ struct smc_link *smc_switch_conns(struct smc_link_group *lgr,
continue;
smc = container_of(conn, struct smc_sock, conn);
/* conn->lnk not yet set in SMC_INIT state */
- if (smc->sk.sk_state == SMC_INIT)
+ if (smc->inet.sk.sk_state == SMC_INIT)
continue;
- if (smc->sk.sk_state == SMC_CLOSED ||
- smc->sk.sk_state == SMC_PEERCLOSEWAIT1 ||
- smc->sk.sk_state == SMC_PEERCLOSEWAIT2 ||
- smc->sk.sk_state == SMC_APPFINCLOSEWAIT ||
- smc->sk.sk_state == SMC_APPCLOSEWAIT1 ||
- smc->sk.sk_state == SMC_APPCLOSEWAIT2 ||
- smc->sk.sk_state == SMC_PEERFINCLOSEWAIT ||
- smc->sk.sk_state == SMC_PEERABORTWAIT ||
- smc->sk.sk_state == SMC_PROCESSABORT) {
+ if (smc->inet.sk.sk_state == SMC_CLOSED ||
+ smc->inet.sk.sk_state == SMC_PEERCLOSEWAIT1 ||
+ smc->inet.sk.sk_state == SMC_PEERCLOSEWAIT2 ||
+ smc->inet.sk.sk_state == SMC_APPFINCLOSEWAIT ||
+ smc->inet.sk.sk_state == SMC_APPCLOSEWAIT1 ||
+ smc->inet.sk.sk_state == SMC_APPCLOSEWAIT2 ||
+ smc->inet.sk.sk_state == SMC_PEERFINCLOSEWAIT ||
+ smc->inet.sk.sk_state == SMC_PEERABORTWAIT ||
+ smc->inet.sk.sk_state == SMC_PROCESSABORT) {
spin_lock_bh(&conn->send_lock);
smc_switch_link_and_count(conn, to_lnk);
spin_unlock_bh(&conn->send_lock);
continue;
}
- sock_hold(&smc->sk);
+ sock_hold(&smc->inet.sk);
read_unlock_bh(&lgr->conns_lock);
/* pre-fetch buffer outside of send_lock, might sleep */
rc = smc_cdc_get_free_slot(conn, to_lnk, &wr_buf, NULL, &pend);
@@ -1099,7 +1099,7 @@ struct smc_link *smc_switch_conns(struct smc_link_group *lgr,
smc_switch_link_and_count(conn, to_lnk);
rc = smc_switch_cursor(smc, pend, wr_buf);
spin_unlock_bh(&conn->send_lock);
- sock_put(&smc->sk);
+ sock_put(&smc->inet.sk);
if (rc)
goto err_out;
goto again;
@@ -1442,9 +1442,9 @@ void smc_lgr_put(struct smc_link_group *lgr)

static void smc_sk_wake_ups(struct smc_sock *smc)
{
- smc->sk.sk_write_space(&smc->sk);
- smc->sk.sk_data_ready(&smc->sk);
- smc->sk.sk_state_change(&smc->sk);
+ smc->inet.sk.sk_write_space(&smc->inet.sk);
+ smc->inet.sk.sk_data_ready(&smc->inet.sk);
+ smc->inet.sk.sk_state_change(&smc->inet.sk);
}

/* kill a connection */
@@ -1457,7 +1457,7 @@ static void smc_conn_kill(struct smc_connection *conn, bool soft)
else
smc_close_abort(conn);
conn->killed = 1;
- smc->sk.sk_err = ECONNABORTED;
+ smc->inet.sk.sk_err = ECONNABORTED;
smc_sk_wake_ups(smc);
if (conn->lgr->is_smcd) {
smc_ism_unset_conn(conn);
@@ -1511,11 +1511,11 @@ static void __smc_lgr_terminate(struct smc_link_group *lgr, bool soft)
read_unlock_bh(&lgr->conns_lock);
conn = rb_entry(node, struct smc_connection, alert_node);
smc = container_of(conn, struct smc_sock, conn);
- sock_hold(&smc->sk); /* sock_put below */
- lock_sock(&smc->sk);
+ sock_hold(&smc->inet.sk); /* sock_put below */
+ lock_sock(&smc->inet.sk);
smc_conn_kill(conn, soft);
- release_sock(&smc->sk);
- sock_put(&smc->sk); /* sock_hold above */
+ release_sock(&smc->inet.sk);
+ sock_put(&smc->inet.sk); /* sock_hold above */
read_lock_bh(&lgr->conns_lock);
node = rb_first(&lgr->conns_all);
}
@@ -1684,10 +1684,10 @@ static void smc_conn_abort_work(struct work_struct *work)
abort_work);
struct smc_sock *smc = container_of(conn, struct smc_sock, conn);

- lock_sock(&smc->sk);
+ lock_sock(&smc->inet.sk);
smc_conn_kill(conn, true);
- release_sock(&smc->sk);
- sock_put(&smc->sk); /* sock_hold done by schedulers of abort_work */
+ release_sock(&smc->inet.sk);
+ sock_put(&smc->inet.sk); /* sock_hold done by schedulers of abort_work */
}

void smcr_port_add(struct smc_ib_device *smcibdev, u8 ibport)
@@ -1910,7 +1910,7 @@ static bool smcd_lgr_match(struct smc_link_group *lgr,
int smc_conn_create(struct smc_sock *smc, struct smc_init_info *ini)
{
struct smc_connection *conn = &smc->conn;
- struct net *net = sock_net(&smc->sk);
+ struct net *net = sock_net(&smc->inet.sk);
struct list_head *lgr_list;
struct smc_link_group *lgr;
enum smc_lgr_role role;
@@ -2370,10 +2370,10 @@ static int __smc_buf_create(struct smc_sock *smc, bool is_smcd, bool is_rmb)

if (is_rmb)
/* use socket recv buffer size (w/o overhead) as start value */
- bufsize = smc->sk.sk_rcvbuf / 2;
+ bufsize = smc->inet.sk.sk_rcvbuf / 2;
else
/* use socket send buffer size (w/o overhead) as start value */
- bufsize = smc->sk.sk_sndbuf / 2;
+ bufsize = smc->inet.sk.sk_sndbuf / 2;

for (bufsize_comp = smc_compress_bufsize(bufsize, is_smcd, is_rmb);
bufsize_comp >= 0; bufsize_comp--) {
@@ -2432,7 +2432,7 @@ static int __smc_buf_create(struct smc_sock *smc, bool is_smcd, bool is_rmb)
if (is_rmb) {
conn->rmb_desc = buf_desc;
conn->rmbe_size_comp = bufsize_comp;
- smc->sk.sk_rcvbuf = bufsize * 2;
+ smc->inet.sk.sk_rcvbuf = bufsize * 2;
atomic_set(&conn->bytes_to_rcv, 0);
conn->rmbe_update_limit =
smc_rmb_wnd_update_limit(buf_desc->len);
@@ -2440,7 +2440,7 @@ static int __smc_buf_create(struct smc_sock *smc, bool is_smcd, bool is_rmb)
smc_ism_set_conn(conn); /* map RMB/smcd_dev to conn */
} else {
conn->sndbuf_desc = buf_desc;
- smc->sk.sk_sndbuf = bufsize * 2;
+ smc->inet.sk.sk_sndbuf = bufsize * 2;
atomic_set(&conn->sndbuf_space, bufsize);
}
return 0;
@@ -2525,7 +2525,7 @@ int smcd_buf_attach(struct smc_sock *smc)
if (rc)
goto free;

- smc->sk.sk_sndbuf = buf_desc->len;
+ smc->inet.sk.sk_sndbuf = buf_desc->len;
buf_desc->cpu_addr =
(u8 *)buf_desc->cpu_addr + sizeof(struct smcd_cdc_msg);
buf_desc->len -= sizeof(struct smcd_cdc_msg);
diff --git a/net/smc/smc_rx.c b/net/smc/smc_rx.c
index f0cbe77a80b4..f713d3180d67 100644
--- a/net/smc/smc_rx.c
+++ b/net/smc/smc_rx.c
@@ -60,7 +60,7 @@ static int smc_rx_update_consumer(struct smc_sock *smc,
union smc_host_cursor cons, size_t len)
{
struct smc_connection *conn = &smc->conn;
- struct sock *sk = &smc->sk;
+ struct sock *sk = &smc->inet.sk;
bool force = false;
int diff, rc = 0;

@@ -117,7 +117,7 @@ static void smc_rx_pipe_buf_release(struct pipe_inode_info *pipe,
struct smc_spd_priv *priv = (struct smc_spd_priv *)buf->private;
struct smc_sock *smc = priv->smc;
struct smc_connection *conn;
- struct sock *sk = &smc->sk;
+ struct sock *sk = &smc->inet.sk;

if (sk->sk_state == SMC_CLOSED ||
sk->sk_state == SMC_PEERFINCLOSEWAIT ||
@@ -211,7 +211,7 @@ static int smc_rx_splice(struct pipe_inode_info *pipe, char *src, size_t len,

bytes = splice_to_pipe(pipe, &spd);
if (bytes > 0) {
- sock_hold(&smc->sk);
+ sock_hold(&smc->inet.sk);
if (!lgr->is_smcd && smc->conn.rmb_desc->is_vm) {
for (i = 0; i < PAGE_ALIGN(bytes + offset) / PAGE_SIZE; i++)
get_page(pages[i]);
@@ -259,7 +259,7 @@ int smc_rx_wait(struct smc_sock *smc, long *timeo,
struct smc_connection *conn = &smc->conn;
struct smc_cdc_conn_state_flags *cflags =
&conn->local_tx_ctrl.conn_state_flags;
- struct sock *sk = &smc->sk;
+ struct sock *sk = &smc->inet.sk;
int rc;

if (fcrit(conn))
@@ -283,7 +283,7 @@ static int smc_rx_recv_urg(struct smc_sock *smc, struct msghdr *msg, int len,
{
struct smc_connection *conn = &smc->conn;
union smc_host_cursor cons;
- struct sock *sk = &smc->sk;
+ struct sock *sk = &smc->inet.sk;
int rc = 0;

if (sock_flag(sk, SOCK_URGINLINE) ||
@@ -360,7 +360,7 @@ int smc_rx_recvmsg(struct smc_sock *smc, struct msghdr *msg,
if (unlikely(flags & MSG_ERRQUEUE))
return -EINVAL; /* future work for sk.sk_family == AF_SMC */

- sk = &smc->sk;
+ sk = &smc->inet.sk;
if (sk->sk_state == SMC_LISTEN)
return -ENOTCONN;
if (flags & MSG_OOB)
@@ -449,7 +449,7 @@ int smc_rx_recvmsg(struct smc_sock *smc, struct msghdr *msg,
if (splbytes)
smc_curs_add(conn->rmb_desc->len, &cons, splbytes);
if (conn->urg_state == SMC_URG_VALID &&
- sock_flag(&smc->sk, SOCK_URGINLINE) &&
+ sock_flag(&smc->inet.sk, SOCK_URGINLINE) &&
readable > 1)
readable--; /* always stop at urgent Byte */
/* not more than what user space asked for */
@@ -509,7 +509,7 @@ int smc_rx_recvmsg(struct smc_sock *smc, struct msghdr *msg,
/* Initialize receive properties on connection establishment. NB: not __init! */
void smc_rx_init(struct smc_sock *smc)
{
- smc->sk.sk_data_ready = smc_rx_wake_up;
+ smc->inet.sk.sk_data_ready = smc_rx_wake_up;
atomic_set(&smc->conn.splice_pending, 0);
smc->conn.urg_state = SMC_URG_READ;
}
diff --git a/net/smc/smc_stats.h b/net/smc/smc_stats.h
index e19177ce4092..baaac41a8974 100644
--- a/net/smc/smc_stats.h
+++ b/net/smc/smc_stats.h
@@ -108,7 +108,7 @@ while (0)
#define SMC_STAT_TX_PAYLOAD(_smc, length, rcode) \
do { \
typeof(_smc) __smc = _smc; \
- struct net *_net = sock_net(&__smc->sk); \
+ struct net *_net = sock_net(&__smc->inet.sk); \
struct smc_stats __percpu *_smc_stats = _net->smc.smc_stats; \
typeof(length) _len = (length); \
typeof(rcode) _rc = (rcode); \
@@ -123,7 +123,7 @@ while (0)
#define SMC_STAT_RX_PAYLOAD(_smc, length, rcode) \
do { \
typeof(_smc) __smc = _smc; \
- struct net *_net = sock_net(&__smc->sk); \
+ struct net *_net = sock_net(&__smc->inet.sk); \
struct smc_stats __percpu *_smc_stats = _net->smc.smc_stats; \
typeof(length) _len = (length); \
typeof(rcode) _rc = (rcode); \
@@ -154,7 +154,7 @@ while (0)

#define SMC_STAT_RMB_SIZE(_smc, _is_smcd, _is_rx, _len) \
do { \
- struct net *_net = sock_net(&(_smc)->sk); \
+ struct net *_net = sock_net(&(_smc)->inet.sk); \
struct smc_stats __percpu *_smc_stats = _net->smc.smc_stats; \
typeof(_is_smcd) is_d = (_is_smcd); \
typeof(_is_rx) is_r = (_is_rx); \
@@ -172,7 +172,7 @@ while (0)

#define SMC_STAT_RMB(_smc, type, _is_smcd, _is_rx) \
do { \
- struct net *net = sock_net(&(_smc)->sk); \
+ struct net *net = sock_net(&(_smc)->inet.sk); \
struct smc_stats __percpu *_smc_stats = net->smc.smc_stats; \
typeof(_is_smcd) is_d = (_is_smcd); \
typeof(_is_rx) is_r = (_is_rx); \
@@ -218,7 +218,7 @@ while (0)
do { \
typeof(_smc) __smc = _smc; \
bool is_smcd = !(__smc)->conn.lnk; \
- struct net *net = sock_net(&(__smc)->sk); \
+ struct net *net = sock_net(&(__smc)->inet.sk); \
struct smc_stats __percpu *smc_stats = net->smc.smc_stats; \
if ((is_smcd)) \
this_cpu_inc(smc_stats->smc[SMC_TYPE_D].type); \
diff --git a/net/smc/smc_tracepoint.h b/net/smc/smc_tracepoint.h
index a9a6e3c1113a..243fb8647cfe 100644
--- a/net/smc/smc_tracepoint.h
+++ b/net/smc/smc_tracepoint.h
@@ -27,7 +27,7 @@ TRACE_EVENT(smc_switch_to_fallback,
),

TP_fast_assign(
- const struct sock *sk = &smc->sk;
+ const struct sock *sk = &smc->inet.sk;
const struct sock *clcsk = smc->clcsock->sk;

__entry->sk = sk;
@@ -55,7 +55,7 @@ DECLARE_EVENT_CLASS(smc_msg_event,
),

TP_fast_assign(
- const struct sock *sk = &smc->sk;
+ const struct sock *sk = &smc->inet.sk;

__entry->smc = smc;
__entry->net_cookie = sock_net(sk)->net_cookie;
diff --git a/net/smc/smc_tx.c b/net/smc/smc_tx.c
index 214ac3cbcf9a..29e780aee677 100644
--- a/net/smc/smc_tx.c
+++ b/net/smc/smc_tx.c
@@ -66,9 +66,9 @@ static void smc_tx_write_space(struct sock *sk)
*/
void smc_tx_sndbuf_nonfull(struct smc_sock *smc)
{
- if (smc->sk.sk_socket &&
- test_bit(SOCK_NOSPACE, &smc->sk.sk_socket->flags))
- smc->sk.sk_write_space(&smc->sk);
+ if (smc->inet.sk.sk_socket &&
+ test_bit(SOCK_NOSPACE, &smc->inet.sk.sk_socket->flags))
+ smc->inet.sk.sk_write_space(&smc->inet.sk);
}

/* blocks sndbuf producer until at least one byte of free space available
@@ -78,7 +78,7 @@ static int smc_tx_wait(struct smc_sock *smc, int flags)
{
DEFINE_WAIT_FUNC(wait, woken_wake_function);
struct smc_connection *conn = &smc->conn;
- struct sock *sk = &smc->sk;
+ struct sock *sk = &smc->inet.sk;
long timeo;
int rc = 0;

@@ -148,7 +148,7 @@ static bool smc_should_autocork(struct smc_sock *smc)
int corking_size;

corking_size = min_t(unsigned int, conn->sndbuf_desc->len >> 1,
- sock_net(&smc->sk)->smc.sysctl_autocorking_size);
+ sock_net(&smc->inet.sk)->smc.sysctl_autocorking_size);

if (atomic_read(&conn->cdc_pend_tx_wr) == 0 ||
smc_tx_prepared_sends(conn) > corking_size)
@@ -184,7 +184,7 @@ int smc_tx_sendmsg(struct smc_sock *smc, struct msghdr *msg, size_t len)
size_t chunk_len, chunk_off, chunk_len_sum;
struct smc_connection *conn = &smc->conn;
union smc_host_cursor prep;
- struct sock *sk = &smc->sk;
+ struct sock *sk = &smc->inet.sk;
char *sndbuf_base;
int tx_cnt_prep;
int writespace;
@@ -211,8 +211,8 @@ int smc_tx_sendmsg(struct smc_sock *smc, struct msghdr *msg, size_t len)
SMC_STAT_INC(smc, urg_data_cnt);

while (msg_data_left(msg)) {
- if (smc->sk.sk_shutdown & SEND_SHUTDOWN ||
- (smc->sk.sk_err == ECONNABORTED) ||
+ if (smc->inet.sk.sk_shutdown & SEND_SHUTDOWN ||
+ (smc->inet.sk.sk_err == ECONNABORTED) ||
conn->killed)
return -EPIPE;
if (smc_cdc_rxed_any_close(conn))
@@ -562,8 +562,8 @@ static int smcr_tx_sndbuf_nonempty(struct smc_connection *conn)
struct smc_sock *smc =
container_of(conn, struct smc_sock, conn);

- if (smc->sk.sk_err == ECONNABORTED)
- return sock_error(&smc->sk);
+ if (smc->inet.sk.sk_err == ECONNABORTED)
+ return sock_error(&smc->inet.sk);
if (conn->killed)
return -EPIPE;
rc = 0;
@@ -664,7 +664,7 @@ void smc_tx_pending(struct smc_connection *conn)
struct smc_sock *smc = container_of(conn, struct smc_sock, conn);
int rc;

- if (smc->sk.sk_err)
+ if (smc->inet.sk.sk_err)
return;

rc = smc_tx_sndbuf_nonempty(conn);
@@ -684,9 +684,9 @@ void smc_tx_work(struct work_struct *work)
tx_work);
struct smc_sock *smc = container_of(conn, struct smc_sock, conn);

- lock_sock(&smc->sk);
+ lock_sock(&smc->inet.sk);
smc_tx_pending(conn);
- release_sock(&smc->sk);
+ release_sock(&smc->inet.sk);
}

void smc_tx_consumer_update(struct smc_connection *conn, bool force)
@@ -730,5 +730,5 @@ void smc_tx_consumer_update(struct smc_connection *conn, bool force)
/* Initialize send properties on connection establishment. NB: not __init! */
void smc_tx_init(struct smc_sock *smc)
{
- smc->sk.sk_write_space = smc_tx_write_space;
+ smc->inet.sk.sk_write_space = smc_tx_write_space;
}
--

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in smc_diag_dump_proto

Oops: general protection fault, probably for non-canonical address 0xfbd5a5d5a0000003: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: maybe wild-memory-access in range [0xdead4ead00000018-0xdead4ead0000001f]
CPU: 0 UID: 0 PID: 6342 Comm: syz.0.53 Not tainted 6.11.0-syzkaller-07337-g2004cef11ea0-dirty #0

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
RIP: 0010:smc_diag_msg_common_fill net/smc/smc_diag.c:44 [inline]
RIP: 0010:__smc_diag_dump net/smc/smc_diag.c:89 [inline]
RIP: 0010:smc_diag_dump_proto+0x6d9/0x3270 net/smc/smc_diag.c:217

Code: 80 3c 2c 00 74 08 48 89 df e8 e3 0e 96 f6 48 89 5c 24 30 48 8b 1b 48 85 db 0f 84 2d 02 00 00 48 83 c3 18 48 89 d8 48 c1 e8 03 <42> 80 3c 28 00 74 08 48 89 df e8 b8 0e 96 f6 48 8b 44 24 28 4c 8d
RSP: 0018:ffffc90002f2eb00 EFLAGS: 00010a06
RAX: 1bd5a9d5a0000003 RBX: dead4ead00000018 RCX: ffff8880205c1e00

RDX: 0000000000000000 RSI: 0000000080000001 RDI: 0000000000000000

RBP: ffffc90002f2ef90 R08: ffffffff8999ab82 R09: 1ffff1100fa0900b
R10: dffffc0000000000 R11: ffffed100fa0900c R12: 1ffff1100fa090c5
R13: dffffc0000000000 R14: ffff88807d048000 R15: ffff888022a68010
FS: 00007f5b5848e6c0(0000) GS:ffff8880b9200000(0000) knlGS:0000000000000000

CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033

CR2: 00007f5b5848dfa8 CR3: 00000000279b8000 CR4: 00000000003506f0

RIP: 0033:0x7f5b57775f19

Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48

RSP: 002b:00007f5b5848e048 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
RAX: ffffffffffffffda RBX: 00007f5b57906038 RCX: 00007f5b57775f19

RDX: 0000000000000005 RSI: 0000000000000000 RDI: 0000000000000003

RBP: 00007f5b577e4e68 R08: 0000000080000001 R09: 0000000000000000

R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000

R13: 000000000000006e R14: 00007f5b57906038 R15: 00007ffdbb5552f8

</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:smc_diag_msg_common_fill net/smc/smc_diag.c:44 [inline]
RIP: 0010:__smc_diag_dump net/smc/smc_diag.c:89 [inline]
RIP: 0010:smc_diag_dump_proto+0x6d9/0x3270 net/smc/smc_diag.c:217

Code: 80 3c 2c 00 74 08 48 89 df e8 e3 0e 96 f6 48 89 5c 24 30 48 8b 1b 48 85 db 0f 84 2d 02 00 00 48 83 c3 18 48 89 d8 48 c1 e8 03 <42> 80 3c 28 00 74 08 48 89 df e8 b8 0e 96 f6 48 8b 44 24 28 4c 8d
RSP: 0018:ffffc90002f2eb00 EFLAGS: 00010a06
RAX: 1bd5a9d5a0000003 RBX: dead4ead00000018 RCX: ffff8880205c1e00

RDX: 0000000000000000 RSI: 0000000080000001 RDI: 0000000000000000

RBP: ffffc90002f2ef90 R08: ffffffff8999ab82 R09: 1ffff1100fa0900b
R10: dffffc0000000000 R11: ffffed100fa0900c R12: 1ffff1100fa090c5
R13: dffffc0000000000 R14: ffff88807d048000 R15: ffff888022a68010
FS: 00007f5b5848e6c0(0000) GS:ffff8880b9200000(0000) knlGS:0000000000000000

CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033

CR2: 00007f5b5848dfa8 CR3: 00000000279b8000 CR4: 00000000003506f0

DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 80 3c 2c 00 cmpb $0x0,(%rsp,%rbp,1)
4: 74 08 je 0xe
6: 48 89 df mov %rbx,%rdi

9: e8 e3 0e 96 f6 call 0xf6960ef1

e: 48 89 5c 24 30 mov %rbx,0x30(%rsp)
13: 48 8b 1b mov (%rbx),%rbx
16: 48 85 db test %rbx,%rbx
19: 0f 84 2d 02 00 00 je 0x24c
1f: 48 83 c3 18 add $0x18,%rbx
23: 48 89 d8 mov %rbx,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 42 80 3c 28 00 cmpb $0x0,(%rax,%r13,1) <-- trapping instruction
2f: 74 08 je 0x39
31: 48 89 df mov %rbx,%rdi

34: e8 b8 0e 96 f6 call 0xf6960ef1

39: 48 8b 44 24 28 mov 0x28(%rsp),%rax
3e: 4c rex.WR
3f: 8d .byte 0x8d


Tested on:

commit: 2004cef1 Merge tag 'sched-core-2024-09-19' of git://gi..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1228b69f980000
kernel config: https://syzkaller.appspot.com/x/.config?x=45ec9bead13b378d

dashboard link: https://syzkaller.appspot.com/bug?extid=f69bfae0a4eb29976e44
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

patch: https://syzkaller.appspot.com/x/patch.diff?x=114ba607980000