On 17.12.25 16:25, Dust Li wrote:
On 2025-12-17 12:48:19, Alexandra Winter wrote:
During initialisation of the SMC module initialize smc_v4/6_hashinfo before calling smc_nl_init(), proto_register() or sock_register(), to avoid a race that can cause use of an uninitialised pointer in case an smc protocol is called before the module is done initialising.
syzbot report:
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
Call Trace:
<TASK>
smc_diag_dump+0x59/0xa0 net/smc/smc_diag.c:236
netlink_dump+0x647/0xd80 net/netlink/af_netlink.c:2325
__netlink_dump_start+0x59f/0x780 net/netlink/af_netlink.c:2440
netlink_dump_start include/linux/netlink.h:339 [inline]
smc_diag_handler_dump+0x1ab/0x250 net/smc/smc_diag.c:251
sock_diag_rcv_msg+0x3dc/0x5f0
netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2550
netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]
netlink_unicast+0x7f0/0x990 net/netlink/af_netlink.c:1357
netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1901
I don't think this is related to smc_nl_init().
Here the calltrace is smc_diag_dump(), which was registered in sock_diag_register(&smc_diag_handler).
But smc_nl_init() is registering the general netlink in SMC, which is unrelated to smc_diag_dump().
I had assumed some dependency between the smc netlink diag socket and smc_nl_init() and wrongly assumed that smc_diag_init() and smc_init() could race. I now understand that modprobe will ensure smc_diag_init() is called before smc_init(), so you are right: this patch is indeed NOT a fix for this syzbot report [1].
I think the root cause should be related to the initializing between smc_diag.ko and smc_v4/6_hashinfo.ht.
Given modprobe initializes the modules sequentially, I do not see how these could race.
I guess this syzbot report was fixed by f584239a9ed2 ("net/smc: fix general protection fault in __smc_diag_dump") as reported in [2].
I'm not sure about the correct procedure; if nobody recommends a better action, I'll send a
#syz dup: general protection fault in __smc_diag_dump to syzbot+f69bfae0a4eb29976e44@syzkaller.appspotmail.com (this one: general protection fault in smc_diag_dump_proto [1])
I still think initializing the hashtables before smc_nl_init() makes sense. I'll resend this patch without mentioning syzbot.
-----
[1] https://syzkaller.appspot.com/bug?extid=f69bfae0a4eb29976e44
[2] https://syzkaller.appspot.com/bug?extid=f775be4458668f7d220e