Re: [PATCH] net/smc: fix NULL pointer dereference in smc_tcp_syn_recv_sock

Next message: Philipp Zabel: "Re: [PATCH] drm/imx: parallel-display: add DRM_DISPLAY_HELPER for DRM_IMX_PARALLEL_DISPLAY"
Previous message: Qais Yousef: "Re: [PATCH v1] sched: idle: Consolidate the handling of two special cases"
In reply to: bsdhenrymartin: "[PATCH] net/smc: fix NULL pointer dereference in smc_tcp_syn_recv_sock"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Eric Dumazet

Date: Fri Mar 13 2026 - 11:39:37 EST

On Fri, Mar 13, 2026 at 4:16 PM <bsdhenrymartin@xxxxxxxxx> wrote:
>
> From: Henry Martin <bsdhenrymartin@xxxxxxxxx>
>
> smc_tcp_syn_recv_sock() gets the SMC listener through
> smc_clcsock_user_data(sk), but then dereferences it unconditionally.
>
> During concurrent teardown, sk_user_data can already be cleared while the
> hooked syn_recv_sock path is still reached, leaving smc as NULL. This
> causes a NULL pointer dereference at atomic_read(&smc->queued_smc_hs).

https://lkml.org/lkml/2026/3/11/173