Memory safety: NULL pointer dereference
Description
The flaw occurs in net/smc/smc_clc_wait_msg where, during an early handshake, a CLC decline with FIRST_CONTACT could be processed without guaranteeing that a link-group context (smc->conn.lgr) exists. The existing code path could dereference smc->conn.lgr when it is NULL, causing a NULL pointer dereference (memory safety crash). The patch adds a guard to ensure smc->conn.lgr is non-NULL before touching lgr state (sync_err and termination), fixing the NULL pointer dereference vulnerability.
Commit Details
Author: Ruijie Li
Date: 2026-04-22 15:40 UTC
Message:
net/smc: avoid early lgr access in smc_clc_wait_msg
A CLC decline can be received while the handshake is still in an early
stage, before the connection has been associated with a link group.
The decline handling in smc_clc_wait_msg() updates link-group level sync
state for first-contact declines, but that state only exists after link
group setup has completed. Guard the link-group update accordingly and
keep the per-socket peer diagnosis handling unchanged.
This preserves the existing sync_err handling for established link-group
contexts and avoids touching link-group state before it is available.
Fixes: 0cfdd8f92cac ("smc: connection and link group creation")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Ruijie Li <ruijieli51@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Reviewed-by: Dust Li <dust.li@linux.alibaba.com>
Link: https://patch.msgid.link/08c68a5c817acf198cce63d22517e232e8d60718.1776850759.git.ruijieli51@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Triage Assessment
Vulnerability Type: Memory safety: NULL pointer dereference
Confidence: HIGH
Reasoning:
The patch guards against touching the link-group state (smc->conn.lgr) during an early handshake when the link-group may not yet be established. The previous code could dereference a NULL or uninitialized lgr, leading to a crash or memory safety issue. By ensuring lgr exists before updating sync_err, it fixes a memory-safety issue (NULL pointer dereference) that could be exploited via a crash or instability, which has security implications.
Verification Assessment
Vulnerability Type: Memory safety: NULL pointer dereference
Confidence: HIGH
Affected Versions: v7.0-rc5 and earlier (i.e., before this commit in the 7.0-rc series)
Code Diff
diff --git a/net/smc/smc_clc.c b/net/smc/smc_clc.c
index c38fc7bf0a7efb..014d527d5462db 100644
--- a/net/smc/smc_clc.c
+++ b/net/smc/smc_clc.c
@@ -788,8 +788,8 @@ int smc_clc_wait_msg(struct smc_sock *smc, void *buf, int buflen,
dclc = (struct smc_clc_msg_decline *)clcm;
reason_code = SMC_CLC_DECL_PEERDECL;
smc->peer_diagnosis = ntohl(dclc->peer_diagnosis);
- if (((struct smc_clc_msg_decline *)buf)->hdr.typev2 &
- SMC_FIRST_CONTACT_MASK) {
+ if ((dclc->hdr.typev2 & SMC_FIRST_CONTACT_MASK) &&
+ smc->conn.lgr) {
smc->conn.lgr->sync_err = 1;
smc_lgr_terminate_sched(smc->conn.lgr);
}