Jeongjun Park wrote:
>
> Since smc_inet6_prot does not initialize ipv6_pinfo_offset, inet6_create()
> copies an incorrect address value, sk + 0 (offset), to inet_sk(sk)->pinet6.
>
> To solve this, you need to create a smc6_sock struct and add code to
> smc_inet6_prot to initialize ipv6_pinfo_offset.
>
> Reported-by: syzkaller <syzkaller@xxxxxxxxxxxxxxxx>
> Fixes: d25a92ccae6b ("net/smc: Introduce IPPROTO_SMC")
> Signed-off-by: Jeongjun Park <aha310510@xxxxxxxxx>
> ---
> net/smc/smc_inet.c | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/net/smc/smc_inet.c b/net/smc/smc_inet.c
> index bece346dd8e9..26587a1b8c56 100644
> --- a/net/smc/smc_inet.c
> +++ b/net/smc/smc_inet.c
> @@ -60,6 +60,11 @@ static struct inet_protosw smc_inet_protosw = {
> };
>
> #if IS_ENABLED(CONFIG_IPV6)
> +struct smc6_sock {
> + struct smc_sock smc;
> + struct ipv6_pinfo inet6;
> +};
> +
> static struct proto smc_inet6_prot = {
> .name = "INET6_SMC",
> .owner = THIS_MODULE,
> @@ -67,9 +72,10 @@ static struct proto smc_inet6_prot = {
> .hash = smc_hash_sk,
> .unhash = smc_unhash_sk,
> .release_cb = smc_release_cb,
> - .obj_size = sizeof(struct smc_sock),
> + .obj_size = sizeof(struct smc6_sock),
> .h.smc_hash = &smc_v6_hashinfo,
> .slab_flags = SLAB_TYPESAFE_BY_RCU,
> + .ipv6_pinfo_offset = offsetof(struct smc6_sock, inet6);
> };
Oh, I didn't check for typos properly. I'll fix the typos and send you a new patch tomorrow.
>
> static const struct proto_ops smc_inet6_stream_ops = {
> --
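Review bot: The new `struct smc6_sock` in the first hunk carries no comment explaining why `struct ipv6_pinfo` is embedded after `struct smc_sock`, even though the fix depends on `.obj_size` and `.ipv6_pinfo_offset` in the second hunk both being derived from that single layout. A short comment above the definition would make the invariant visible to the next editor, e.g. `/* IPv6 SMC socket: inet6 must live inside the slab object so that inet_sk(sk)->pinet6 (set from ipv6_pinfo_offset) points at valid memory; keep obj_size and ipv6_pinfo_offset in sync with this layout. */`. As the commit message notes, before this change pinet6 was computed as sk + 0, so writes through it aliased the start of the smc_sock itself; changing either field in future without the other would silently reintroduce that out-of-bounds aliasing, which is worth stating at the point of definition rather than only in the commit log.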