Jeongjun Park wrote:
>
> Since smc_inet6_prot does not initialize ipv6_pinfo_offset, inet6_create()
> copies an incorrect address value, sk + 0 (offset), to inet_sk(sk)->pinet6.
>
> To solve this, you need to create a smc6_sock struct and add code to
> smc_inet6_prot to initialize ipv6_pinfo_offset.
>
> Reported-by: syzkaller <syzkaller@xxxxxxxxxxxxxxxx>
> Fixes: d25a92ccae6b ("net/smc: Introduce IPPROTO_SMC")
> Signed-off-by: Jeongjun Park <aha310510@xxxxxxxxx>
> ---
> net/smc/smc_inet.c | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/net/smc/smc_inet.c b/net/smc/smc_inet.c
> index bece346dd8e9..26587a1b8c56 100644
> --- a/net/smc/smc_inet.c
> +++ b/net/smc/smc_inet.c
> @@ -60,6 +60,11 @@ static struct inet_protosw smc_inet_protosw = {
> };
>
> #if IS_ENABLED(CONFIG_IPV6)
> +struct smc6_sock {
> + struct smc_sock smc;
> + struct ipv6_pinfo inet6;
> +};
> +
> static struct proto smc_inet6_prot = {
> .name = "INET6_SMC",
> .owner = THIS_MODULE,
> @@ -67,9 +72,10 @@ static struct proto smc_inet6_prot = {
> .hash = smc_hash_sk,
> .unhash = smc_unhash_sk,
> .release_cb = smc_release_cb,
> - .obj_size = sizeof(struct smc_sock),
> + .obj_size = sizeof(struct smc6_sock),
> .h.smc_hash = &smc_v6_hashinfo,
> .slab_flags = SLAB_TYPESAFE_BY_RCU,
> + .ipv6_pinfo_offset = offsetof(struct smc6_sock, inet6);
> };
Oh, I didn't check for typos properly. I'll fix the typos and send you
a new patch tomorrow.
>
> static const struct proto_ops smc_inet6_stream_ops = {
> --
