net/smc: fix kernel panic caused by race of smc_sock
A crash occurs when smc_cdc_tx_handler() tries to access smc_sock but smc_release() has already freed it.

[ 4570.695099] BUG: unable to handle page fault for address: 000000002eae9e88
[ 4570.696048] #PF: supervisor write access in kernel mode
[ 4570.696728] #PF: error_code(0x0002) - not-present page
[ 4570.697401] PGD 0 P4D 0
[ 4570.697716] Oops: 0002 [#1] PREEMPT SMP NOPTI
[ 4570.698228] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.16.0-rc4+ #111
[ 4570.699013] Hardware name: Alibaba Cloud Alibaba Cloud ECS, BIOS 8c24b4c 04/0
[ 4570.699933] RIP: 0010:_raw_spin_lock+0x1a/0x30
<...>
[ 4570.711446] Call Trace:
[ 4570.711746] <IRQ>
[ 4570.711992] smc_cdc_tx_handler+0x41/0xc0
[ 4570.712470] smc_wr_tx_tasklet_fn+0x213/0x560
[ 4570.712981] ? smc_cdc_tx_dismisser+0x10/0x10
[ 4570.713489] tasklet_action_common.isra.17+0x66/0x140
[ 4570.714083] __do_softirq+0x123/0x2f4
[ 4570.714521] irq_exit_rcu+0xc4/0xf0
[ 4570.714934] common_interrupt+0xba/0xe0

Thoug...
Showing
- net/smc/smc.h: 5 additions, 0 deletions
- net/smc/smc_cdc.c: 24 additions, 28 deletions
- net/smc/smc_cdc.h: 1 addition, 1 deletion
- net/smc/smc_core.c: 20 additions, 5 deletions
- net/smc/smc_ib.c: 2 additions, 2 deletions
- net/smc/smc_ib.h: 1 addition, 0 deletions
- net/smc/smc_wr.c: 3 additions, 38 deletions
- net/smc/smc_wr.h: 1 addition, 2 deletions