The Linux kernel has a vulnerability in the SMC (Shared Memory Communications) protocol, specifically in the `smc_cdc_tx_handler()` function. This function can cause a kernel panic when it accesses the `smc_sock` structure after `smc_release()` has freed it. The race occurs because `smc_cdc_tx_handler()` only checks that an SMC connection exists, while `smc_release()` may already have dismissed and released the socket by the time `smc_cdc_tx_handler()` dereferences it.

To fix this issue, a reference count was added to the `smc_connection` structure to track in-flight CDC messages. This ensures that the `smc_sock` is not released until all pending CDC messages have completed or failed. Additionally, the IB (InfiniBand) device removal routine was changed to wait for all QPs (Queue Pairs) on a device to be destroyed before destroying the CQs (Completion Queues) on that device.

This vulnerability was introduced in Linux kernel version 4.11 and fixed in versions 5.10.90, 5.15.13, and 5.16. The affected files are `net/smc/*`. The recommended mitigation is to update to the latest stable kernel version. Individual patches can be found at the specified commits if updating to the latest release is not possible.
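The reference-counting idea behind the fix, as an added single-threaded C model that is neither kernel code nor the actual patch: `struct conn`, `pend_tx`, `cdc_tx_post()`, `cdc_tx_handler()` and `smc_release_model()` are invented stand-ins, and deferring the free to the last completing handler stands in for the kernel waiting on the counter. It shows why the socket stays valid inside the completion handler once every posted message holds a reference.

```c
#include <stdatomic.h>
#include <stdlib.h>

/* Stand-in for smc_connection/smc_sock (constructed model, not kernel code). */
struct conn {
    atomic_int pend_tx;      /* in-flight CDC messages: the counter the fix adds */
    int release_requested;   /* release ran while messages were still in flight */
    int *sock;               /* stand-in for the smc_sock data the handler touches */
};

static int g_freed;          /* number of conn_free() calls, to observe lifetime */

static struct conn *conn_new(int payload) {
    struct conn *c = calloc(1, sizeof *c);
    c->sock = malloc(sizeof *c->sock);
    *c->sock = payload;
    return c;
}

static void conn_free(struct conn *c) {
    free(c->sock);
    free(c);
    g_freed++;
}

/* Send path: each posted CDC message holds one reference until its completion runs. */
static void cdc_tx_post(struct conn *c) {
    atomic_fetch_add(&c->pend_tx, 1);
}

/* Completion handler: the reference held by this message keeps c->sock valid here.
 * Dropping the last reference after a release request is what finally frees it. */
static int cdc_tx_handler(struct conn *c) {
    int seen = *c->sock;   /* safe: at least this message's reference is held */
    if (atomic_fetch_sub(&c->pend_tx, 1) == 1 && c->release_requested)
        conn_free(c);
    return seen;
}

/* Release path: frees immediately only when nothing is in flight; otherwise the
 * last completing handler frees it. Returns 1 if freed now, 0 if deferred. */
static int smc_release_model(struct conn *c) {
    c->release_requested = 1;
    if (atomic_load(&c->pend_tx) == 0) {
        conn_free(c);
        return 1;
    }
    return 0;
}
```

Without the counter, the release path would free `c->sock` unconditionally and the handler's read would be the use-after-free the advisory describes; with it, the handler always observes live data and the free happens exactly once.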