CVE-2024-56640: net/smc: fix LGR and link use-after-free issue
First published: Fri Dec 27 2024(Updated: )
In the Linux kernel, the following vulnerability has been resolved: net/smc: fix LGR and link use-after-free issue We encountered a LGR/link use-after-free issue, which manifested as the LGR/link refcnt reaching 0 early and entering the clear process, making resource access unsafe. refcount_t: addition on 0; use-after-free. WARNING: CPU: 14 PID: 107447 at lib/refcount.c:25 refcount_warn_saturate+0x9c/0x140 Workqueue: events smc_lgr_terminate_work [smc] Call trace: refcount_warn_saturate+0x9c/0x140 __smc_lgr_terminate.part.45+0x2a8/0x370 [smc] smc_lgr_terminate_work+0x28/0x30 [smc] process_one_work+0x1b8/0x420 worker_thread+0x158/0x510 kthread+0x114/0x118 or refcount_t: underflow; use-after-free. WARNING: CPU: 6 PID: 93140 at lib/refcount.c:28 refcount_warn_saturate+0xf0/0x140 Workqueue: smc_hs_wq smc_listen_work [smc] Call trace: refcount_warn_saturate+0xf0/0x140 smcr_link_put+0x1cc/0x1d8 [smc] smc_conn_free+0x110/0x1b0 [smc] smc_conn_abort+0x50/0x60 [smc] smc_listen_find_device+0x75c/0x790 [smc] smc_listen_work+0x368/0x8a0 [smc] process_one_work+0x1b8/0x420 worker_thread+0x158/0x510 kthread+0x114/0x118 It is caused by repeated release of LGR/link refcnt. One suspect is that smc_conn_free() is called repeatedly because some smc_conn_free() from server listening path are not protected by sock lock. e.g. Calls under socklock | smc_listen_work ------------------------------------------------------- lock_sock(sk) | smc_conn_abort smc_conn_free | \- smc_conn_free \- smcr_link_put | \- smcr_link_put (duplicated) release_sock(sk) So here add sock lock protection in smc_listen_work() path, making it exclusive with other connection operations.
Credit: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Linux Linux kernel | >=4.18<5.15.174 | |
| Linux Linux kernel | >=5.16<6.1.120 | |
| Linux Linux kernel | >=6.2<6.6.66 | |
| Linux Linux kernel | >=6.7<6.12.5 | |
| Linux Linux kernel | =6.13-rc1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://git.kernel.org/stable/c/f502a88fdd415647a1f2dc45fac71b9c522a052b
- https://git.kernel.org/stable/c/0cf598548a6c36d90681d53c6b77d52363f2f295
- https://git.kernel.org/stable/c/673d606683ac70bc074ca6676b938bff18635226
- https://git.kernel.org/stable/c/6f0ae06a234a78ae137064f2c89135ac078a00eb
- https://git.kernel.org/stable/c/2c7f14ed9c19ec0f149479d1c2842ec1f9bf76d7
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/title
- agent/references
- agent/type
- agent/first-publish-date
- agent/description
- agent/author
- agent/event
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/remedy
- agent/severity
- agent/tags
- agent/softwarecombine
- vendor/linux
- canonical/linux linux kernel
- version/linux linux kernel/4.18
- version/linux linux kernel/5.16
- version/linux linux kernel/6.2
- version/linux linux kernel/6.7
- version/linux linux kernel/6.13-rc1