CVE-2021-46925

EUVD-2021-33573
In the Linux kernel, the following vulnerability has been resolved:

net/smc: fix kernel panic caused by race of smc_sock

A crash occurs when smc_cdc_tx_handler() tries to access smc_sock
but smc_release() has already freed it.

[ 4570.695099] BUG: unable to handle page fault for address: 000000002eae9e88
[ 4570.696048] #PF: supervisor write access in kernel mode
[ 4570.696728] #PF: error_code(0x0002) - not-present page
[ 4570.697401] PGD 0 P4D 0
[ 4570.697716] Oops: 0002 [#1] PREEMPT SMP NOPTI
[ 4570.698228] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.16.0-rc4+ #111
[ 4570.699013] Hardware name: Alibaba Cloud Alibaba Cloud ECS, BIOS 8c24b4c 04/0
[ 4570.699933] RIP: 0010:_raw_spin_lock+0x1a/0x30
<...>
[ 4570.711446] Call Trace:
[ 4570.711746]  <IRQ>
[ 4570.711992]  smc_cdc_tx_handler+0x41/0xc0
[ 4570.712470]  smc_wr_tx_tasklet_fn+0x213/0x560
[ 4570.712981]  ? smc_cdc_tx_dismisser+0x10/0x10
[ 4570.713489]  tasklet_action_common.isra.17+0x66/0x140
[ 4570.714083]  __do_softirq+0x123/0x2f4
[ 4570.714521]  irq_exit_rcu+0xc4/0xf0
[ 4570.714934]  common_interrupt+0xba/0xe0

Though smc_cdc_tx_handler() checked the existence of smc connection,
smc_release() may have already dismissed and released the smc socket
before smc_cdc_tx_handler() further visits it.

smc_cdc_tx_handler()           |smc_release()
if (!conn)                     |
                               |
                               |smc_cdc_tx_dismiss_slots()
                               |      smc_cdc_tx_dismisser()
                               |
                               |sock_put(&smc->sk) <- last sock_put,
                               |                      smc_sock freed
bh_lock_sock(&smc->sk) (panic) |

To make sure we won't receive any CDC messages after we free the
smc_sock, add a refcount on the smc_connection for inflight CDC
messages (posted to the QP but haven't received related CQE), and
don't release the smc_connection until all the inflight CDC messages
have been done, for both success or failed ones.

Using refcount on CDC messages brings another problem: when the link
is going to be destroyed, smcr_link_clear() will reset the QP, which
then removes all the pending CQEs related to the QP in the CQ. To make
sure all the CQEs will always come back so the refcount on the
smc_connection can always reach 0, smc_ib_modify_qp_reset() was replaced
by smc_ib_modify_qp_error().
And remove the timeout in smc_wr_tx_wait_no_pending_sends() since we
need to wait for all pending WQEs done, or we may encounter use-after-
free when handling CQEs.

For IB device removal routine, we need to wait for all the QPs on that
device been destroyed before we can destroy CQs on the device, or
the refcount on smc_connection won't reach 0 and smc_sock cannot be
released.
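
The interleaving in the diagram above and the inflight refcount the fix introduces, as a user-space model added here (not the kernel patch or code from this advisory). The struct, field and function names are hypothetical; the `completed < posted` case stands in for CQEs that never come back, which is why the commit moves the QP to the error state instead of resetting it.

```c
#include <stdatomic.h>
#include <stdbool.h>

/* Hypothetical user-space stand-in for smc_connection and its smc_sock. */
struct conn_model {
    atomic_int cdc_inflight; /* posted to the QP, CQE not yet handled */
    bool closing;            /* release path has run */
    bool freed;              /* models the last sock_put() */
    bool use_refcount;       /* false replays the pre-fix behaviour */
};

static void free_if_idle(struct conn_model *c)
{
    if (c->closing && atomic_load(&c->cdc_inflight) == 0)
        c->freed = true;
}

/* Release path: pre-fix frees at once, post-fix waits for inflight == 0. */
static void model_release(struct conn_model *c)
{
    c->closing = true;
    if (c->use_refcount)
        free_if_idle(c);
    else
        c->freed = true;
}

/* Completion handler: -1 marks where the kernel would touch freed memory. */
static int model_cqe(struct conn_model *c)
{
    if (c->freed)
        return -1;           /* bh_lock_sock() on a freed smc_sock */
    atomic_fetch_sub(&c->cdc_inflight, 1);
    free_if_idle(c);
    return 0;
}

/* Diagram order: post, release, CQEs. Returns handler runs on freed memory, -1 if never freed. */
int replay(bool use_refcount, int posted, int completed)
{
    struct conn_model c = { .use_refcount = use_refcount };
    int bad = 0;
    atomic_init(&c.cdc_inflight, 0);
    for (int i = 0; i < posted; i++) atomic_fetch_add(&c.cdc_inflight, 1);
    model_release(&c);
    for (int i = 0; i < completed; i++) bad += (model_cqe(&c) < 0);
    return c.freed ? bad : -1;
}

int main(void) { return replay(true, 2, 2); }
```
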
Race Condition
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 4.7 MEDIUM | LOCAL | HIGH | LOW | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H |
| CISA-ADP | ADP | 4.7 MEDIUM | LOCAL | HIGH | LOW | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H |
Affected Products (NVD)

| Vendor | Product | Version |
|---|---|---|
| linux | linux_kernel | 4.11.0 ≤ 𝑥 < 5.10.90 |
| linux | linux_kernel | 5.11.0 ≤ 𝑥 < 5.15.13 |

𝑥 = Vulnerable software versions
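Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| linux | bookworm | 6.1.106-3 | fixed |
| linux | bookworm (security) | 6.1.112-1 | fixed |
| linux | bullseye | 5.10.223-1 | fixed |
| linux | bullseye (security) | 5.10.226-1 | fixed |
| linux | sid | 6.11.6-1 | fixed |
| linux | trixie | 6.11.5-1 | fixed |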
Ubuntu Releases

| Ubuntu Product | bionic | focal | jammy | mantic | noble | trusty | xenial |
|---|---|---|---|---|---|---|---|
| linux | ignored | needed | not-affected | not-affected | not-affected | not-affected | not-affected |
| linux-allwinner-5.19 | dne | dne | ignored | dne | dne | dne | dne |
| linux-aws | ignored | needed | not-affected | not-affected | not-affected | not-affected | not-affected |
| linux-aws-5.0 | ignored | dne | dne | dne | dne | dne | dne |
| linux-aws-5.11 | dne | ignored | dne | dne | dne | dne | dne |
| linux-aws-5.13 | dne | ignored | dne | dne | dne | dne | dne |
| linux-aws-5.15 | dne | not-affected | dne | dne | dne | dne | dne |
| linux-aws-5.19 | dne | dne | ignored | dne | dne | dne | dne |
| linux-aws-5.3 | ignored | dne | dne | dne | dne | dne | dne |
| linux-aws-5.4 | ignored | dne | dne | dne | dne | dne | dne |
| linux-aws-5.8 | dne | ignored | dne | dne | dne | dne | dne |
| linux-aws-6.2 | dne | dne | ignored | dne | dne | dne | dne |
| linux-aws-6.5 | dne | dne | not-affected | dne | dne | dne | dne |
| linux-aws-fips | dne | dne | dne | dne | dne | dne | dne |
| linux-aws-hwe | dne | dne | dne | dne | dne | dne | ignored |
| linux-azure | ignored | needed | not-affected | not-affected | not-affected | ignored | ignored |
| linux-azure-4.15 | ignored | dne | dne | dne | dne | dne | dne |
| linux-azure-5.11 | dne | ignored | dne | dne | dne | dne | dne |
| linux-azure-5.13 | dne | ignored | dne | dne | dne | dne | dne |
| linux-azure-5.15 | dne | not-affected | dne | dne | dne | dne | dne |
| linux-azure-5.19 | dne | dne | ignored | dne | dne | dne | dne |
| linux-azure-5.3 | ignored | dne | dne | dne | dne | dne | dne |
| linux-azure-5.4 | ignored | dne | dne | dne | dne | dne | dne |
| linux-azure-5.8 | dne | ignored | dne | dne | dne | dne | dne |
| linux-azure-6.2 | dne | dne | ignored | dne | dne | dne | dne |
| linux-azure-6.5 | dne | dne | not-affected | dne | dne | dne | dne |
| linux-azure-edge | ignored | dne | dne | dne | dne | dne | dne |
| linux-azure-fde | dne | ignored | not-affected | dne | dne | dne | dne |
| linux-azure-fde-5.15 | dne | not-affected | dne | dne | dne | dne | dne |
| linux-azure-fde-5.19 | dne | dne | ignored | dne | dne | dne | dne |
| linux-azure-fde-6.2 | dne | dne | ignored | dne | dne | dne | dne |
| linux-azure-fips | dne | dne | dne | dne | dne | dne | dne |
| linux-bluefield | dne | needed | dne | dne | dne | dne | dne |
| linux-dell300x | ignored | dne | dne | dne | dne | dne | dne |
| linux-fips | dne | dne | dne | dne | dne | ignored | ignored |
| linux-gcp | ignored | needed | not-affected | not-affected | not-affected | dne | ignored |
| linux-gcp-4.15 | ignored | dne | dne | dne | dne | dne | dne |
| linux-gcp-5.11 | dne | ignored | dne | dne | dne | dne | dne |
| linux-gcp-5.13 | dne | ignored | dne | dne | dne | dne | dne |
| linux-gcp-5.15 | dne | not-affected | dne | dne | dne | dne | dne |
| linux-gcp-5.19 | dne | dne | ignored | dne | dne | dne | dne |
| linux-gcp-5.3 | ignored | dne | dne | dne | dne | dne | dne |
| linux-gcp-5.4 | ignored | dne | dne | dne | dne | dne | dne |
| linux-gcp-5.8 | dne | ignored | dne | dne | dne | dne | dne |
| linux-gcp-6.2 | dne | dne | ignored | dne | dne | dne | dne |
| linux-gcp-6.5 | dne | dne | not-affected | dne | dne | dne | dne |
| linux-gcp-fips | dne | dne | dne | dne | dne | dne | dne |
| linux-gke | dne | ignored | not-affected | dne | not-affected | dne | ignored |
| linux-gke-4.15 | ignored | dne | dne | dne | dne | dne | dne |
| linux-gke-5.0 | ignored | dne | dne | dne | dne | dne | dne |
| linux-gke-5.15 | dne | ignored | dne | dne | dne | dne | dne |
| linux-gke-5.3 | ignored | dne | dne | dne | dne | dne | dne |
| linux-gke-5.4 | ignored | dne | dne | dne | dne | dne | dne |
| linux-gkeop | dne | needed | not-affected | dne | dne | dne | dne |
| linux-gkeop-5.15 | dne | not-affected | dne | dne | dne | dne | dne |
| linux-gkeop-5.4 | ignored | dne | dne | dne | dne | dne | dne |
| linux-hwe | ignored | dne | dne | dne | dne | dne | ignored |
| linux-hwe-5.11 | dne | ignored | dne | dne | dne | dne | dne |
| linux-hwe-5.13 | dne | ignored | dne | dne | dne | dne | dne |
| linux-hwe-5.15 | dne | not-affected | dne | dne | dne | dne | dne |
| linux-hwe-5.19 | dne | dne | ignored | dne | dne | dne | dne |
| linux-hwe-5.4 | ignored | dne | dne | dne | dne | dne | dne |
| linux-hwe-5.8 | dne | ignored | dne | dne | dne | dne | dne |
| linux-hwe-6.2 | dne | dne | ignored | dne | dne | dne | dne |
| linux-hwe-6.5 | dne | dne | not-affected | dne | dne | dne | dne |
| linux-hwe-6.8 | dne | dne | not-affected | | dne | dne | dne |
| linux-hwe-edge | ignored | dne | dne | dne | dne | dne | ignored |
| linux-ibm | dne | needed | not-affected | ignored | not-affected | dne | dne |
| linux-ibm-5.15 | dne | not-affected | dne | dne | dne | dne | dne |
| linux-ibm-5.4 | ignored | dne | dne | dne | dne | dne | dne |
| linux-intel | dne | dne | dne | dne | not-affected | dne | dne |
| linux-intel-5.13 | dne | ignored | dne | dne | dne | dne | dne |
| linux-intel-iot-realtime | dne | dne | dne | | dne | dne | dne |
| linux-intel-iotg | dne | dne | not-affected | dne | dne | dne | dne |
| linux-intel-iotg-5.15 | dne | not-affected | dne | dne | dne | dne | dne |
| linux-iot | dne | needed | dne | dne | dne | dne | dne |
| linux-kvm | ignored | needed | not-affected | dne | dne | dne | not-affected |
| linux-laptop | dne | dne | dne | not-affected | dne | dne | dne |
| linux-lowlatency | dne | dne | not-affected | not-affected | not-affected | dne | dne |
| linux-lowlatency-hwe-5.15 | dne | not-affected | dne | dne | dne | dne | dne |
| linux-lowlatency-hwe-5.19 | dne | dne | ignored | dne | dne | dne | dne |
| linux-lowlatency-hwe-6.2 | dne | dne | ignored | dne | dne | dne | dne |
| linux-lowlatency-hwe-6.5 | dne | dne | not-affected | dne | dne | dne | dne |
| linux-lowlatency-hwe-6.8 | dne | dne | not-affected | | dne | dne | dne |
| linux-lts-xenial | dne | dne | dne | dne | dne | not-affected | dne |
| linux-nvidia | dne | dne | not-affected | dne | not-affected | dne | dne |
| linux-nvidia-6.2 | dne | dne | ignored | dne | dne | dne | dne |
| linux-nvidia-6.5 | dne | dne | not-affected | dne | dne | dne | dne |
| linux-nvidia-6.8 | dne | dne | not-affected | | dne | dne | dne |
| linux-nvidia-lowlatency | dne | dne | dne | | not-affected | dne | dne |
| linux-oem | ignored | dne | dne | dne | dne | dne | ignored |
| linux-oem-5.10 | dne | ignored | dne | dne | dne | dne | dne |
| linux-oem-5.13 | dne | ignored | dne | dne | dne | dne | dne |
| linux-oem-5.14 | dne | ignored | dne | dne | dne | dne | dne |
| linux-oem-5.17 | dne | dne | ignored | dne | dne | dne | dne |
| linux-oem-5.6 | dne | ignored | dne | dne | dne | dne | dne |
| linux-oem-6.0 | dne | dne | ignored | dne | dne | dne | dne |
| linux-oem-6.1 | dne | dne | ignored | dne | dne | dne | dne |
| linux-oem-6.5 | dne | dne | not-affected | dne | dne | dne | dne |
| linux-oem-6.8 | dne | dne | dne | dne | not-affected | dne | dne |
| linux-oem-osp1 | ignored | dne | dne | dne | dne | dne | dne |
| linux-oracle | ignored | needed | not-affected | not-affected | not-affected | dne | ignored |
| linux-oracle-5.0 | ignored | dne | dne | dne | dne | dne | dne |
| linux-oracle-5.11 | dne | ignored | dne | dne | dne | dne | dne |
| linux-oracle-5.13 | dne | ignored | dne | dne | dne | dne | dne |
| linux-oracle-5.15 | dne | not-affected | dne | dne | dne | dne | dne |
| linux-oracle-5.3 | ignored | dne | dne | dne | dne | dne | dne |
| linux-oracle-5.4 | ignored | dne | dne | dne | dne | dne | dne |
| linux-oracle-5.8 | dne | ignored | dne | dne | dne | dne | dne |
| linux-oracle-6.5 | dne | dne | not-affected | dne | dne | dne | dne |
| linux-raspi | dne | needed | not-affected | not-affected | not-affected | dne | dne |
| linux-raspi-5.4 | ignored | dne | dne | dne | dne | dne | dne |
| linux-raspi-realtime | dne | dne | dne | | dne | dne | dne |
| linux-raspi2 | ignored | ignored | dne | dne | dne | dne | ignored |
| linux-raspi2-5.3 | ignored | dne | dne | dne | dne | dne | dne |
| linux-realtime | dne | dne | ignored | | dne | dne | dne |
| linux-riscv | dne | ignored | ignored | not-affected | not-affected | dne | dne |
| linux-riscv-5.11 | dne | ignored | dne | dne | dne | dne | dne |
| linux-riscv-5.15 | dne | not-affected | dne | dne | dne | dne | dne |
| linux-riscv-5.19 | dne | dne | ignored | dne | dne | dne | dne |
| linux-riscv-5.8 | dne | ignored | dne | dne | dne | dne | dne |
| linux-riscv-6.5 | dne | dne | not-affected | dne | dne | dne | dne |
| linux-riscv-6.8 | dne | dne | not-affected | | dne | dne | dne |
| linux-snapdragon | ignored | dne | dne | dne | dne | dne | ignored |
| linux-starfive | dne | dne | dne | not-affected | dne | dne | dne |
| linux-starfive-5.19 | dne | dne | ignored | dne | dne | dne | dne |
| linux-starfive-6.2 | dne | dne | ignored | dne | dne | dne | dne |
| linux-starfive-6.5 | dne | dne | not-affected | dne | dne | dne | dne |
| linux-xilinx-zynqmp | dne | needed | not-affected | dne | dne | dne | dne |