CVE-2021-46925

27.02.2024, 10:15

In the Linux kernel, the following vulnerability has been resolved:

net/smc: fix kernel panic caused by race of smc_sock

A crash occurs when smc_cdc_tx_handler() tries to access smc_sock
but smc_release() has already freed it.

[ 4570.695099] BUG: unable to handle page fault for address: 000000002eae9e88
[ 4570.696048] #PF: supervisor write access in kernel mode
[ 4570.696728] #PF: error_code(0x0002) - not-present page
[ 4570.697401] PGD 0 P4D 0
[ 4570.697716] Oops: 0002 [#1] PREEMPT SMP NOPTI
[ 4570.698228] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.16.0-rc4+ #111
[ 4570.699013] Hardware name: Alibaba Cloud Alibaba Cloud ECS, BIOS 8c24b4c 04/0
[ 4570.699933] RIP: 0010:_raw_spin_lock+0x1a/0x30
<...>
[ 4570.711446] Call Trace:
[ 4570.711746]  <IRQ>
[ 4570.711992]  smc_cdc_tx_handler+0x41/0xc0
[ 4570.712470]  smc_wr_tx_tasklet_fn+0x213/0x560
[ 4570.712981]  ? smc_cdc_tx_dismisser+0x10/0x10
[ 4570.713489]  tasklet_action_common.isra.17+0x66/0x140
[ 4570.714083]  __do_softirq+0x123/0x2f4
[ 4570.714521]  irq_exit_rcu+0xc4/0xf0
[ 4570.714934]  common_interrupt+0xba/0xe0

Though smc_cdc_tx_handler() checked the existence of smc connection,
smc_release() may have already dismissed and released the smc socket
before smc_cdc_tx_handler() further visits it.

smc_cdc_tx_handler()           |smc_release()
if (!conn)                     |
                               |
                               |smc_cdc_tx_dismiss_slots()
                               |      smc_cdc_tx_dismisser()
                               |
                               |sock_put(&smc->sk) <- last sock_put,
                               |                      smc_sock freed
bh_lock_sock(&smc->sk) (panic) |

To make sure we won't receive any CDC messages after we free the
smc_sock, add a refcount on the smc_connection for inflight CDC
message(posted to the QP but haven't received related CQE), and
don't release the smc_connection until all the inflight CDC messages
haven been done, for both success or failed ones.

Using refcount on CDC messages brings another problem: when the link
is going to be destroyed, smcr_link_clear() will reset the QP, which
then remove all the pending CQEs related to the QP in the CQ. To make
sure all the CQEs will always come back so the refcount on the
smc_connection can always reach 0, smc_ib_modify_qp_reset() was replaced
by smc_ib_modify_qp_error().
And remove the timeout in smc_wr_tx_wait_no_pending_sends() since we
need to wait for all pending WQEs done, or we may encounter use-after-
free when handling CQEs.

For IB device removal routine, we need to wait for all the QPs on that
device been destroyed before we can destroy CQs on the device, or
the refcount on smc_connection won't reach 0 and smc_sock cannot be
released.

Race Condition

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	4.7 MEDIUM	LOCAL	HIGH	LOW	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Linux	CNA	---				---
CISA-ADP	ADP	4.7 MEDIUM	LOCAL	HIGH	LOW	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Vendor	Product	Version
linux	linux_kernel	4.11.0 ≤ 𝑥 < 5.10.90
linux	linux_kernel	5.11.0 ≤ 𝑥 < 5.15.13

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bullseye	5.10.223-1 fixed
bullseye (security)	5.10.226-1 fixed
bookworm	6.1.106-3 fixed
bookworm (security)	6.1.112-1 fixed
trixie	6.11.5-1 fixed
sid	6.11.6-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

linux

noble	not-affected
mantic	not-affected
jammy	not-affected
focal	needed
bionic	ignored
xenial	not-affected
trusty	not-affected

linux-allwinner-5.19

noble	dne
mantic	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-aws

noble	not-affected
mantic	not-affected
jammy	not-affected
focal	needed
bionic	ignored
xenial	not-affected
trusty	not-affected

linux-aws-5.0

noble	dne
mantic	dne
jammy	dne
focal	dne
bionic	ignored
xenial	dne
trusty	dne

linux-aws-5.11

noble	dne
mantic	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-aws-5.13

noble	dne
mantic	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-aws-5.15

noble	dne
mantic	dne
jammy	dne
focal	not-affected
bionic	dne
xenial	dne
trusty	dne

linux-aws-5.19

noble	dne
mantic	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-aws-5.3

noble	dne
mantic	dne
jammy	dne
focal	dne
bionic	ignored
xenial	dne
trusty	dne

linux-aws-5.4

noble	dne
mantic	dne
jammy	dne
focal	dne
bionic	ignored
xenial	dne
trusty	dne

linux-aws-5.8

noble	dne
mantic	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-aws-6.2

noble	dne
mantic	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-aws-6.5

noble	dne
mantic	dne
jammy	not-affected
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-aws-fips

noble	dne
mantic	dne
jammy	dne
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-aws-hwe

noble	dne
mantic	dne
jammy	dne
focal	dne
bionic	dne
xenial	ignored
trusty	dne

linux-azure

noble	not-affected
mantic	not-affected
jammy	not-affected
focal	needed
bionic	ignored
xenial	ignored
trusty	ignored

linux-azure-4.15

noble	dne
mantic	dne
jammy	dne
focal	dne
bionic	ignored
xenial	dne
trusty	dne

linux-azure-5.11

noble	dne
mantic	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-azure-5.13

noble	dne
mantic	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-azure-5.15

noble	dne
mantic	dne
jammy	dne
focal	not-affected
bionic	dne
xenial	dne
trusty	dne

linux-azure-5.19

noble	dne
mantic	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-azure-5.3

noble	dne
mantic	dne
jammy	dne
focal	dne
bionic	ignored
xenial	dne
trusty	dne

linux-azure-5.4

noble	dne
mantic	dne
jammy	dne
focal	dne
bionic	ignored
xenial	dne
trusty	dne

linux-azure-5.8

noble	dne
mantic	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-azure-6.2

noble	dne
mantic	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-azure-6.5

noble	dne
mantic	dne
jammy	not-affected
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-azure-edge

noble	dne
mantic	dne
jammy	dne
focal	dne
bionic	ignored
xenial	dne
trusty	dne

linux-azure-fde

noble	dne
mantic	dne
jammy	not-affected
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-azure-fde-5.15

noble	dne
mantic	dne
jammy	dne
focal	not-affected
bionic	dne
xenial	dne
trusty	dne

linux-azure-fde-5.19

noble	dne
mantic	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-azure-fde-6.2

noble	dne
mantic	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-azure-fips

noble	dne
mantic	dne
jammy	dne
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-bluefield

noble	dne
mantic	dne
jammy	dne
focal	needed
bionic	dne
xenial	dne
trusty	dne

linux-dell300x

noble	dne
mantic	dne
jammy	dne
focal	dne
bionic	ignored
xenial	dne
trusty	dne

linux-fips

noble	dne
mantic	dne
jammy	dne
focal	dne
bionic	dne
xenial	ignored
trusty	ignored

linux-gcp

noble	not-affected
mantic	not-affected
jammy	not-affected
focal	needed
bionic	ignored
xenial	ignored
trusty	dne

linux-gcp-4.15

noble	dne
mantic	dne
jammy	dne
focal	dne
bionic	ignored
xenial	dne
trusty	dne

linux-gcp-5.11

noble	dne
mantic	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-gcp-5.13

noble	dne
mantic	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-gcp-5.15

noble	dne
mantic	dne
jammy	dne
focal	not-affected
bionic	dne
xenial	dne
trusty	dne

linux-gcp-5.19

noble	dne
mantic	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-gcp-5.3

noble	dne
mantic	dne
jammy	dne
focal	dne
bionic	ignored
xenial	dne
trusty	dne

linux-gcp-5.4

noble	dne
mantic	dne
jammy	dne
focal	dne
bionic	ignored
xenial	dne
trusty	dne

linux-gcp-5.8

noble	dne
mantic	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-gcp-6.2

noble	dne
mantic	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-gcp-6.5

noble	dne
mantic	dne
jammy	not-affected
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-gcp-fips

noble	dne
mantic	dne
jammy	dne
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-gke

noble	not-affected
mantic	dne
jammy	not-affected
focal	ignored
bionic	dne
xenial	ignored
trusty	dne

linux-gke-4.15

noble	dne
mantic	dne
jammy	dne
focal	dne
bionic	ignored
xenial	dne
trusty	dne

linux-gke-5.0

noble	dne
mantic	dne
jammy	dne
focal	dne
bionic	ignored
xenial	dne
trusty	dne

linux-gke-5.15

noble	dne
mantic	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-gke-5.3

noble	dne
mantic	dne
jammy	dne
focal	dne
bionic	ignored
xenial	dne
trusty	dne

linux-gke-5.4

noble	dne
mantic	dne
jammy	dne
focal	dne
bionic	ignored
xenial	dne
trusty	dne

linux-gkeop

noble	dne
mantic	dne
jammy	not-affected
focal	needed
bionic	dne
xenial	dne
trusty	dne

linux-gkeop-5.15

noble	dne
mantic	dne
jammy	dne
focal	not-affected
bionic	dne
xenial	dne
trusty	dne

linux-gkeop-5.4

noble	dne
mantic	dne
jammy	dne
focal	dne
bionic	ignored
xenial	dne
trusty	dne

linux-hwe

noble	dne
mantic	dne
jammy	dne
focal	dne
bionic	ignored
xenial	ignored
trusty	dne

linux-hwe-5.11

noble	dne
mantic	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-hwe-5.13

noble	dne
mantic	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-hwe-5.15

noble	dne
mantic	dne
jammy	dne
focal	not-affected
bionic	dne
xenial	dne
trusty	dne

linux-hwe-5.19

noble	dne
mantic	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-hwe-5.4

noble	dne
mantic	dne
jammy	dne
focal	dne
bionic	ignored
xenial	dne
trusty	dne

linux-hwe-5.8

noble	dne
mantic	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-hwe-6.2

noble	dne
mantic	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-hwe-6.5

noble	dne
mantic	dne
jammy	not-affected
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-hwe-6.8

noble	dne
jammy	not-affected
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-hwe-edge

noble	dne
mantic	dne
jammy	dne
focal	dne
bionic	ignored
xenial	ignored
trusty	dne

linux-ibm

noble	not-affected
mantic	ignored
jammy	not-affected
focal	needed
bionic	dne
xenial	dne
trusty	dne

linux-ibm-5.15

noble	dne
mantic	dne
jammy	dne
focal	not-affected
bionic	dne
xenial	dne
trusty	dne

linux-ibm-5.4

noble	dne
mantic	dne
jammy	dne
focal	dne
bionic	ignored
xenial	dne
trusty	dne

linux-intel

noble	not-affected
mantic	dne
jammy	dne
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-intel-5.13

noble	dne
mantic	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-intel-iot-realtime

noble	dne
jammy	dne
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-intel-iotg

noble	dne
mantic	dne
jammy	not-affected
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-intel-iotg-5.15

noble	dne
mantic	dne
jammy	dne
focal	not-affected
bionic	dne
xenial	dne
trusty	dne

linux-iot

noble	dne
mantic	dne
jammy	dne
focal	needed
bionic	dne
xenial	dne
trusty	dne

linux-kvm

noble	dne
mantic	dne
jammy	not-affected
focal	needed
bionic	ignored
xenial	not-affected
trusty	dne

linux-laptop

noble	dne
mantic	not-affected
jammy	dne
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-lowlatency

noble	not-affected
mantic	not-affected
jammy	not-affected
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-lowlatency-hwe-5.15

noble	dne
mantic	dne
jammy	dne
focal	not-affected
bionic	dne
xenial	dne
trusty	dne

linux-lowlatency-hwe-5.19

noble	dne
mantic	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-lowlatency-hwe-6.2

noble	dne
mantic	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-lowlatency-hwe-6.5

noble	dne
mantic	dne
jammy	not-affected
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-lowlatency-hwe-6.8

noble	dne
jammy	not-affected
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-lts-xenial

noble	dne
mantic	dne
jammy	dne
focal	dne
bionic	dne
xenial	dne
trusty	not-affected

linux-nvidia

noble	not-affected
mantic	dne
jammy	not-affected
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-nvidia-6.2

noble	dne
mantic	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-nvidia-6.5

noble	dne
mantic	dne
jammy	not-affected
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-nvidia-6.8

noble	dne
jammy	not-affected
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-nvidia-lowlatency

noble	not-affected
jammy	dne
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-oem

noble	dne
mantic	dne
jammy	dne
focal	dne
bionic	ignored
xenial	ignored
trusty	dne

linux-oem-5.10

noble	dne
mantic	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-oem-5.13

noble	dne
mantic	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-oem-5.14

noble	dne
mantic	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-oem-5.17

noble	dne
mantic	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-oem-5.6

noble	dne
mantic	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-oem-6.0

noble	dne
mantic	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-oem-6.1

noble	dne
mantic	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-oem-6.5

noble	dne
mantic	dne
jammy	not-affected
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-oem-6.8

noble	not-affected
mantic	dne
jammy	dne
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-oem-osp1

noble	dne
mantic	dne
jammy	dne
focal	dne
bionic	ignored
xenial	dne
trusty	dne

linux-oracle

noble	not-affected
mantic	not-affected
jammy	not-affected
focal	needed
bionic	ignored
xenial	ignored
trusty	dne

linux-oracle-5.0

noble	dne
mantic	dne
jammy	dne
focal	dne
bionic	ignored
xenial	dne
trusty	dne

linux-oracle-5.11

noble	dne
mantic	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-oracle-5.13

noble	dne
mantic	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-oracle-5.15

noble	dne
mantic	dne
jammy	dne
focal	not-affected
bionic	dne
xenial	dne
trusty	dne

linux-oracle-5.3

noble	dne
mantic	dne
jammy	dne
focal	dne
bionic	ignored
xenial	dne
trusty	dne

linux-oracle-5.4

noble	dne
mantic	dne
jammy	dne
focal	dne
bionic	ignored
xenial	dne
trusty	dne

linux-oracle-5.8

noble	dne
mantic	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-oracle-6.5

noble	dne
mantic	dne
jammy	not-affected
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-raspi

noble	not-affected
mantic	not-affected
jammy	not-affected
focal	needed
bionic	dne
xenial	dne
trusty	dne

linux-raspi-5.4

noble	dne
mantic	dne
jammy	dne
focal	dne
bionic	ignored
xenial	dne
trusty	dne

linux-raspi-realtime

noble	dne
jammy	dne
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-raspi2

noble	dne
mantic	dne
jammy	dne
focal	ignored
bionic	ignored
xenial	ignored
trusty	dne

linux-raspi2-5.3

noble	dne
mantic	dne
jammy	dne
focal	dne
bionic	ignored
xenial	dne
trusty	dne

linux-realtime

noble	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-riscv

noble	not-affected
mantic	not-affected
jammy	ignored
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-riscv-5.11

noble	dne
mantic	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-riscv-5.15

noble	dne
mantic	dne
jammy	dne
focal	not-affected
bionic	dne
xenial	dne
trusty	dne

linux-riscv-5.19

noble	dne
mantic	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-riscv-5.8

noble	dne
mantic	dne
jammy	dne
focal	ignored
bionic	dne
xenial	dne
trusty	dne

linux-riscv-6.5

noble	dne
mantic	dne
jammy	not-affected
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-riscv-6.8

noble	dne
jammy	not-affected
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-snapdragon

noble	dne
mantic	dne
jammy	dne
focal	dne
bionic	ignored
xenial	ignored
trusty	dne

linux-starfive

noble	dne
mantic	not-affected
jammy	dne
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-starfive-5.19

noble	dne
mantic	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-starfive-6.2

noble	dne
mantic	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-starfive-6.5

noble	dne
mantic	dne
jammy	not-affected
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-xilinx-zynqmp

noble	dne
mantic	dne
jammy	not-affected
focal	needed
bionic	dne
xenial	dne
trusty	dne

Common Weakness Enumeration

CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
The program contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.

References

https://git.kernel.org/stable/c/349d43127dac00c15231e8ffbcaabd70f7b0e544

https://git.kernel.org/stable/c/b85f751d71ae8e2a15e9bda98852ea9af35282eb

https://git.kernel.org/stable/c/e8a5988a85c719ce7205cb00dcf0716dcf611332

https://git.kernel.org/stable/c/349d43127dac00c15231e8ffbcaabd70f7b0e544

https://git.kernel.org/stable/c/b85f751d71ae8e2a15e9bda98852ea9af35282eb

https://git.kernel.org/stable/c/e8a5988a85c719ce7205cb00dcf0716dcf611332