CVE-2023-53110

Summary

In the Linux kernel, the following vulnerability has been resolved:

net/smc: fix NULL sndbuf_desc in smc_cdc_tx_handler()

When performing a stress test on SMC-R by rmmod mlx5_ib driver during the wrk/nginx test, we found that there is a probability of triggering a panic while terminating all link groups.

This issue dues to the race between smc_smcr_terminate_all() and smc_buf_create().

		smc_smcr_terminate_all

smc_buf_create /* init */ conn->sndbuf_desc = NULL; …

		__smc_lgr_terminate
			smc_conn_kill
				smc_close_abort
					smc_cdc_get_slot_and_msg_send

		__softirqentry_text_start
			smc_wr_tx_process_cqe
				smc_cdc_tx_handler
					READ(conn->sndbuf_desc->len);
					/* panic dues to NULL sndbuf_desc */

conn->sndbuf_desc = xxx;

This patch tries to fix the issue by always to check the sndbuf_desc before send any cdc msg, to make sure that no null pointer is seen during cqe processing.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux0b29ec6436138721acf5844e558f7334a0fa61d5 < 31817c530768b0199771ec6019571b4f0ddbf230affected
LinuxLinux0b29ec6436138721acf5844e558f7334a0fa61d5 < b108bd9e6be000492ebebe867daa699285978a10affected
LinuxLinux0b29ec6436138721acf5844e558f7334a0fa61d5 < 3c270435db8aa34929263dddae8fd050f5216ecbaffected
LinuxLinux0b29ec6436138721acf5844e558f7334a0fa61d5 < 3ebac7cf0a184a8102821a7a00203f02bebda83caffected
LinuxLinux0b29ec6436138721acf5844e558f7334a0fa61d5 < 22a825c541d775c1dbe7b2402786025acad6727baffected
LinuxLinux5.5affected
LinuxLinux0 < 5.5unaffected
LinuxLinux5.10.176 <= 5.10.*unaffected
LinuxLinux5.15.104 <= 5.15.*unaffected
LinuxLinux6.1.21 <= 6.1.*unaffected
LinuxLinux6.2.8 <= 6.2.*unaffected
LinuxLinux6.3 <= *unaffected

Weaknesses

References