CVE-2023-53110

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
02/05/2025
Last modified:
02/05/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

net/smc: fix NULL sndbuf_desc in smc_cdc_tx_handler()

When performing a stress test on SMC-R by rmmod mlx5_ib driver
during the wrk/nginx test, we found that there is a probability
of triggering a panic while terminating all link groups.

This issue is due to the race between smc_smcr_terminate_all()
and smc_buf_create().

                        smc_smcr_terminate_all

smc_buf_create
/* init */
conn->sndbuf_desc = NULL;
...

                        __smc_lgr_terminate
                          smc_conn_kill
                            smc_close_abort
                              smc_cdc_get_slot_and_msg_send

                        __softirqentry_text_start
                          smc_wr_tx_process_cqe
                            smc_cdc_tx_handler
                              READ(conn->sndbuf_desc->len);
                              /* panic due to NULL sndbuf_desc */

conn->sndbuf_desc = xxx;

This patch tries to fix the issue by always checking the sndbuf_desc
before sending any cdc msg, to make sure that no null pointer is
seen during cqe processing.
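
The interleaving described above, replayed deterministically in userspace with and without the check before sending. This is an added example, not the kernel patch or code from the SMC sources: the struct and function names are hypothetical stand-ins modelled on the symbols in the description, and the -ENOBUFS and -EFAULT return values are assumptions of the model.

```c
/* Userspace model of the race; hypothetical names, not kernel code. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

struct buf_desc { int len; };
struct conn {
    struct buf_desc *sndbuf_desc; /* NULL until buffer creation finishes */
    bool cqe_pending;             /* a send completion is outstanding */
};

/* Sender side: post a CDC message. With check_desc set, refuse to post while
 * the send buffer is missing, so no completion can ever be generated. */
static int cdc_msg_send(struct conn *c, bool check_desc)
{
    if (check_desc && !c->sndbuf_desc)
        return -ENOBUFS;       /* assumed error code for this model */
    c->cqe_pending = true;
    return 0;
}

/* Completion side: models the handler that reads sndbuf_desc->len.
 * Returns -EFAULT where the real handler would dereference NULL. */
static int cdc_tx_handler(struct conn *c)
{
    if (!c->cqe_pending)
        return 0;              /* nothing was posted, nothing to process */
    c->cqe_pending = false;
    if (!c->sndbuf_desc)
        return -EFAULT;        /* stands in for the kernel panic */
    return c->sndbuf_desc->len;
}

/* Replays the order from the description: init, abort send, completion,
 * then the late assignment of sndbuf_desc. Returns the handler result. */
static int replay_race(bool check_desc)
{
    struct buf_desc desc = { .len = 4096 };   /* constructed sample value */
    struct conn c = { .sndbuf_desc = NULL, .cqe_pending = false };
    int sent = cdc_msg_send(&c, check_desc);  /* terminate path aborts conn */
    int seen = cdc_tx_handler(&c);            /* softirq completion runs */
    c.sndbuf_desc = &desc;                    /* buffer creation finishes */
    printf("check=%d send=%d handler=%d\n", check_desc, sent, seen);
    return seen;
}

int main(void) { return replay_race(false) == -EFAULT && replay_race(true) == 0 ? 0 : 1; }
```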

Impact