CVE-2024-56640

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/smc: fix LGR and link use-after-free issue<br /> <br /> We encountered a LGR/link use-after-free issue, which manifested as<br /> the LGR/link refcnt reaching 0 early and entering the clear process,<br /> making resource access unsafe.<br /> <br /> refcount_t: addition on 0; use-after-free.<br /> WARNING: CPU: 14 PID: 107447 at lib/refcount.c:25 refcount_warn_saturate+0x9c/0x140<br /> Workqueue: events smc_lgr_terminate_work [smc]<br /> Call trace:<br /> refcount_warn_saturate+0x9c/0x140<br /> __smc_lgr_terminate.part.45+0x2a8/0x370 [smc]<br /> smc_lgr_terminate_work+0x28/0x30 [smc]<br /> process_one_work+0x1b8/0x420<br /> worker_thread+0x158/0x510<br /> kthread+0x114/0x118<br /> <br /> or<br /> <br /> refcount_t: underflow; use-after-free.<br /> WARNING: CPU: 6 PID: 93140 at lib/refcount.c:28 refcount_warn_saturate+0xf0/0x140<br /> Workqueue: smc_hs_wq smc_listen_work [smc]<br /> Call trace:<br /> refcount_warn_saturate+0xf0/0x140<br /> smcr_link_put+0x1cc/0x1d8 [smc]<br /> smc_conn_free+0x110/0x1b0 [smc]<br /> smc_conn_abort+0x50/0x60 [smc]<br /> smc_listen_find_device+0x75c/0x790 [smc]<br /> smc_listen_work+0x368/0x8a0 [smc]<br /> process_one_work+0x1b8/0x420<br /> worker_thread+0x158/0x510<br /> kthread+0x114/0x118<br /> <br /> It is caused by repeated release of LGR/link refcnt. One suspect is that<br /> smc_conn_free() is called repeatedly because some smc_conn_free() from<br /> server listening path are not protected by sock lock.<br /> <br /> e.g.<br /> <br /> Calls under socklock | smc_listen_work<br /> -------------------------------------------------------<br /> lock_sock(sk) | smc_conn_abort<br /> smc_conn_free | \- smc_conn_free<br /> \- smcr_link_put | \- smcr_link_put (duplicated)<br /> release_sock(sk)<br /> <br /> So here add sock lock protection in smc_listen_work() path, making it<br /> exclusive with other connection operations.