CVE-2025-40357

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/smc: fix general protection fault in __smc_diag_dump<br /> <br /> The syzbot report a crash:<br /> <br /> Oops: general protection fault, probably for non-canonical address 0xfbd5a5d5a0000003: 0000 [#1] SMP KASAN NOPTI<br /> KASAN: maybe wild-memory-access in range [0xdead4ead00000018-0xdead4ead0000001f]<br /> CPU: 1 UID: 0 PID: 6949 Comm: syz.0.335 Not tainted syzkaller #0 PREEMPT(full)<br /> Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025<br /> RIP: 0010:smc_diag_msg_common_fill net/smc/smc_diag.c:44 [inline]<br /> RIP: 0010:__smc_diag_dump.constprop.0+0x3ca/0x2550 net/smc/smc_diag.c:89<br /> Call Trace:<br /> <br /> smc_diag_dump_proto+0x26d/0x420 net/smc/smc_diag.c:217<br /> smc_diag_dump+0x27/0x90 net/smc/smc_diag.c:234<br /> netlink_dump+0x539/0xd30 net/netlink/af_netlink.c:2327<br /> __netlink_dump_start+0x6d6/0x990 net/netlink/af_netlink.c:2442<br /> netlink_dump_start include/linux/netlink.h:341 [inline]<br /> smc_diag_handler_dump+0x1f9/0x240 net/smc/smc_diag.c:251<br /> __sock_diag_cmd net/core/sock_diag.c:249 [inline]<br /> sock_diag_rcv_msg+0x438/0x790 net/core/sock_diag.c:285<br /> netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2552<br /> netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]<br /> netlink_unicast+0x5a7/0x870 net/netlink/af_netlink.c:1346<br /> netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1896<br /> sock_sendmsg_nosec net/socket.c:714 [inline]<br /> __sock_sendmsg net/socket.c:729 [inline]<br /> ____sys_sendmsg+0xa95/0xc70 net/socket.c:2614<br /> ___sys_sendmsg+0x134/0x1d0 net/socket.c:2668<br /> __sys_sendmsg+0x16d/0x220 net/socket.c:2700<br /> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]<br /> do_syscall_64+0xcd/0x4e0 arch/x86/entry/syscall_64.c:94<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> <br /> The process like this:<br /> <br /> (CPU1) | (CPU2)<br /> ---------------------------------|-------------------------------<br /> inet_create() |<br /> // init clcsock to NULL |<br /> sk = sk_alloc() |<br /> |<br /> // unexpectedly change clcsock |<br /> inet_init_csk_locks() |<br /> |<br /> // add sk to hash table |<br /> smc_inet_init_sock() |<br /> smc_sk_init() |<br /> smc_hash_sk() |<br /> | // traverse the hash table<br /> | smc_diag_dump_proto<br /> | __smc_diag_dump()<br /> | // visit wrong clcsock<br /> | smc_diag_msg_common_fill()<br /> // alloc clcsock |<br /> smc_create_clcsk |<br /> sock_create_kern |<br /> <br /> With CONFIG_DEBUG_LOCK_ALLOC=y, the smc-&gt;clcsock is unexpectedly changed<br /> in inet_init_csk_locks(). The INET_PROTOSW_ICSK flag is no need by smc,<br /> just remove it.<br /> <br /> After removing the INET_PROTOSW_ICSK flag, this patch alse revert<br /> commit 6fd27ea183c2 ("net/smc: fix lacks of icsk_syn_mss with IPPROTO_SMC")<br /> to avoid casting smc_sock to inet_connection_sock.