CVE-2022-48909

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 22/08/2024
Last modified: 12/09/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

net/smc: fix connection leak

There's a potential leak issue under following execution sequence:

    smc_release                      smc_connect_work
    if (sk->sk_state == SMC_INIT)
                                     send_clc_confirim
        tcp_abort();
                                     ...
                                     sk.sk_state = SMC_ACTIVE
    smc_close_active
    switch(sk->sk_state) {
    ...
    case SMC_ACTIVE:
        smc_close_final()
        // then wait peer closed

Unfortunately, tcp_abort() may discard CLC CONFIRM messages that are still in the tcp send buffer, in which case our connection token cannot be delivered to the server side, which means that we cannot get a passive close message at all. Therefore, it is impossible for the to be disconnected at all.

This patch tries a very simple way to avoid this issue, once the state has changed to SMC_ACTIVE after tcp_abort(), we can actively abort the smc connection, considering that the state is SMC_INIT before tcp_abort(), abandoning the complete disconnection process should not cause too much problem.

In fact, this problem may exist as long as the CLC CONFIRM message is not received by the server. Whether a timer should be added after smc_close_final() needs to be discussed in the future. But even so, this patch provides a faster release for connection in above case, it should also be valuable.
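The interleaving described above, replayed as a small user-space C model. This is an added example, not the kernel patch and not code from the advisory; the struct, state and function names are illustrative, and the fix is modelled only from the description's wording.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed user-space model of the sequence in the description.
 * All names are illustrative; this is not kernel code. */
enum st { ST_INIT, ST_ACTIVE, ST_WAIT_PEER_CLOSE, ST_CLOSED };

struct conn {
    enum st state;
    bool confirm_queued;  /* CLC CONFIRM sits in the TCP send buffer */
    bool peer_has_token;  /* server received CLC CONFIRM */
};

/* Models tcp_abort(): unsent data in the send buffer is discarded. */
static void model_tcp_abort(struct conn *c) { c->confirm_queued = false; }

/* Models the active close: final close message, then wait for the peer's
 * passive close, which can only arrive if the peer knows the token. */
static void model_close_active(struct conn *c)
{
    if (c->state == ST_ACTIVE)
        c->state = c->peer_has_token ? ST_CLOSED : ST_WAIT_PEER_CLOSE;
}

/* Replays the interleaving from the description (release path and connect
 * worker steps in the order shown). Returns the final connection state. */
static enum st replay(bool with_fix)
{
    struct conn c = { ST_INIT, false, false };
    enum st old = c.state;               /* release: state seen before abort */

    c.confirm_queued = true;             /* worker: CLC CONFIRM queued */
    if (old == ST_INIT)
        model_tcp_abort(&c);             /* release: drops the queued CONFIRM */
    c.peer_has_token = c.confirm_queued; /* nothing is left to deliver */
    c.state = ST_ACTIVE;                 /* worker: marks connection active */

    if (with_fix && old == ST_INIT && c.state == ST_ACTIVE)
        c.state = ST_CLOSED;             /* abort locally, skip the peer wait */
    else
        model_close_active(&c);
    return c.state;
}

int main(void)
{
    printf("without fix: %s\n", replay(false) == ST_WAIT_PEER_CLOSE ? "leaked, waits for peer" : "closed");
    printf("with fix:    %s\n", replay(true) == ST_CLOSED ? "closed" : "leaked");
    return 0;
}
```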

Vulnerable products and versions

CPE                                                 From              Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        5.3 (including)   5.10.104 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        5.11 (including)  5.15.27 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        5.16 (including)  5.16.13 (excluding)
cpe:2.3:o:linux:linux_kernel:5.17:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.17:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.17:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.17:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.17:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.17:rc6:*:*:*:*:*:*