Acknowledged
Created: Sep 7, 2025
Updated: Sep 8, 2025
Found In Version: 10.24.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 24
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:EOL][EOL]net/smc: fix UAF on smcsk after smc_listen_out()[EOL][EOL]BPF CI testing report a UAF issue:[EOL][EOL] [ 16.446633] BUG: kernel NULL pointer dereference, address: 000000000000003 0[EOL] [ 16.447134] #PF: supervisor read access in kernel mod e[EOL] [ 16.447516] #PF: error_code(0x0000) - not-present pag e[EOL] [ 16.447878] PGD 0 P4D 0[EOL] [ 16.448063] Oops: Oops: 0000 [#1] PREEMPT SMP NOPT I[EOL] [ 16.448409] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Tainted: G OE 6.13.0-rc3-g89e8a75fda73-dirty #4 2[EOL] [ 16.449124] Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODUL E[EOL] [ 16.449502] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/201 4[EOL] [ 16.450201] Workqueue: smc_hs_wq smc_listen_wor k[EOL] [ 16.450531] RIP: 0010:smc_listen_work+0xc02/0x159 0[EOL] [ 16.452158] RSP: 0018:ffffb5ab40053d98 EFLAGS: 0001024 6[EOL] [ 16.452526] RAX: 0000000000000001 RBX: 0000000000000002 RCX: 000000000000030 0[EOL] [ 16.452994] RDX: 0000000000000280 RSI: 00003513840053f0 RDI: 000000000000000 0[EOL] [ 16.453492] RBP: ffffa097808e3800 R08: ffffa09782dba1e0 R09: 000000000000000 5[EOL] [ 16.453987] R10: 0000000000000000 R11: 0000000000000000 R12: ffffa0978274640 0[EOL] [ 16.454497] R13: 0000000000000000 R14: 0000000000000000 R15: ffffa09782d4092 0[EOL] [ 16.454996] FS: 0000000000000000(0000) GS:ffffa097bbc00000(0000) knlGS:000000000000000 0[EOL] [ 16.455557] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003 3[EOL] [ 16.455961] CR2: 0000000000000030 CR3: 0000000102788004 CR4: 0000000000770ef 0[EOL] [ 16.456459] PKRU: 5555555 4[EOL] [ 16.456654] Call Trace :[EOL] [ 16.456832] <TASK >[EOL] [ 16.456989] ? __die+0x23/0x7 0[EOL] [ 16.457215] ? page_fault_oops+0x180/0x4c 0[EOL] [ 16.457508] ? __lock_acquire+0x3e6/0x249 0[EOL] [ 16.457801] ? exc_page_fault+0x68/0x20 0[EOL] [ 16.458080] ? asm_exc_page_fault+0x26/0x3 0[EOL] [ 16.458389] ? smc_listen_work+0xc02/0x159 0[EOL] [ 16.458689] ? smc_listen_work+0xc02/0x159 0[EOL] [ 16.458987] ? lock_is_held_type+0x8f/0x10 0[EOL] [ 16.459284] process_one_work+0x1ea/0x6d 0[EOL] [ 16.459570] worker_thread+0x1c3/0x38 0[EOL] [ 16.459839] ? __pfx_worker_thread+0x10/0x1 0[EOL] [ 16.460144] kthread+0xe0/0x11 0[EOL] [ 16.460372] ? __pfx_kthread+0x10/0x1 0[EOL] [ 16.460640] ret_from_fork+0x31/0x5 0[EOL] [ 16.460896] ? __pfx_kthread+0x10/0x1 0[EOL] [ 16.461166] ret_from_fork_asm+0x1a/0x3 0[EOL] [ 16.461453] </TASK >[EOL] [ 16.461616] Modules linked in: bpf_testmod(OE) [last unloaded: bpf_testmod(OE) ][EOL] [ 16.462134] CR2: 000000000000003 0[EOL] [ 16.462380] ---[ end trace 0000000000000000 ]---[EOL] [ 16.462710] RIP: 0010:smc_listen_work+0xc02/0x1590[EOL][EOL]The direct cause of this issue is that after smc_listen_out_connected(),[EOL]newclcsock->sk may be NULL since it will releases the smcsk. Therefore,[EOL]if the application closes the socket immediately after accept,[EOL]newclcsock->sk can be NULL. A possible execution order could be as[EOL]follows:[EOL][EOL]smc_listen_work ( userspace[EOL)-----------------------------------------------------------------EOL]lock_sock(sk) ([EOL)smc_listen_out_connected() |EOL] ( \\- smc_listen_out |[EOL)| | \\- release_sock |EOL] ( |- sk->sk_data_ready() |[EOL) | fd = accept();EOL] ( close(fd);[EOL) | \\- socket->sk = NULL;EOL]/* newclcsock->sk is NULL now */[EOL]SMC_STAT_SERV_SUCC_INC(sock_net(newclcsock->sk))[EOL][EOL]Since smc_listen_out_connected() will not fail, simply swapping the order[EOL]of the code can easily fix this issue.
CREATE(Triage):(User=admin) [CVE-2025-38734 (https://nvd.nist.gov/vuln/detail/CVE-2025-38734)
