Guangguan Wang

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A vulnerability in the Linux kernel has been resolved, specifically in the net/smc component. The issue arises when "link down" work is scheduled before lgr is freed but executes after lgr is freed, potentially causing a crash. To address this, a reference must be held before scheduling the link down work and released after the work is executed or canceled. A crash call stack is provided, indicating a list del corruption error. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 6.6.74 Description: The issue arises when receiving a proposal message in the server, where the `smcd v2 ext offset` field from the remote client cannot be fully trusted. If the value of `smcd v2 ext offset` exceeds the maximum value, it may lead to accessing the wrong address, potentially causing a crash. This is resolved by checking the value of `smcd v2 ext offset` before using it. Recommendations: For versions prior to 6.6.74, update to version 6.6.74 or later to resolve the issue. As a temporary workaround, consider restricting access to the `net/smc` module until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.74 **Description** The issue concerns the Linux kernel, specifically the net/smc component. When receiving a proposal message in the server, the fields `v2 ext offset`, `eid cnt`, and `ism gid cnt` in the proposal message are from the remote client and cannot be fully trusted. Especially the field `v2 ext offset`, once it exceeds the maximum value, there is a chance to access the wrong address, and a crash may happen. This patch checks the fields `v2 ext offset`, `eid cnt`, and `ism gid cnt` before using them. **Recommendations** For Linux kernel versions prior to 6.6.74, update to version 6.6.74 or later to resolve the issue. As a temporary workaround, consider restricting access to the net/smc component until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.74 **Description** The issue concerns the Linux kernel, specifically the net/smc component. When receiving a proposal message in the server, the fields `iparea offset` and `ipv6 prefixes cnt` from the remote client are not fully trusted. If the `iparea offset` exceeds its maximum value, it may lead to accessing the wrong address, potentially causing a crash. The patch addresses this by checking `iparea offset` and `ipv6 prefixes cnt` before using them. **Recommendations** For versions prior to 6.6.74, update to version 6.6.74 or later to resolve the issue. As a temporary workaround, consider restricting access to the net/smc component until the patch is applied.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.74 **Description** A vulnerability in the Linux kernel has been identified where the field length in `smc clc msg hdr` indicates the length of a message to be received from the network. This value should not be fully trusted as it comes from the network. If the length exceeds the `buflen` value in the `smc clc wait msg` function, it may cause a deadloop when trying to drain the remaining data. The patch checks the return value of `sock recvmsg` when draining data to prevent this deadloop. **Recommendations** For Linux kernel versions prior to 6.6.74, update to version 6.6.74 or later to resolve the issue. As a temporary workaround, consider restricting network access to minimize the risk of exploitation until the update can be applied.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.74 **Description** A use-after-free issue was encountered in the Linux kernel, specifically in the net/smc component. This issue manifested as the LGR/link refcnt reaching 0 early and entering the clear process, making resource access unsafe. The problem is caused by repeated release of LGR/link refcnt, potentially due to smc conn free() being called repeatedly without sock lock protection. **Recommendations** Update to Linux kernel version 6.6.74 or later to resolve the issue. As a temporary workaround, consider adding sock lock protection in the smc listen work() path to prevent repeated release of LGR/link refcnt.