Wen Gu

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.74 **Description** The issue concerns the Linux kernel, specifically the net/smc component. When receiving a proposal message in the server, the fields `iparea offset` and `ipv6 prefixes cnt` from the remote client are not fully trusted. If the `iparea offset` exceeds its maximum value, it may lead to accessing the wrong address, potentially causing a crash. The patch addresses this by checking `iparea offset` and `ipv6 prefixes cnt` before using them. **Recommendations** For versions prior to 6.6.74, update to version 6.6.74 or later to resolve the issue. As a temporary workaround, consider restricting access to the net/smc component until the patch is applied.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.74 **Description** A use-after-free issue was encountered in the Linux kernel, specifically in the net/smc component. This issue manifested as the LGR/link refcnt reaching 0 early and entering the clear process, making resource access unsafe. The problem is caused by repeated release of LGR/link refcnt, potentially due to smc conn free() being called repeatedly without sock lock protection. **Recommendations** Update to Linux kernel version 6.6.74 or later to resolve the issue. As a temporary workaround, consider adding sock lock protection in the smc listen work() path to prevent repeated release of LGR/link refcnt.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: The issue is related to a refcount leak in the `smc ib find route()` function, which may cause the disclosure of confidential information. The leak occurs because the neighbour found by `neigh lookup()` and the rtable resolved by `ip route output flow()` are not released or put before return. This may lead to a refcount leak. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions 6.7.0 and earlier **Description** A crash was found when dumping SMC-D connections in the Linux kernel. The issue can be reproduced by running a specific test and continuously dumping SMC-D connections in parallel. The crash is caused by a kernel NULL pointer dereference, which occurs when the connection is in the process of being established and the `rmb desc` has not yet been initialized. The vulnerability can be exploited to cause a denial of service. **Recommendations** To resolve the issue, update the Linux kernel to a version that includes the fix for the `net/smc: fix illegal rmb desc access in SMC-D connection dump` vulnerability. As a temporary workaround, consider disabling the `smc diag dump()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 5.16.0-rc4+ **Description** The issue is related to a kernel NULL pointer dereference in the `smc setsockopt()` function, caused by accessing `smc->clcsock` after it has been released. This can lead to a crash. The problem is addressed by holding `clcsock release lock` and checking whether `clcsock` has already been released before access. The patch also checks `smc->clcsock` in `smc getsockopt()` and `smc switch to fallback()` to prevent similar crashes. **Recommendations** To resolve the issue, update the Linux kernel to a version that includes the fix for the `net/smc: Transitional solution for clcsock race issue`. As a temporary workaround, consider disabling the `smc setsockopt()` function until a patch is available. Restrict access to the vulnerable module `net/smc` to minimize the risk of exploitation. Avoid using the `smc setsockopt()` function in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 5.16.0-rc4+ **Description** A crash occurs in the Linux kernel when the `smc cdc tx handler()` function tries to access `smc sock` but `smc release()` has already freed it. This happens due to a race condition between `smc cdc tx handler()` and `smc release()`. The `smc cdc tx handler()` function checks the existence of the smc connection, but `smc release()` may have already dismissed and released the smc socket before `smc cdc tx handler()` further visits it. To fix this issue, a refcount is added on the `smc connection` for inflight CDC messages, and the `smc connection` is not released until all inflight CDC messages have been done. **Recommendations** To resolve this issue, update the Linux kernel to a version that includes the fix for the `net/smc` vulnerability. Specifically, update to a version later than 5.16.0-rc4+. Note: The provided information does not specify the exact version that includes the fix, so it is recommended to update to the latest available version of the Linux kernel. As a temporary workaround, consider disabling the `smc cdc tx handler()` function until a patch is available. However, this may have unintended consequences and should be done with caution. It is also recommended to restrict access to the vulnerable module `net/smc` to minimize the risk of exploitation. Avoid using the `smc sock` in the affected API endpoint until the issue is resolved. For IB device removal routine, wait for all the QPs on that device to be destroyed before destroying CQs on the device. At the moment, there is no other information about additional mitigation measures or workarounds.