PT-2021-8073 · Linux+3 · Linux Kernel+3

Wen Gu · Published 2021-12-28 · Updated 2025-04-16 · CVE-2021-46925

CVSS v3.1: 4.7 Medium

Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Linux kernel versions prior to 5.16.0-rc4+

Description

A crash occurs in the Linux kernel when smc_cdc_tx_handler() tries to access the smc_sock after smc_release() has already freed it. This is a race condition between smc_cdc_tx_handler() and smc_release(): smc_cdc_tx_handler() checks that the smc connection exists, but smc_release() may have already dismissed and released the smc socket before smc_cdc_tx_handler() accesses it further. The fix adds a refcount on the smc connection for inflight CDC messages, and the smc connection is not released until all inflight CDC messages have completed.
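
The refcount pattern described above, as an added userspace model (not the kernel patch; every name in it is hypothetical). Where the description says the connection is not released until inflight messages are done, this single-threaded replay defers the free to the last completion so the interleaving can be run without threads.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Userspace model of the fix pattern; all names are hypothetical. */
struct conn {
    int  pend_tx;   /* in-flight CDC messages, each holds one reference */
    int  tx_done;   /* state the completion handler updates */
    bool closing;   /* release has been requested */
};

static int conns_freed;  /* lets the caller observe when memory is released */
static void conn_destroy(struct conn *c) { free(c); conns_freed++; }

/* Take a reference before the message is handed to the device. */
void tx_post(struct conn *c) { c->pend_tx++; }

/* Completion handler: the reference taken in tx_post() keeps *c valid here. */
void tx_complete(struct conn *c)
{
    c->tx_done++;
    if (--c->pend_tx == 0 && c->closing)
        conn_destroy(c);            /* last in-flight message drops the connection */
}

/* Release path: returns true if freed now, false if deferred to tx_complete(). */
bool conn_release(struct conn *c)
{
    c->closing = true;
    if (c->pend_tx > 0)
        return false;
    conn_destroy(c);
    return true;
}

/* Replay: post `inflight` sends, release, then run `completions` handlers.
 * Returns how many times the connection had been freed at that point. */
int replay(int inflight, int completions)
{
    int before = conns_freed, freed;
    struct conn *c = calloc(1, sizeof(*c));
    if (!c) return -1;
    if (completions > inflight) completions = inflight;
    for (int i = 0; i < inflight; i++) tx_post(c);
    conn_release(c);                /* socket closed while sends are pending */
    for (int i = 0; i < completions; i++) tx_complete(c);
    freed = conns_freed - before;
    for (int i = completions; i < inflight; i++) tx_complete(c); /* drain */
    return freed;
}
```

Without the `pend_tx` check in `conn_release()`, the same sequence frees the connection while completions are still outstanding, which is the crash the description reports.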

Recommendations

To resolve this issue, update the Linux kernel to a version that includes the fix for the net/smc vulnerability. Specifically, update to a version later than 5.16.0-rc4+.

Note: The provided information does not specify the exact version that includes the fix, so it is recommended to update to the latest available version of the Linux kernel.

As a temporary workaround, consider disabling the smc_cdc_tx_handler() function until a patch is available. However, this may have unintended consequences and should be done with caution.

It is also recommended to restrict access to the vulnerable module net/smc to minimize the risk of exploitation.

Avoid using the smc_sock in the affected API endpoint until the issue is resolved.

For the IB device removal routine, wait for all the QPs on that device to be destroyed before destroying CQs on the device.

At the moment, there is no other information about additional mitigation measures or workarounds.

Exploit

Fix

Race Condition

Weakness Enumeration

Related Identifiers

BDU:2024-06294
CVE-2021-46925
OPENSUSE-SU-2024_1321-1
OPENSUSE-SU-2024_1322-1
OPENSUSE-SU-2024_1322-2
OPENSUSE-SU-2024_1332-1
OPENSUSE-SU-2024_1332-2
OPENSUSE-SU-2024_1466-1
OPENSUSE-SU-2024_1480-1
OPENSUSE-SU-2024_1490-1
SUSE-SU-2024:1320-1
SUSE-SU-2024:1321-1
SUSE-SU-2024:1466-1
SUSE-SU-2024:1480-1
SUSE-SU-2024:1490-1
SUSE-SU-2024_1321-1
SUSE-SU-2024_1322-1
SUSE-SU-2024_1322-2
SUSE-SU-2024_1332-1
SUSE-SU-2024_1332-2
SUSE-SU-2024_1466-1
SUSE-SU-2024_1480-1
SUSE-SU-2024_1490-1
SUSE-SU-2025:1293-1
SUSE-SU-2025_1293-1

Affected Products

Astra Linux
Linux Kernel
Red Os
Suse