In the Linux kernel, a vulnerability was discovered and subsequently fixed. The issue is related to the illegal access of rmb_desc in the SMC-D connection dump which could lead to a crash when dumping SMC-D connections.

Run an nginx/wrk test using the commands

smc_run nginx
smc_run wrk -t 16 -c 100 -d <duration> -H 'Connection: Close' <URL>

Continuously dump SMC-D connections in parallel using the command

watch -n 1 'smcss -D'

This would lead to a NULL pointer dereference crash in the kernel with a call trace as follows

BUG: kernel NULL pointer dereference, address: 000000000000003
<call_trace_info>

It has been observed that the connection being dumped might still be in the process of being established. It is assumed that the connection has been registered in a link group using the smc_conn_create() function, but the rmb_desc has not been initialized by the smc_buf_create() function, thus causing the illegal access to conn->rmb_desc.

In order to fix the issue, a check should be added before the dump to prevent illegal access. The related initiative to fix this vulnerability can be found on the Linux kernel mailing list.

Timeline

Published on: 03/11/2024 18:15:19 UTC
Last modified on: 06/27/2024 12:15:18 UTC