In the Linux kernel, a vulnerability was discovered and subsequently fixed. The issue is an illegal access of rmb_desc in the SMC-D connection dump path, which could crash the kernel when SMC-D connections are dumped.

Run an nginx/wrk test using the commands

smc_run nginx
smc_run wrk -t 16 -c 100 -d <duration> -H 'Connection: Close' <URL>

Continuously dump SMC-D connections in parallel using the command

watch -n 1 'smcss -D'

This would lead to a NULL pointer dereference crash in the kernel, with a call trace as follows:

BUG: kernel NULL pointer dereference, address: 000000000000003
<call_trace_info>

It has been observed that the connection being dumped may still be in the process of being established: it has already been registered in a link group by smc_conn_create(), but its rmb_desc has not yet been initialized by smc_buf_create(), so the dump dereferences a NULL conn->rmb_desc.

The fix adds a check before the dump so that rmb_desc is not accessed before it has been initialized. The patch discussion can be found on the Linux kernel mailing list.
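The following is an added, constructed C model of the race described above; it is not the kernel's own code and not the actual patch. It keeps only the fields the dump touches (the struct names, the smcd_dmb and smcd_diag_record types, the is_smcd and peer_token fields, and the dump_* helpers are assumptions made for illustration; only rmb_desc, smc_conn_create() and smc_buf_create() come from the report). It places the unchecked dump beside the checked one and walks a table containing one fully established connection and one that is still between smc_conn_create() and smc_buf_create(), showing that the check skips the half-established connection instead of dereferencing NULL.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed, simplified model of the kernel structures involved; these are
 * not the kernel's definitions. Only the fields the dump needs are kept. */
struct smcd_dmb {                 /* stands in for the buffer that rmb_desc points to */
    unsigned long long token;
    unsigned int len;
};

struct smc_link_group {
    int is_smcd;                  /* 1 for an SMC-D link group (assumed field) */
};

struct smc_connection {
    struct smc_link_group *lgr;   /* set when smc_conn_create() registers the conn */
    struct smcd_dmb *rmb_desc;    /* set later by smc_buf_create(); NULL in between */
    int peer_token;               /* assumed field, just to have peer data to dump */
};

/* What the dump exports for one SMC-D connection (assumed record layout). */
struct smcd_diag_record {
    unsigned long long my_token;
    unsigned int my_len;
    int peer_token;
};

/* Vulnerable shape: dereferences conn->rmb_desc unconditionally. On a
 * connection that is registered but whose buffers are not created yet,
 * rmb_desc is still NULL and this is the NULL pointer dereference. */
static void dump_smcd_conn_unchecked(const struct smc_connection *conn,
                                     struct smcd_diag_record *out)
{
    out->my_token = conn->rmb_desc->token;
    out->my_len = conn->rmb_desc->len;
    out->peer_token = conn->peer_token;
}

/* Hardened shape: the check performed before the dump. Returns 1 when a
 * record was filled and 0 when the connection was skipped because it is
 * not SMC-D or because rmb_desc has not been initialized yet. */
static int dump_smcd_conn_checked(const struct smc_connection *conn,
                                  struct smcd_diag_record *out)
{
    if (!conn->lgr || !conn->lgr->is_smcd)
        return 0;                 /* not an SMC-D connection */
    if (!conn->rmb_desc)
        return 0;                 /* still being established: skip, do not touch */
    out->my_token = conn->rmb_desc->token;
    out->my_len = conn->rmb_desc->len;
    out->peer_token = conn->peer_token;
    return 1;
}

/* Walk a table of connections the way a dump would, returning how many
 * records were emitted; half-established connections are skipped. */
static int dump_all_checked(const struct smc_connection *conns, size_t n,
                            struct smcd_diag_record *recs)
{
    int emitted = 0;
    for (size_t i = 0; i < n; i++)
        if (dump_smcd_conn_checked(&conns[i], &recs[emitted]))
            emitted++;
    return emitted;
}

/* Constructed sample: two connections in one SMC-D link group, one fully
 * set up and one still between smc_conn_create() and smc_buf_create(). */
static struct smc_link_group sample_lgr = { .is_smcd = 1 };
static struct smcd_dmb sample_dmb = { .token = 0x1234, .len = 65536 };
static struct smc_connection sample_conns[2] = {
    { .lgr = &sample_lgr, .rmb_desc = &sample_dmb, .peer_token = 7 },
    { .lgr = &sample_lgr, .rmb_desc = NULL,        .peer_token = 0 },
};

int main(void)
{
    struct smcd_diag_record recs[2];
    int n = dump_all_checked(sample_conns, 2, recs);
    printf("dumped %d of 2 connections\n", n);   /* the second one is skipped */
    for (int i = 0; i < n; i++)
        printf("token=%llx len=%u peer=%d\n",
               recs[i].my_token, recs[i].my_len, recs[i].peer_token);
    /* dump_smcd_conn_unchecked(&sample_conns[1], &recs[0]) would crash here,
     * which is the behaviour the report describes; it is only safe on [0]. */
    return 0;
}
```

The check is ordered so that the link-group test comes before the rmb_desc test, mirroring the order in which the connection is built: a connection exists in the dump's view as soon as it is in a link group, and only later has its buffers. Anything a dump reads must therefore be guarded by the state that proves it has been initialized, not by the state that proves the connection exists.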

Timeline

Published on: 03/11/2024 18:15:19 UTC
Last modified on: 03/12/2024 12:40:13 UTC