CVE-2025-40357 - Vulnerability Details

Vendors	Products
Linux	Linux Kernel

Link	Providers
https://git.kernel.org/stable/c/5b6fc95c4a161326567bdf12a333768565b638f2
https://git.kernel.org/stable/c/99b5b3faf3220ba1cdab8e6e42be4f3f993937c3
https://git.kernel.org/stable/c/f584239a9ed25057496bf397c370cc5163dde419

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: net/smc: fix general protection fault in __smc_diag_dump The syzbot report a crash: Oops: general protection fault, probably for non-canonical address 0xfbd5a5d5a0000003: 0000 [#1] SMP KASAN NOPTI KASAN: maybe wild-memory-access in range [0xdead4ead00000018-0xdead4ead0000001f] CPU: 1 UID: 0 PID: 6949 Comm: syz.0.335 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025 RIP: 0010:smc_diag_msg_common_fill net/smc/smc_diag.c:44 [inline] RIP: 0010:__smc_diag_dump.constprop.0+0x3ca/0x2550 net/smc/smc_diag.c:89 Call Trace: <TASK> smc_diag_dump_proto+0x26d/0x420 net/smc/smc_diag.c:217 smc_diag_dump+0x27/0x90 net/smc/smc_diag.c:234 netlink_dump+0x539/0xd30 net/netlink/af_netlink.c:2327 __netlink_dump_start+0x6d6/0x990 net/netlink/af_netlink.c:2442 netlink_dump_start include/linux/netlink.h:341 [inline] smc_diag_handler_dump+0x1f9/0x240 net/smc/smc_diag.c:251 __sock_diag_cmd net/core/sock_diag.c:249 [inline] sock_diag_rcv_msg+0x438/0x790 net/core/sock_diag.c:285 netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2552 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline] netlink_unicast+0x5a7/0x870 net/netlink/af_netlink.c:1346 netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1896 sock_sendmsg_nosec net/socket.c:714 [inline] __sock_sendmsg net/socket.c:729 [inline] ____sys_sendmsg+0xa95/0xc70 net/socket.c:2614 ___sys_sendmsg+0x134/0x1d0 net/socket.c:2668 __sys_sendmsg+0x16d/0x220 net/socket.c:2700 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0x4e0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> The process like this: (CPU1) \| (CPU2) ---------------------------------\|------------------------------- inet_create() \| // init clcsock to NULL \| sk = sk_alloc() \| \| // unexpectedly change clcsock \| inet_init_csk_locks() \| \| // add sk to hash table \| smc_inet_init_sock() \| smc_sk_init() \| smc_hash_sk() \| \| // traverse the hash table \| smc_diag_dump_proto \| __smc_diag_dump() \| // visit wrong clcsock \| smc_diag_msg_common_fill() // alloc clcsock \| smc_create_clcsk \| sock_create_kern \| With CONFIG_DEBUG_LOCK_ALLOC=y, the smc->clcsock is unexpectedly changed in inet_init_csk_locks(). The INET_PROTOSW_ICSK flag is no need by smc, just remove it. After removing the INET_PROTOSW_ICSK flag, this patch alse revert commit 6fd27ea183c2 ("net/smc: fix lacks of icsk_syn_mss with IPPROTO_SMC") to avoid casting smc_sock to inet_connection_sock.
Title		net/smc: fix general protection fault in __smc_diag_dump
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/5b6fc95c4a161326567bdf12a333768565b638f2 https://git.kernel.org/stable/c/99b5b3faf3220ba1cdab8e6e42be4f3f993937c3 https://git.kernel.org/stable/c/f584239a9ed25057496bf397c370cc5163dde419

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-40357", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-04-16T07:20:57.187Z", "datePublished": "2025-12-16T13:30:29.758Z", "dateUpdated": "2025-12-16T13:30:29.758Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-12-16T13:30:29.758Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: fix general protection fault in __smc_diag_dump\n\nThe syzbot report a crash:\n\n Oops: general protection fault, probably for non-canonical address 0xfbd5a5d5a0000003: 0000 [#1] SMP KASAN NOPTI\n KASAN: maybe wild-memory-access in range [0xdead4ead00000018-0xdead4ead0000001f]\n CPU: 1 UID: 0 PID: 6949 Comm: syz.0.335 Not tainted syzkaller #0 PREEMPT(full)\n Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025\n RIP: 0010:smc_diag_msg_common_fill net/smc/smc_diag.c:44 [inline]\n RIP: 0010:__smc_diag_dump.constprop.0+0x3ca/0x2550 net/smc/smc_diag.c:89\n Call Trace:\n <TASK>\n smc_diag_dump_proto+0x26d/0x420 net/smc/smc_diag.c:217\n smc_diag_dump+0x27/0x90 net/smc/smc_diag.c:234\n netlink_dump+0x539/0xd30 net/netlink/af_netlink.c:2327\n __netlink_dump_start+0x6d6/0x990 net/netlink/af_netlink.c:2442\n netlink_dump_start include/linux/netlink.h:341 [inline]\n smc_diag_handler_dump+0x1f9/0x240 net/smc/smc_diag.c:251\n __sock_diag_cmd net/core/sock_diag.c:249 [inline]\n sock_diag_rcv_msg+0x438/0x790 net/core/sock_diag.c:285\n netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2552\n netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]\n netlink_unicast+0x5a7/0x870 net/netlink/af_netlink.c:1346\n netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1896\n sock_sendmsg_nosec net/socket.c:714 [inline]\n __sock_sendmsg net/socket.c:729 [inline]\n ____sys_sendmsg+0xa95/0xc70 net/socket.c:2614\n ___sys_sendmsg+0x134/0x1d0 net/socket.c:2668\n __sys_sendmsg+0x16d/0x220 net/socket.c:2700\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xcd/0x4e0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n </TASK>\n\nThe process like this:\n\n (CPU1) | (CPU2)\n ---------------------------------|-------------------------------\n inet_create() |\n // init clcsock to NULL |\n sk = sk_alloc() |\n |\n // unexpectedly change clcsock |\n inet_init_csk_locks() |\n |\n // add sk to hash table |\n smc_inet_init_sock() |\n smc_sk_init() |\n smc_hash_sk() |\n | // traverse the hash table\n | smc_diag_dump_proto\n | __smc_diag_dump()\n | // visit wrong clcsock\n | smc_diag_msg_common_fill()\n // alloc clcsock |\n smc_create_clcsk |\n sock_create_kern |\n\nWith CONFIG_DEBUG_LOCK_ALLOC=y, the smc->clcsock is unexpectedly changed\nin inet_init_csk_locks(). The INET_PROTOSW_ICSK flag is no need by smc,\njust remove it.\n\nAfter removing the INET_PROTOSW_ICSK flag, this patch alse revert\ncommit 6fd27ea183c2 (\"net/smc: fix lacks of icsk_syn_mss with IPPROTO_SMC\")\nto avoid casting smc_sock to inet_connection_sock."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/smc/smc_inet.c"], "versions": [{"version": "d25a92ccae6bed02327b63d138e12e7806830f78", "lessThan": "5b6fc95c4a161326567bdf12a333768565b638f2", "status": "affected", "versionType": "git"}, {"version": "d25a92ccae6bed02327b63d138e12e7806830f78", "lessThan": "99b5b3faf3220ba1cdab8e6e42be4f3f993937c3", "status": "affected", "versionType": "git"}, {"version": "d25a92ccae6bed02327b63d138e12e7806830f78", "lessThan": "f584239a9ed25057496bf397c370cc5163dde419", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/smc/smc_inet.c"], "versions": [{"version": "6.11", "status": "affected"}, {"version": "0", "lessThan": "6.11", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.56", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.17.6", "lessThanOrEqual": "6.17.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.11", "versionEndExcluding": "6.12.56"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.11", "versionEndExcluding": "6.17.6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.11", "versionEndExcluding": "6.18"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/5b6fc95c4a161326567bdf12a333768565b638f2"}, {"url": "https://git.kernel.org/stable/c/99b5b3faf3220ba1cdab8e6e42be4f3f993937c3"}, {"url": "https://git.kernel.org/stable/c/f584239a9ed25057496bf397c370cc5163dde419"}], "title": "net/smc: fix general protection fault in __smc_diag_dump", "x_generator": {"engine": "bippy-1.2.0"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: fix general protection fault in __smc_diag_dump\n\nThe syzbot report a crash:\n\n Oops: general protection fault, probably for non-canonical address 0xfbd5a5d5a0000003: 0000 [#1] SMP KASAN NOPTI\n KASAN: maybe wild-memory-access in range [0xdead4ead00000018-0xdead4ead0000001f]\n CPU: 1 UID: 0 PID: 6949 Comm: syz.0.335 Not tainted syzkaller #0 PREEMPT(full)\n Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025\n RIP: 0010:smc_diag_msg_common_fill net/smc/smc_diag.c:44 [inline]\n RIP: 0010:__smc_diag_dump.constprop.0+0x3ca/0x2550 net/smc/smc_diag.c:89\n Call Trace:\n <TASK>\n smc_diag_dump_proto+0x26d/0x420 net/smc/smc_diag.c:217\n smc_diag_dump+0x27/0x90 net/smc/smc_diag.c:234\n netlink_dump+0x539/0xd30 net/netlink/af_netlink.c:2327\n __netlink_dump_start+0x6d6/0x990 net/netlink/af_netlink.c:2442\n netlink_dump_start include/linux/netlink.h:341 [inline]\n smc_diag_handler_dump+0x1f9/0x240 net/smc/smc_diag.c:251\n __sock_diag_cmd net/core/sock_diag.c:249 [inline]\n sock_diag_rcv_msg+0x438/0x790 net/core/sock_diag.c:285\n netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2552\n netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]\n netlink_unicast+0x5a7/0x870 net/netlink/af_netlink.c:1346\n netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1896\n sock_sendmsg_nosec net/socket.c:714 [inline]\n __sock_sendmsg net/socket.c:729 [inline]\n ____sys_sendmsg+0xa95/0xc70 net/socket.c:2614\n ___sys_sendmsg+0x134/0x1d0 net/socket.c:2668\n __sys_sendmsg+0x16d/0x220 net/socket.c:2700\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xcd/0x4e0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n </TASK>\n\nThe process like this:\n\n (CPU1) | (CPU2)\n ---------------------------------|-------------------------------\n inet_create() |\n // init clcsock to NULL |\n sk = sk_alloc() |\n |\n // unexpectedly change clcsock |\n inet_init_csk_locks() |\n |\n // add sk to hash table |\n smc_inet_init_sock() |\n smc_sk_init() |\n smc_hash_sk() |\n | // traverse the hash table\n | smc_diag_dump_proto\n | __smc_diag_dump()\n | // visit wrong clcsock\n | smc_diag_msg_common_fill()\n // alloc clcsock |\n smc_create_clcsk |\n sock_create_kern |\n\nWith CONFIG_DEBUG_LOCK_ALLOC=y, the smc->clcsock is unexpectedly changed\nin inet_init_csk_locks(). The INET_PROTOSW_ICSK flag is no need by smc,\njust remove it.\n\nAfter removing the INET_PROTOSW_ICSK flag, this patch alse revert\ncommit 6fd27ea183c2 (\"net/smc: fix lacks of icsk_syn_mss with IPPROTO_SMC\")\nto avoid casting smc_sock to inet_connection_sock."}], "id": "CVE-2025-40357", "lastModified": "2025-12-16T14:15:47.637", "metrics": {}, "published": "2025-12-16T14:15:47.637", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/5b6fc95c4a161326567bdf12a333768565b638f2"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/99b5b3faf3220ba1cdab8e6e42be4f3f993937c3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f584239a9ed25057496bf397c370cc5163dde419"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

Metrics

Affected Vendors & Products

Metrics

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object