{"id":"CVE-2025-40357","summary":"net/smc: fix general protection fault in __smc_diag_dump","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: fix general protection fault in __smc_diag_dump\n\nThe syzbot report a crash:\n\n  Oops: general protection fault, probably for non-canonical address 0xfbd5a5d5a0000003: 0000 [#1] SMP KASAN NOPTI\n  KASAN: maybe wild-memory-access in range [0xdead4ead00000018-0xdead4ead0000001f]\n  CPU: 1 UID: 0 PID: 6949 Comm: syz.0.335 Not tainted syzkaller #0 PREEMPT(full)\n  Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025\n  RIP: 0010:smc_diag_msg_common_fill net/smc/smc_diag.c:44 [inline]\n  RIP: 0010:__smc_diag_dump.constprop.0+0x3ca/0x2550 net/smc/smc_diag.c:89\n  Call Trace:\n   \u003cTASK\u003e\n   smc_diag_dump_proto+0x26d/0x420 net/smc/smc_diag.c:217\n   smc_diag_dump+0x27/0x90 net/smc/smc_diag.c:234\n   netlink_dump+0x539/0xd30 net/netlink/af_netlink.c:2327\n   __netlink_dump_start+0x6d6/0x990 net/netlink/af_netlink.c:2442\n   netlink_dump_start include/linux/netlink.h:341 [inline]\n   smc_diag_handler_dump+0x1f9/0x240 net/smc/smc_diag.c:251\n   __sock_diag_cmd net/core/sock_diag.c:249 [inline]\n   sock_diag_rcv_msg+0x438/0x790 net/core/sock_diag.c:285\n   netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2552\n   netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]\n   netlink_unicast+0x5a7/0x870 net/netlink/af_netlink.c:1346\n   netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1896\n   sock_sendmsg_nosec net/socket.c:714 [inline]\n   __sock_sendmsg net/socket.c:729 [inline]\n   ____sys_sendmsg+0xa95/0xc70 net/socket.c:2614\n   ___sys_sendmsg+0x134/0x1d0 net/socket.c:2668\n   __sys_sendmsg+0x16d/0x220 net/socket.c:2700\n   do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n   do_syscall_64+0xcd/0x4e0 arch/x86/entry/syscall_64.c:94\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n   \u003c/TASK\u003e\n\nThe process like this:\n\n               (CPU1)              |             (CPU2)\n  ---------------------------------|-------------------------------\n  inet_create()                    |\n    // init clcsock to NULL        |\n    sk = sk_alloc()                |\n                                   |\n    // unexpectedly change clcsock |\n    inet_init_csk_locks()          |\n                                   |\n    // add sk to hash table        |\n    smc_inet_init_sock()           |\n      smc_sk_init()                |\n        smc_hash_sk()              |\n                                   | // traverse the hash table\n                                   | smc_diag_dump_proto\n                                   |   __smc_diag_dump()\n                                   |     // visit wrong clcsock\n                                   |     smc_diag_msg_common_fill()\n    // alloc clcsock               |\n    smc_create_clcsk               |\n      sock_create_kern             |\n\nWith CONFIG_DEBUG_LOCK_ALLOC=y, the smc-\u003eclcsock is unexpectedly changed\nin inet_init_csk_locks(). The INET_PROTOSW_ICSK flag is no need by smc,\njust remove it.\n\nAfter removing the INET_PROTOSW_ICSK flag, this patch alse revert\ncommit 6fd27ea183c2 (\"net/smc: fix lacks of icsk_syn_mss with IPPROTO_SMC\")\nto avoid casting smc_sock to inet_connection_sock.","modified":"2026-03-20T12:43:16.679261Z","published":"2025-12-16T13:30:29.758Z","related":["SUSE-SU-2026:0278-1","SUSE-SU-2026:0281-1","SUSE-SU-2026:0315-1","SUSE-SU-2026:20207-1","SUSE-SU-2026:20220-1","SUSE-SU-2026:20228-1","openSUSE-SU-2026:20145-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40357.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/5b6fc95c4a161326567bdf12a333768565b638f2"},{"type":"WEB","url":"https://git.kernel.org/stable/c/99b5b3faf3220ba1cdab8e6e42be4f3f993937c3"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f584239a9ed25057496bf397c370cc5163dde419"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40357.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-40357"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"d25a92ccae6bed02327b63d138e12e7806830f78"},{"fixed":"5b6fc95c4a161326567bdf12a333768565b638f2"},{"fixed":"99b5b3faf3220ba1cdab8e6e42be4f3f993937c3"},{"fixed":"f584239a9ed25057496bf397c370cc5163dde419"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40357.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.11.0"},{"fixed":"6.12.56"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.17.6"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40357.json"}}],"schema_version":"1.7.5"}