Description
In the Linux kernel, the following vulnerability has been resolved: net/smc: fix double-free of smc_spd_priv when tee() duplicates splice pipe buffer smc_rx_splice() allocates one smc_spd_priv per pipe_buffer and stores the pointer in pipe_buffer.private. The pipe_buf_operations for these buffers used .get = generic_pipe_buf_get, which only increments the page reference count when tee(2) duplicates a pipe buffer. The smc_spd_priv pointer itself was not handled, so after tee() both the original and the cloned pipe_buffer share the same smc_spd_priv *. When both pipes are subsequently released, smc_rx_pipe_buf_release() is called twice against the same object: 1st call: kfree(priv) sock_put(sk) smc_rx_update_cons() [correct] 2nd call: kfree(priv) sock_put(sk) smc_rx_update_cons() [UAF] KASAN reports a slab-use-after-free in smc_rx_pipe_buf_release(), which then escalates to a NULL-pointer dereference and kernel panic via smc_rx_update_consumer() when it chases the freed priv->smc pointer: BUG: KASAN: slab-use-after-free in smc_rx_pipe_buf_release+0x78/0x2a0 Read of size 8 at addr ffff888004a45740 by task smc_splice_tee_/74 Call Trace: <TASK> dump_stack_lvl+0x53/0x70 print_report+0xce/0x650 kasan_report+0xc6/0x100 smc_rx_pipe_buf_release+0x78/0x2a0 free_pipe_info+0xd4/0x130 pipe_release+0x142/0x160 __fput+0x1c6/0x490 __x64_sys_close+0x4f/0x90 do_syscall_64+0xa6/0x1a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> BUG: kernel NULL pointer dereference, address: 0000000000000020 RIP: 0010:smc_rx_update_consumer+0x8d/0x350 Call Trace: <TASK> smc_rx_pipe_buf_release+0x121/0x2a0 free_pipe_info+0xd4/0x130 pipe_release+0x142/0x160 __fput+0x1c6/0x490 __x64_sys_close+0x4f/0x90 do_syscall_64+0xa6/0x1a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> Kernel panic - not syncing: Fatal exception Beyond the memory-safety problem, duplicating an SMC splice buffer is semantically questionable: smc_rx_update_cons() would advance the consumer cursor twice for the same data, corrupting receive-window accounting. A refcount on smc_spd_priv could fix the double-free, but the cursor-accounting issue would still need to be addressed separately. The .get callback is invoked by both tee(2) and splice_pipe_to_pipe() for partial transfers; both will now return -EFAULT. Users who need to duplicate SMC socket data must use a copy-based read path.
Product status
9014db202cb764b8e14c53e7bacc81f9a1a2ba7f (git) before 7e8916f46c2f48607f907fd401590093753a6bc5
9014db202cb764b8e14c53e7bacc81f9a1a2ba7f (git) before ae5575e660410c8d2c5d38fb28a0f37aea945676
9014db202cb764b8e14c53e7bacc81f9a1a2ba7f (git) before 98ba5cb274768146e25ffbfde47753652c1c20d3
9014db202cb764b8e14c53e7bacc81f9a1a2ba7f (git) before 81acbd345d405994875d419d43b319fee0b9ad62
9014db202cb764b8e14c53e7bacc81f9a1a2ba7f (git) before 7bcb974c771c863e8588cea0012ac204443a7126
9014db202cb764b8e14c53e7bacc81f9a1a2ba7f (git) before 54c87a730157868543ebdfa0ecb21b4590ed23a5
9014db202cb764b8e14c53e7bacc81f9a1a2ba7f (git) before 3cc76380fea749280c026f410af56a28aaac388a
9014db202cb764b8e14c53e7bacc81f9a1a2ba7f (git) before 24dd586bb4cbba1889a50abe74143817a095c1c9
4.18
Any version before 4.18
5.10.253 (semver)
5.15.203 (semver)
6.1.168 (semver)
6.6.131 (semver)
6.12.80 (semver)
6.18.21 (semver)
6.19.11 (semver)
7.0 (original_commit_for_fix)
References
git.kernel.org/...c/7e8916f46c2f48607f907fd401590093753a6bc5
git.kernel.org/...c/ae5575e660410c8d2c5d38fb28a0f37aea945676
git.kernel.org/...c/98ba5cb274768146e25ffbfde47753652c1c20d3
git.kernel.org/...c/81acbd345d405994875d419d43b319fee0b9ad62
git.kernel.org/...c/7bcb974c771c863e8588cea0012ac204443a7126
git.kernel.org/...c/54c87a730157868543ebdfa0ecb21b4590ed23a5
git.kernel.org/...c/3cc76380fea749280c026f410af56a28aaac388a
git.kernel.org/...c/24dd586bb4cbba1889a50abe74143817a095c1c9