nvd-json-data-feeds/CVE-2022/CVE-2022-487xx/CVE-2022-48721.json

{
  "id": "CVE-2022-48721",
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "published": "2024-06-20T11:15:55.620",
  "lastModified": "2024-06-20T11:15:55.620",
  "vulnStatus": "Received",
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: Forward wakeup to smc socket waitqueue after fallback\n\nWhen we replace TCP with SMC and a fallback occurs, there may be\nsome socket waitqueue entries remaining in smc socket->wq, such\nas eppoll_entries inserted by userspace applications.\n\nAfter the fallback, data flows over TCP/IP and only clcsocket->wq\nwill be woken up. Applications can't be notified by the entries\nwhich were inserted in smc socket->wq before fallback. So we need\na mechanism to wake up smc socket->wq at the same time if some\nentries remaining in it.\n\nThe current workaround is to transfer the entries from smc socket->wq\nto clcsock->wq during the fallback. But this may cause a crash\nlike this:\n\n general protection fault, probably for non-canonical address 0xdead000000000100: 0000 [#1] PREEMPT SMP PTI\n CPU: 3 PID: 0 Comm: swapper/3 Kdump: loaded Tainted: G E     5.16.0+ #107\n RIP: 0010:__wake_up_common+0x65/0x170\n Call Trace:\n  <IRQ>\n  __wake_up_common_lock+0x7a/0xc0\n  sock_def_readable+0x3c/0x70\n  tcp_data_queue+0x4a7/0xc40\n  tcp_rcv_established+0x32f/0x660\n  ? sk_filter_trim_cap+0xcb/0x2e0\n  tcp_v4_do_rcv+0x10b/0x260\n  tcp_v4_rcv+0xd2a/0xde0\n  ip_protocol_deliver_rcu+0x3b/0x1d0\n  ip_local_deliver_finish+0x54/0x60\n  ip_local_deliver+0x6a/0x110\n  ? tcp_v4_early_demux+0xa2/0x140\n  ? tcp_v4_early_demux+0x10d/0x140\n  ip_sublist_rcv_finish+0x49/0x60\n  ip_sublist_rcv+0x19d/0x230\n  ip_list_rcv+0x13e/0x170\n  __netif_receive_skb_list_core+0x1c2/0x240\n  netif_receive_skb_list_internal+0x1e6/0x320\n  napi_complete_done+0x11d/0x190\n  mlx5e_napi_poll+0x163/0x6b0 [mlx5_core]\n  __napi_poll+0x3c/0x1b0\n  net_rx_action+0x27c/0x300\n  __do_softirq+0x114/0x2d2\n  irq_exit_rcu+0xb4/0xe0\n  common_interrupt+0xba/0xe0\n  </IRQ>\n  <TASK>\n\nThe crash is caused by privately transferring waitqueue entries from\nsmc socket->wq to clcsock->wq. The owners of these entries, such as\nepoll, have no idea that the entries have been transferred to a\ndifferent socket wait queue and still use original waitqueue spinlock\n(smc socket->wq.wait.lock) to make the entries operation exclusive,\nbut it doesn't work. The operations to the entries, such as removing\nfrom the waitqueue (now is clcsock->wq after fallback), may cause a\ncrash when clcsock waitqueue is being iterated over at the moment.\n\nThis patch tries to fix this by no longer transferring wait queue\nentries privately, but introducing own implementations of clcsock's\ncallback functions in fallback situation. The callback functions will\nforward the wakeup to smc socket->wq if clcsock->wq is actually woken\nup and smc socket->wq has remaining entries."
    }
  ],
  "metrics": {},
  "references": [
    {
      "url": "https://git.kernel.org/stable/c/0ef6049f664941bc0f75828b3a61877635048b27",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    },
    {
      "url": "https://git.kernel.org/stable/c/341adeec9adad0874f29a0a1af35638207352a39",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    },
    {
      "url": "https://git.kernel.org/stable/c/504078fbe9dd570d685361b57784a6050bc40aaa",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    }
  ]
}
Auto-Update: 2024-06-20T12:00:18.799054+00:00 2024-06-20 12:03:13 +00:00			`{`
			`"id": "CVE-2022-48721",`
			`"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",`
			`"published": "2024-06-20T11:15:55.620",`
			`"lastModified": "2024-06-20T11:15:55.620",`
			`"vulnStatus": "Received",`
			`"descriptions": [`
			`{`
			`"lang": "en",`
			"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: Forward wakeup to smc socket waitqueue after fallback\n\nWhen we replace TCP with SMC and a fallback occurs, there may be\nsome socket waitqueue entries remaining in smc socket->wq, such\nas eppoll_entries inserted by userspace applications.\n\nAfter the fallback, data flows over TCP/IP and only clcsocket->wq\nwill be woken up. Applications can't be notified by the entries\nwhich were inserted in smc socket->wq before fallback. So we need\na mechanism to wake up smc socket->wq at the same time if some\nentries remaining in it.\n\nThe current workaround is to transfer the entries from smc socket->wq\nto clcsock->wq during the fallback. But this may cause a crash\nlike this:\n\n general protection fault, probably for non-canonical address 0xdead000000000100: 0000 [#1] PREEMPT SMP PTI\n CPU: 3 PID: 0 Comm: swapper/3 Kdump: loaded Tainted: G E 5.16.0+ #107\n RIP: 0010:__wake_up_common+0x65/0x170\n Call Trace:\n <IRQ>\n __wake_up_common_lock+0x7a/0xc0\n sock_def_readable+0x3c/0x70\n tcp_data_queue+0x4a7/0xc40\n tcp_rcv_established+0x32f/0x660\n ? sk_filter_trim_cap+0xcb/0x2e0\n tcp_v4_do_rcv+0x10b/0x260\n tcp_v4_rcv+0xd2a/0xde0\n ip_protocol_deliver_rcu+0x3b/0x1d0\n ip_local_deliver_finish+0x54/0x60\n ip_local_deliver+0x6a/0x110\n ? tcp_v4_early_demux+0xa2/0x140\n ? tcp_v4_early_demux+0x10d/0x140\n ip_sublist_rcv_finish+0x49/0x60\n ip_sublist_rcv+0x19d/0x230\n ip_list_rcv+0x13e/0x170\n __netif_receive_skb_list_core+0x1c2/0x240\n netif_receive_skb_list_internal+0x1e6/0x320\n napi_complete_done+0x11d/0x190\n mlx5e_napi_poll+0x163/0x6b0 [mlx5_core]\n __napi_poll+0x3c/0x1b0\n net_rx_action+0x27c/0x300\n __do_softirq+0x114/0x2d2\n irq_exit_rcu+0xb4/0xe0\n common_interrupt+0xba/0xe0\n </IRQ>\n <TASK>\n\nThe crash is caused by privately transferring waitqueue entries from\nsmc socket->wq to clcsock->wq. The owners of these entries, such as\nepoll, have no idea that the entries have been transferred to a\ndifferent socket wait queue and still use original waitqueue spinlock\n(smc socket->wq.wait.lock) to make the entries operation exclusive,\nbut it doesn't work. The operations to the entries, such as removing\nfrom the waitqueue (now is clcsock->wq after fallback), may cause a\ncrash when clcsock waitqueue is being iterated over at the moment.\n\nThis patch tries to fix this by no longer transferring wait queue\nentries privately, but introducing own implementations of clcsock's\ncallback functions in fallback situation. The callback functions will\nforward the wakeup to smc socket->wq if clcsock->wq is actually woken\nup and smc socket->wq has remaining entries."
			`}`
			`],`
			`"metrics": {},`
			`"references": [`
			`{`
			`"url": "https://git.kernel.org/stable/c/0ef6049f664941bc0f75828b3a61877635048b27",`
			`"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"`
			`},`
			`{`
			`"url": "https://git.kernel.org/stable/c/341adeec9adad0874f29a0a1af35638207352a39",`
			`"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"`
			`},`
			`{`
			`"url": "https://git.kernel.org/stable/c/504078fbe9dd570d685361b57784a6050bc40aaa",`
			`"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"`
			`}`
			`]`
			`}`