{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-24T13:11:35.267","vulnerabilities":[{"cve":{"id":"CVE-2025-40357","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-12-16T14:15:47.637","lastModified":"2026-04-15T00:35:42.020","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: fix general protection fault in __smc_diag_dump\n\nThe syzbot report a crash:\n\n  Oops: general protection fault, probably for non-canonical address 0xfbd5a5d5a0000003: 0000 [#1] SMP KASAN NOPTI\n  KASAN: maybe wild-memory-access in range [0xdead4ead00000018-0xdead4ead0000001f]\n  CPU: 1 UID: 0 PID: 6949 Comm: syz.0.335 Not tainted syzkaller #0 PREEMPT(full)\n  Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025\n  RIP: 0010:smc_diag_msg_common_fill net/smc/smc_diag.c:44 [inline]\n  RIP: 0010:__smc_diag_dump.constprop.0+0x3ca/0x2550 net/smc/smc_diag.c:89\n  Call Trace:\n   <TASK>\n   smc_diag_dump_proto+0x26d/0x420 net/smc/smc_diag.c:217\n   smc_diag_dump+0x27/0x90 net/smc/smc_diag.c:234\n   netlink_dump+0x539/0xd30 net/netlink/af_netlink.c:2327\n   __netlink_dump_start+0x6d6/0x990 net/netlink/af_netlink.c:2442\n   netlink_dump_start include/linux/netlink.h:341 [inline]\n   smc_diag_handler_dump+0x1f9/0x240 net/smc/smc_diag.c:251\n   __sock_diag_cmd net/core/sock_diag.c:249 [inline]\n   sock_diag_rcv_msg+0x438/0x790 net/core/sock_diag.c:285\n   netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2552\n   netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]\n   netlink_unicast+0x5a7/0x870 net/netlink/af_netlink.c:1346\n   netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1896\n   sock_sendmsg_nosec net/socket.c:714 [inline]\n   __sock_sendmsg net/socket.c:729 [inline]\n   ____sys_sendmsg+0xa95/0xc70 net/socket.c:2614\n   ___sys_sendmsg+0x134/0x1d0 net/socket.c:2668\n   __sys_sendmsg+0x16d/0x220 net/socket.c:2700\n   do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n   do_syscall_64+0xcd/0x4e0 arch/x86/entry/syscall_64.c:94\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n   </TASK>\n\nThe process like this:\n\n               (CPU1)              |             (CPU2)\n  ---------------------------------|-------------------------------\n  inet_create()                    |\n    // init clcsock to NULL        |\n    sk = sk_alloc()                |\n                                   |\n    // unexpectedly change clcsock |\n    inet_init_csk_locks()          |\n                                   |\n    // add sk to hash table        |\n    smc_inet_init_sock()           |\n      smc_sk_init()                |\n        smc_hash_sk()              |\n                                   | // traverse the hash table\n                                   | smc_diag_dump_proto\n                                   |   __smc_diag_dump()\n                                   |     // visit wrong clcsock\n                                   |     smc_diag_msg_common_fill()\n    // alloc clcsock               |\n    smc_create_clcsk               |\n      sock_create_kern             |\n\nWith CONFIG_DEBUG_LOCK_ALLOC=y, the smc->clcsock is unexpectedly changed\nin inet_init_csk_locks(). The INET_PROTOSW_ICSK flag is no need by smc,\njust remove it.\n\nAfter removing the INET_PROTOSW_ICSK flag, this patch alse revert\ncommit 6fd27ea183c2 (\"net/smc: fix lacks of icsk_syn_mss with IPPROTO_SMC\")\nto avoid casting smc_sock to inet_connection_sock."}],"metrics":{},"references":[{"url":"https://git.kernel.org/stable/c/5b6fc95c4a161326567bdf12a333768565b638f2","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/99b5b3faf3220ba1cdab8e6e42be4f3f993937c3","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"},{"url":"https://git.kernel.org/stable/c/f584239a9ed25057496bf397c370cc5163dde419","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}]}