CVE-2025-40139
Description
In the Linux kernel, the following vulnerability has been resolved:
smc: Use __sk_dst_get() and dst_dev_rcu() in smc_clc_prfx_set().
smc_clc_prfx_set() is called during connect() and not under RCU nor RTNL.
Using sk_dst_get(sk)->dev could trigger UAF.
Let's use __sk_dst_get() and dst_dev_rcu() under rcu_read_lock() after kernel_getsockname().
Note that the returned value of smc_clc_prfx_set() is not used in the caller.
While at it, we change the 1st arg of smc_clc_prfx_set[46]_rcu() not to touch dst there.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's SMC implementation, smc_clc_prfx_set() read sk_dst_get(sk)->dev during connect() outside any RCU read-side critical section and without RTNL, so the device pointer it used could already refer to a freed net_device (use-after-free).
Vulnerability
In the Linux kernel's SMC (Shared Memory Communications) implementation, smc_clc_prfx_set() runs in the connect() path, where neither the RCU read lock nor RTNL is held. It obtained the route's device as sk_dst_get(sk)->dev. sk_dst_get() takes a reference on the dst_entry, so the dst itself cannot disappear, but that reference does not pin dst->dev: the net_device behind a cached route is RCU-protected and may be unregistered and freed concurrently. Reading dst->dev outside an RCU read-side critical section (or RTNL) therefore leaves a window in which the pointer refers to freed memory, a use-after-free (UAF).
Exploitation
Exploitation would require winning a race: a connect() on an AF_SMC socket must be in flight while the net_device backing the socket's cached route is unregistered. The reader half is reachable by an unprivileged local user who can create SMC sockets; the writer half is a device going away, which normally takes privileges or a namespace teardown, so a working trigger needs both, and the window is only the instructions between reading dst->dev and using it. This page references no public proof of concept; the exploitability discussion here is inferred from the fix, not from a demonstrated attack.
Impact
A won race dereferences a freed net_device. The most likely outcome is a kernel crash (denial of service); if the freed slab object has already been reallocated, the stale read returns whatever now occupies it, and memory corruption or privilege escalation becomes possible in principle. The practical impact depends on allocator state, the kernel's memory protections, and whether the attacker can shape the contents of the freed memory.
Mitigation
The fix (commit [1]) replaces sk_dst_get(sk)->dev with __sk_dst_get() and dst_dev_rcu() inside an rcu_read_lock() section taken after kernel_getsockname(). __sk_dst_get() takes no reference, which is exactly why it is valid only under RCU, and dst_dev_rcu() is the RCU-annotated accessor for dst->dev, so the device is read and used before the grace period that would free it can complete. The patch also changes the first argument of smc_clc_prfx_set4_rcu() and smc_clc_prfx_set6_rcu() so that those helpers do not touch dst themselves. Because the caller ignores the return value of smc_clc_prfx_set(), connect() behaviour is otherwise unchanged. Users should update to a stable kernel containing the patch; to check a source tree, confirm that smc_clc_prfx_set() in net/smc/smc_clc.c uses dst_dev_rcu() under rcu_read_lock() rather than sk_dst_get(sk)->dev.
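The refcount-versus-RCU distinction above is easiest to see in a runnable model. The C program below is an added example written for this page; it is not the kernel's code or the patch. It models a dst with a refcount and an RCU-protected dev pointer, a toy RCU (a reader counter plus a deferred-free list standing in for call_rcu()/synchronize_rcu()), and the two reader patterns side by side: the original one, which takes a dst reference and reads dev outside RCU, and the fixed one, which reads dev under rcu_read_lock(). A freed device is flagged rather than actually freed so the stale use is observable. Every name here (model_dev, model_dst, unregister_dev, race_unregister_eth0, the ifindex values) is an assumption of the model, not a kernel identifier.

```c
#include <stdio.h>

/* Model of a net_device. A freed device is flagged instead of free()d so a
 * stale use can be detected without a real use-after-free. */
struct model_dev {
    int ifindex;
    int freed;
};

/* Model of a dst_entry: refcnt pins the dst itself; dev is an RCU-protected
 * pointer that the dst reference does not pin (the kernel rule at issue). */
struct model_dst {
    int refcnt;
    struct model_dev *dev;
};

/* Toy RCU: one reader counter and a deferred-free list. */
static int rcu_readers;
static struct model_dev *deferred[8];
static int ndeferred;

static void model_rcu_read_lock(void) { rcu_readers++; }

static void model_rcu_read_unlock(void)
{
    if (--rcu_readers == 0) {
        /* Grace period ends: run the deferred frees (call_rcu callbacks). */
        for (int i = 0; i < ndeferred; i++)
            deferred[i]->freed = 1;
        ndeferred = 0;
    }
}

/* call_rcu() stand-in: free at once with no readers, else after they leave. */
static void model_free_dev_rcu(struct model_dev *dev)
{
    if (rcu_readers == 0)
        dev->freed = 1;
    else
        deferred[ndeferred++] = dev;
}

/* Writer side: unregistration points the route at a replacement device and
 * schedules the old one for freeing (rcu_assign_pointer + call_rcu). */
static void unregister_dev(struct model_dst *dst, struct model_dev *replacement)
{
    struct model_dev *old = dst->dev;
    dst->dev = replacement;
    model_free_dev_rcu(old);
}

/* Original pattern: sk_dst_get() pins the dst, then dst->dev is read and used
 * with no RCU read-side section. 'race' stands for the concurrent writer. */
static int vulnerable_prfx_set(struct model_dst *dst, void (*race)(void))
{
    struct model_dev *dev;
    int ifindex;

    dst->refcnt++;                              /* sk_dst_get() */
    dev = dst->dev;                             /* plain read of dst->dev */
    race();                                     /* device unregistered; nothing defers the free */
    ifindex = dev->freed ? -1 : dev->ifindex;   /* -1 marks a use of freed memory */
    dst->refcnt--;                              /* dst_release() */
    return ifindex;
}

/* Fixed pattern: __sk_dst_get() takes no reference and is valid only inside
 * rcu_read_lock(); dst_dev_rcu() is the RCU-annotated read of dst->dev. */
static int fixed_prfx_set(struct model_dst *dst, void (*race)(void))
{
    struct model_dev *dev;
    int ifindex;

    model_rcu_read_lock();
    dev = dst->dev;                             /* dst_dev_rcu(dst) */
    race();                                     /* writer must defer the free past our unlock */
    ifindex = dev->freed ? -1 : dev->ifindex;
    model_rcu_read_unlock();                    /* deferred free runs now, after the last use */
    return ifindex;
}

/* Constructed scenario: route via eth0 (ifindex 2); eth0 is replaced by eth1. */
static struct model_dev eth0, eth1;
static struct model_dst route;

static void reset_scenario(void)
{
    eth0.ifindex = 2; eth0.freed = 0;
    eth1.ifindex = 3; eth1.freed = 0;
    route.refcnt = 1; route.dev = &eth0;
    rcu_readers = 0; ndeferred = 0;
}

static void race_unregister_eth0(void) { unregister_dev(&route, &eth1); }

int run_vulnerable(void)
{
    reset_scenario();
    return vulnerable_prfx_set(&route, race_unregister_eth0);
}

int run_fixed(void)
{
    reset_scenario();
    return fixed_prfx_set(&route, race_unregister_eth0);
}

/* After the fixed run the old device must still have been freed, just later. */
int eth0_freed(void) { return eth0.freed; }

int main(void)
{
    int v = run_vulnerable();
    int f = run_fixed();
    printf("vulnerable: ifindex=%d (-1 = stale device used)\n", v);
    printf("fixed: ifindex=%d, eth0 freed after unlock=%d\n", f, eth0_freed());
    return 0;
}
```

In the vulnerable run the device is freed between the read of dst->dev and its use, so the reader reports -1 (the model's stand-in for the KASAN report a real kernel would produce). In the fixed run the free is deferred until rcu_read_unlock(), the reader sees ifindex 2, and the old device is freed immediately afterwards; holding the dst reference was never what kept the device alive.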
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches
20736993bfe5c935d783e5de9
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (2)
News mentions (0)
No linked articles in our index yet.