CVE-2024-26615

Source
https://cve.org/CVERecord?id=CVE-2024-26615
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-26615.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-26615
Published
2024-02-29T15:52:18.843Z
Modified
2026-05-28T03:55:51.339077168Z
Summary
net/smc: fix illegal rmb_desc access in SMC-D connection dump
Details

In the Linux kernel, the following vulnerability has been resolved:

net/smc: fix illegal rmb_desc access in SMC-D connection dump

A crash was found when dumping SMC-D connections. It can be reproduced by the following steps:

  • run an nginx/wrk test:
      smc_run nginx
      smc_run wrk -t 16 -c 1000 -d <duration> -H 'Connection: Close' <URL>

  • continuously dump SMC-D connections in parallel:
      watch -n 1 'smcss -D'

    BUG: kernel NULL pointer dereference, address: 0000000000000030
    CPU: 2 PID: 7204 Comm: smcss Kdump: loaded Tainted: G E 6.7.0+ #55
    RIP: 0010:__smc_diag_dump.constprop.0+0x5e5/0x620 [smc_diag]
    Call Trace:
     <TASK>
     ? __die+0x24/0x70
     ? page_fault_oops+0x66/0x150
     ? exc_page_fault+0x69/0x140
     ? asm_exc_page_fault+0x26/0x30
     ? __smc_diag_dump.constprop.0+0x5e5/0x620 [smc_diag]
     ? __kmalloc_node_track_caller+0x35d/0x430
     ? __alloc_skb+0x77/0x170
     smc_diag_dump_proto+0xd0/0xf0 [smc_diag]
     smc_diag_dump+0x26/0x60 [smc_diag]
     netlink_dump+0x19f/0x320
     __netlink_dump_start+0x1dc/0x300
     smc_diag_handler_dump+0x6a/0x80 [smc_diag]
     ? __pfx_smc_diag_dump+0x10/0x10 [smc_diag]
     sock_diag_rcv_msg+0x121/0x140
     ? __pfx_sock_diag_rcv_msg+0x10/0x10
     netlink_rcv_skb+0x5a/0x110
     sock_diag_rcv+0x28/0x40
     netlink_unicast+0x22a/0x330
     netlink_sendmsg+0x1f8/0x420
     __sock_sendmsg+0xb0/0xc0
     ____sys_sendmsg+0x24e/0x300
     ? copy_msghdr_from_user+0x62/0x80
     ___sys_sendmsg+0x7c/0xd0
     ? __do_fault+0x34/0x160
     ? do_read_fault+0x5f/0x100
     ? do_fault+0xb0/0x110
     ? __handle_mm_fault+0x2b0/0x6c0
     __sys_sendmsg+0x4d/0x80
     do_syscall_64+0x69/0x180
     entry_SYSCALL_64_after_hwframe+0x6e/0x76

It is possible that the connection is in the process of being established when we dump it. Assume that the connection has been registered in a link group by smc_conn_create() but the rmb_desc has not yet been initialized by smc_buf_create(), thus causing the illegal access to conn->rmb_desc. So fix it by checking before dump.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/26xxx/CVE-2024-26615.json",
    "cna_assigner": "Linux"
}

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
4b1b7d3b30a6d32ac1a1dcede284e76ef8a8542d
Fixed
27aea64838914c6122db5b8bd4bed865c9736f22
Fixed
1fea9969b81c67d0cb1611d1b8b7d19049d937be
Fixed
5fed92ca32eafbfae8b6bee8ca34cca71c6a8b6d
Fixed
68b888d51ac82f2b96bf5e077a31d76afcdef25a
Fixed
6994dba06321e3c48fdad0ba796a063d9d82183a
Fixed
a164c2922675d7051805cdaf2b07daffe44f20d9
Fixed
8f3f9186e5bb96a9c9654c41653210e3ea7e48a6
Fixed
dbc153fd3c142909e564bb256da087e13fbf239c

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-26615.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.19.0
Fixed
4.19.307
Type
ECOSYSTEM
Events
Introduced
4.20.0
Fixed
5.4.269
Type
ECOSYSTEM
Events
Introduced
5.5.0
Fixed
5.10.210
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.149
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.76
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.15
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.7.3

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-26615.json"