CVE-2025-38475

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-38475
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38475.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-38475
Downstream
Published
2025-07-28T12:15:29Z
Modified
2025-07-29T14:49:57.186364Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

smc: Fix various oops due to inet_sock type confusion.

syzbot reported weird splats [0][1] in cipso_v4_sock_setattr() while freeing inet_sk(sk)->inet_opt.

The address was freed multiple times even though it was read-only memory.

cipso_v4_sock_setattr() did nothing wrong, and the root cause was type confusion.

The cited commit made it possible to create smc_sock as an INET socket.

The issue is that struct smc_sock does not have struct inet_sock as the first member but hijacks AF_INET and AF_INET6 sk_family, which confuses various places.

In this case, inet_sock.inet_opt was actually smc_sock.clcsk_data_ready(), which is an address of a function in the text segment.

  $ pahole -C inet_sock vmlinux
  struct inet_sock {
  ...
          struct ip_options_rcu *    inet_opt;                           /*   784     8 */

  $ pahole -C smc_sock vmlinux
  struct smc_sock {
  ...
          void                       (*clcsk_data_ready)(struct sock *); /*   784     8 */

The same issue for another field was reported before. [2][3]

At that time, an ugly hack was suggested [4], but it makes both INET and SMC code error-prone and hard to change.

Also, yet another variant was fixed by a hacky commit 98d4435efcbf3 ("net/smc: prevent NULL pointer dereference in txopt_get").

Instead of papering over the root cause by such hacks, we should not allow non-INET socket to reuse the INET infra.

Let's add inet_sock as the first member of smc_sock.

WARNING: CPU: 0 PID: 6718 at mm/slab_common.c:1956 kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955
Modules linked in:
CPU: 0 UID: 0 PID: 6718 Comm: syz.0.17 Tainted: G W 6.16.0-rc4-syzkaller-g7482bb149b9f #0 PREEMPT
Tainted: [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955
lr : kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955
sp : ffff8000a03a7730
x29: ffff8000a03a7730 x28: 00000000fffffff5 x27: 1fffe000184823d3
x26: dfff800000000000 x25: ffff0000c2411e9e x24: ffff0000dd88da00
x23: ffff8000891ac9a0 x22: 00000000ffffffea x21: ffff8000891ac9a0
x20: ffff8000891ac9a0 x19: ffff80008afc2480 x18: 00000000ffffffff
x17: 0000000000000000 x16: ffff80008ae642c8 x15: ffff700011ede14c
x14: 1ffff00011ede14c x13: 0000000000000004 x12: ffffffffffffffff
x11: ffff700011ede14c x10: 0000000000ff0100 x9 : 5fa3c1ffaf0ff000
x8 : 5fa3c1ffaf0ff000 x7 : 0000000000000001 x6 : 0000000000000001
x5 : ffff8000a03a7078 x4 : ffff80008f766c20 x3 : ffff80008054d360
x2 : 0000000000000000 x1 : 0000000000000201 x0 : 0000000000000000
Call trace:
 kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955 (P)
 cipso_v4_sock_setattr+0x2f0/0x3f4 net/ipv4/cipso_ipv4.c:1914
 netlbl_sock_setattr+0x240/0x334 net/netlabel/netlabel_kapi.c:1000
 smack_netlbl_add+0xa8/0x158 security/smack/smack_lsm.c:2581
 smack_inode_setsecurity+0x378/0x430 security/smack/smack_lsm.c:2912
 security_inode_setsecurity+0x118/0x3c0 security/security.c:2706
 __vfs_setxattr_noperm+0x174/0x5c4 fs/xattr.c:251
 __vfs_setxattr_locked+0x1ec/0x218 fs/xattr.c:295
 vfs_setxattr+0x158/0x2ac fs/xattr.c:321
 do_setxattr fs/xattr.c:636 [inline]
 file_setxattr+0x1b8/0x294 fs/xattr.c:646
 path_setxattrat+0x2ac/0x320 fs/xattr.c:711
 __do_sys_fsetxattr fs/xattr.c:761 [inline]
 __se_sys_fsetxattr fs/xattr.c:758 [inline]
 __arm64_sys_fsetxattr+0xc0/0xdc fs/xattr.c:758
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x58/0x180 arch/arm64/kernel/entry-common.c:879
 el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:898
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600

[ ---truncated---
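The type confusion the commit describes, modelled as an added C example that is not kernel code and not part of the commit: toy stand-ins for struct sock, struct inet_sock and struct smc_sock keep the same first-member relationship as the kernel, inet_sk() is the same plain cast, and the "before" and "after" layouts of smc_sock are compared side by side. Struct sizes, the AF_* values and the function names (inet_opt_as_seen_by_inet_code, before_layout_leaks_function_pointer, after_layout_reads_real_inet_opt, before_layout_fields_overlap) are constructed for this example, so the overlapping offset comes out as 8 here rather than the 784 that pahole reports on the real vmlinux.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy stand-ins for the kernel structs (constructed for this example; the
 * real structs are much larger, which is why the report shows offset 784). */
#define AF_INET  2
#define AF_INET6 10

struct sock {
    unsigned short sk_family;       /* AF_INET, AF_INET6, AF_SMC, ... */
    unsigned short sk_state;
};

struct ip_options_rcu { int optlen; };

/* inet_sk() is a plain cast, so any socket that claims AF_INET/AF_INET6
 * must have struct inet_sock as its first member for the cast to be valid. */
struct inet_sock {
    struct sock sk;                 /* first member */
    struct ip_options_rcu *inet_opt;
};

static inline struct inet_sock *inet_sk(struct sock *sk)
{
    return (struct inet_sock *)sk;
}

/* Layout before the fix: only struct sock comes first, and a function
 * pointer occupies the slot where inet_sock keeps inet_opt. */
struct smc_sock_before {
    struct sock sk;
    void (*clcsk_data_ready)(struct sock *);
};

/* Layout after the fix: struct inet_sock is the first member, so the
 * inet_sk() cast lands on a genuine inet_sock and inet_opt is a real field. */
struct smc_sock_after {
    struct inet_sock inet;
    void (*clcsk_data_ready)(struct sock *);
};

/* Compile-time guard of the kind a reviewer can keep next to such a struct. */
_Static_assert(offsetof(struct smc_sock_after, inet) == 0,
               "inet_sock must be the first member for inet_sk() to be valid");

static void smc_clcsock_data_ready(struct sock *sk) { (void)sk; }

/* Stands in for INET-side code (cipso_v4_sock_setattr in the report) that
 * trusts sk_family and dereferences inet_sk(sk). noinline stops the compiler
 * from reasoning about the real type of the object behind sk. */
__attribute__((noinline))
static uintptr_t inet_opt_as_seen_by_inet_code(struct sock *sk)
{
    if (sk->sk_family != AF_INET && sk->sk_family != AF_INET6)
        return 0;                   /* not an INET socket: nothing to free */
    return (uintptr_t)inet_sk(sk)->inet_opt;
}

/* Before: the "inet_opt" the INET code would hand to kfree is the address of
 * the data_ready callback, i.e. read-only text, exactly what the splat shows. */
int before_layout_leaks_function_pointer(void)
{
    struct smc_sock_before smc = {0};
    smc.sk.sk_family = AF_INET;     /* SMC reusing the INET family */
    smc.clcsk_data_ready = smc_clcsock_data_ready;
    return inet_opt_as_seen_by_inet_code(&smc.sk)
           == (uintptr_t)smc_clcsock_data_ready;
}

/* After: the same INET code reads the genuine inet_opt field, which for a
 * freshly zeroed socket is NULL rather than a code address. */
int after_layout_reads_real_inet_opt(void)
{
    struct smc_sock_after smc = {0};
    smc.inet.sk.sk_family = AF_INET;
    smc.clcsk_data_ready = smc_clcsock_data_ready;
    return inet_opt_as_seen_by_inet_code(&smc.inet.sk) == 0;
}

/* The overlap the report found with pahole, expressed as offsets. */
int before_layout_fields_overlap(void)
{
    return offsetof(struct smc_sock_before, clcsk_data_ready)
           == offsetof(struct inet_sock, inet_opt);
}

int main(void)
{
    printf("inet_sock.inet_opt at %zu, smc_sock_before.clcsk_data_ready at %zu\n",
           offsetof(struct inet_sock, inet_opt),
           offsetof(struct smc_sock_before, clcsk_data_ready));
    printf("before: INET code reads the function pointer = %d\n",
           before_layout_leaks_function_pointer());
    printf("after : INET code reads the real inet_opt    = %d\n",
           after_layout_reads_real_inet_opt());
    return 0;
}
```

The point the example makes is the one the commit makes: code that dispatches on sk_family and then casts with inet_sk() has no way to tell an smc_sock from an inet_sock, so the only safe arrangement is the one the fix adopts, where every socket carrying AF_INET/AF_INET6 really does start with a struct inet_sock. The _Static_assert is the cheap way to keep that invariant from regressing when the struct is edited.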

References

Affected packages

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

6.*

6.12.38-1
6.13~rc6-1~exp1
6.13~rc7-1~exp1
6.13.2-1~exp1
6.13.3-1~exp1
6.13.4-1~exp1
6.13.5-1~exp1
6.13.6-1~exp1
6.13.7-1~exp1
6.13.8-1~exp1
6.13.9-1~exp1
6.13.10-1~exp1
6.13.11-1~exp1
6.14.3-1~exp1
6.14.5-1~exp1
6.14.6-1~exp1
6.15~rc7-1~exp1
6.15-1~exp1
6.15.1-1~exp1
6.15.2-1~exp1
6.15.3-1~exp1
6.15.4-1~exp1
6.15.5-1~exp1
6.15.6-1~exp1
6.16~rc7-1~exp1

Ecosystem specific

{
    "urgency": "not yet assigned"
}