CVE-2025-40357

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-40357
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40357.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-40357
Downstream
Related
Published
2025-12-16T13:30:29.758Z
Modified
2026-03-12T02:14:41.556523Z
Summary
net/smc: fix general protection fault in __smc_diag_dump
Details

In the Linux kernel, the following vulnerability has been resolved:

net/smc: fix general protection fault in __smcdiagdump

The syzbot report a crash:

Oops: general protection fault, probably for non-canonical address 0xfbd5a5d5a0000003: 0000 [#1] SMP KASAN NOPTI KASAN: maybe wild-memory-access in range [0xdead4ead00000018-0xdead4ead0000001f] CPU: 1 UID: 0 PID: 6949 Comm: syz.0.335 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025 RIP: 0010:smcdiagmsgcommonfill net/smc/smc_diag.c:44 [inline] RIP: 0010:__smcdiagdump.constprop.0+0x3ca/0x2550 net/smc/smcdiag.c:89 Call Trace: <TASK> smcdiagdumpproto+0x26d/0x420 net/smc/smcdiag.c:217 smcdiagdump+0x27/0x90 net/smc/smcdiag.c:234 netlinkdump+0x539/0xd30 net/netlink/afnetlink.c:2327 __netlinkdumpstart+0x6d6/0x990 net/netlink/af_netlink.c:2442 netlinkdumpstart include/linux/netlink.h:341 [inline] smcdiaghandlerdump+0x1f9/0x240 net/smc/smcdiag.c:251 __sockdiagcmd net/core/sock_diag.c:249 [inline] sockdiagrcvmsg+0x438/0x790 net/core/sockdiag.c:285 netlinkrcvskb+0x158/0x420 net/netlink/afnetlink.c:2552 netlinkunicastkernel net/netlink/afnetlink.c:1320 [inline] netlinkunicast+0x5a7/0x870 net/netlink/afnetlink.c:1346 netlinksendmsg+0x8d1/0xdd0 net/netlink/afnetlink.c:1896 socksendmsgnosec net/socket.c:714 [inline] __sock_sendmsg net/socket.c:729 [inline] ____sys_sendmsg+0xa95/0xc70 net/socket.c:2614 ___sys_sendmsg+0x134/0x1d0 net/socket.c:2668 _syssendmsg+0x16d/0x220 net/socket.c:2700 dosyscallx64 arch/x86/entry/syscall64.c:63 [inline] dosyscall64+0xcd/0x4e0 arch/x86/entry/syscall64.c:94 entrySYSCALL64afterhwframe+0x77/0x7f </TASK>

The process like this:

           (CPU1)              |             (CPU2)

---------------------------------|------------------------------- inetcreate() | // init clcsock to NULL | sk = skalloc() | | // unexpectedly change clcsock | inetinitcsklocks() | | // add sk to hash table | smcinetinitsock() | smcskinit() | smchashsk() | | // traverse the hash table | smcdiagdump_proto | __smcdiagdump() | // visit wrong clcsock | smcdiagmsgcommonfill() // alloc clcsock | smccreateclcsk | sockcreatekern |

With CONFIGDEBUGLOCKALLOC=y, the smc->clcsock is unexpectedly changed in inetinitcsklocks(). The INETPROTOSWICSK flag is no need by smc, just remove it.

After removing the INETPROTOSWICSK flag, this patch alse revert commit 6fd27ea183c2 ("net/smc: fix lacks of icsksynmss with IPPROTOSMC") to avoid casting smcsock to inetconnectionsock.

Database specific 
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40357.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
d25a92ccae6bed02327b63d138e12e7806830f78
Fixed
5b6fc95c4a161326567bdf12a333768565b638f2
Fixed
99b5b3faf3220ba1cdab8e6e42be4f3f993937c3
Fixed
f584239a9ed25057496bf397c370cc5163dde419

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40357.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.11.0
Fixed
6.12.56
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.17.6

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40357.json"