DEBIAN-CVE-2025-40357

In the Linux kernel, the following vulnerability has been resolved: net/smc: fix general protection fault in smcdiagdump The syzbot report a crash: Oops: general protection fault, probably for non-canonical address 0xfbd5a5d5a0000003: 0000 [#1] SMP KASAN NOPTI KASAN: maybe wild-memory-access in range [0xdead4ead00000018-0xdead4ead0000001f] CPU: 1 UID: 0 PID: 6949 Comm: syz.0.335 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025 RIP: 0010:smcdiagmsgcommonfill net/smc/smcdiag.c:44 [inline] RIP: 0010:smcdiagdump.constprop.0+0x3ca/0x2550 net/smc/smcdiag.c:89 Call Trace: <TASK> smcdiagdumpproto+0x26d/0x420 net/smc/smcdiag.c:217 smcdiagdump+0x27/0x90 net/smc/smcdiag.c:234 netlinkdump+0x539/0xd30 net/netlink/afnetlink.c:2327 netlinkdumpstart+0x6d6/0x990 net/netlink/afnetlink.c:2442 netlinkdumpstart include/linux/netlink.h:341 [inline] smcdiaghandlerdump+0x1f9/0x240 net/smc/smcdiag.c:251 _sockdiagcmd net/core/sockdiag.c:249 [inline] sockdiagrcvmsg+0x438/0x790 net/core/sockdiag.c:285 netlinkrcvskb+0x158/0x420 net/netlink/afnetlink.c:2552 netlinkunicastkernel net/netlink/afnetlink.c:1320 [inline] netlinkunicast+0x5a7/0x870 net/netlink/afnetlink.c:1346 netlinksendmsg+0x8d1/0xdd0 net/netlink/afnetlink.c:1896 socksendmsgnosec net/socket.c:714 [inline] _socksendmsg net/socket.c:729 [inline] syssendmsg+0xa95/0xc70 net/socket.c:2614 _syssendmsg+0x134/0x1d0 net/socket.c:2668 _syssendmsg+0x16d/0x220 net/socket.c:2700 dosyscallx64 arch/x86/entry/syscall64.c:63 [inline] dosyscall64+0xcd/0x4e0 arch/x86/entry/syscall64.c:94 entrySYSCALL64afterhwframe+0x77/0x7f </TASK> The process like this: (CPU1) | (CPU2) ---------------------------------|------------------------------- inetcreate() | // init clcsock to NULL | sk = skalloc() | | // unexpectedly change clcsock | inetinitcsklocks() | | // add sk to hash table | smcinetinitsock() | smcskinit() | smchashsk() | | // traverse the hash table | smcdiagdumpproto | _smcdiagdump() | // visit wrong clcsock | smcdiagmsgcommonfill() // alloc clcsock | smccreateclcsk | sockcreatekern | With CONFIGDEBUGLOCKALLOC=y, the smc->clcsock is unexpectedly changed in inetinitcsklocks(). The INETPROTOSWICSK flag is no need by smc, just remove it. After removing the INETPROTOSWICSK flag, this patch alse revert commit 6fd27ea183c2 ("net/smc: fix lacks of icsksynmss with IPPROTOSMC") to avoid casting smcsock to inetconnectionsock.