{"id":"CVE-2022-48721","summary":"net/smc: Forward wakeup to smc socket waitqueue after fallback","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: Forward wakeup to smc socket waitqueue after fallback\n\nWhen we replace TCP with SMC and a fallback occurs, there may be\nsome socket waitqueue entries remaining in smc socket-\u003ewq, such\nas eppoll_entries inserted by userspace applications.\n\nAfter the fallback, data flows over TCP/IP and only clcsocket-\u003ewq\nwill be woken up. Applications can't be notified by the entries\nwhich were inserted in smc socket-\u003ewq before fallback. So we need\na mechanism to wake up smc socket-\u003ewq at the same time if some\nentries remaining in it.\n\nThe current workaround is to transfer the entries from smc socket-\u003ewq\nto clcsock-\u003ewq during the fallback. But this may cause a crash\nlike this:\n\n general protection fault, probably for non-canonical address 0xdead000000000100: 0000 [#1] PREEMPT SMP PTI\n CPU: 3 PID: 0 Comm: swapper/3 Kdump: loaded Tainted: G E     5.16.0+ #107\n RIP: 0010:__wake_up_common+0x65/0x170\n Call Trace:\n  \u003cIRQ\u003e\n  __wake_up_common_lock+0x7a/0xc0\n  sock_def_readable+0x3c/0x70\n  tcp_data_queue+0x4a7/0xc40\n  tcp_rcv_established+0x32f/0x660\n  ? sk_filter_trim_cap+0xcb/0x2e0\n  tcp_v4_do_rcv+0x10b/0x260\n  tcp_v4_rcv+0xd2a/0xde0\n  ip_protocol_deliver_rcu+0x3b/0x1d0\n  ip_local_deliver_finish+0x54/0x60\n  ip_local_deliver+0x6a/0x110\n  ? tcp_v4_early_demux+0xa2/0x140\n  ? tcp_v4_early_demux+0x10d/0x140\n  ip_sublist_rcv_finish+0x49/0x60\n  ip_sublist_rcv+0x19d/0x230\n  ip_list_rcv+0x13e/0x170\n  __netif_receive_skb_list_core+0x1c2/0x240\n  netif_receive_skb_list_internal+0x1e6/0x320\n  napi_complete_done+0x11d/0x190\n  mlx5e_napi_poll+0x163/0x6b0 [mlx5_core]\n  __napi_poll+0x3c/0x1b0\n  net_rx_action+0x27c/0x300\n  __do_softirq+0x114/0x2d2\n  irq_exit_rcu+0xb4/0xe0\n  common_interrupt+0xba/0xe0\n  \u003c/IRQ\u003e\n  \u003cTASK\u003e\n\nThe crash is caused by privately transferring waitqueue entries from\nsmc socket-\u003ewq to clcsock-\u003ewq. The owners of these entries, such as\nepoll, have no idea that the entries have been transferred to a\ndifferent socket wait queue and still use original waitqueue spinlock\n(smc socket-\u003ewq.wait.lock) to make the entries operation exclusive,\nbut it doesn't work. The operations to the entries, such as removing\nfrom the waitqueue (now is clcsock-\u003ewq after fallback), may cause a\ncrash when clcsock waitqueue is being iterated over at the moment.\n\nThis patch tries to fix this by no longer transferring wait queue\nentries privately, but introducing own implementations of clcsock's\ncallback functions in fallback situation. The callback functions will\nforward the wakeup to smc socket-\u003ewq if clcsock-\u003ewq is actually woken\nup and smc socket-\u003ewq has remaining entries.","modified":"2026-04-02T08:26:54.839657Z","published":"2024-06-20T11:13:12.668Z","related":["SUSE-SU-2024:2372-1","SUSE-SU-2024:2394-1","SUSE-SU-2024:2902-1","SUSE-SU-2024:2929-1","SUSE-SU-2024:2939-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/48xxx/CVE-2022-48721.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0ef6049f664941bc0f75828b3a61877635048b27"},{"type":"WEB","url":"https://git.kernel.org/stable/c/341adeec9adad0874f29a0a1af35638207352a39"},{"type":"WEB","url":"https://git.kernel.org/stable/c/504078fbe9dd570d685361b57784a6050bc40aaa"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/48xxx/CVE-2022-48721.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-48721"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"fb92e025baa73e99250b79ab64f4e088d2888993"},{"fixed":"0ef6049f664941bc0f75828b3a61877635048b27"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"2153bd1e3d3dbf6a3403572084ef6ed31c53c5f0"},{"fixed":"504078fbe9dd570d685361b57784a6050bc40aaa"},{"fixed":"341adeec9adad0874f29a0a1af35638207352a39"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"d6e981ec9491be5ec46d838b1151e7edefe607f5"},{"last_affected":"ff6eeb627898c179aac421af5d6515d3f50b84df"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-48721.json"}}],"schema_version":"1.7.5"}