CVE-2021-46925: Vulnerability in Linux (Linux kernel)
In the Linux kernel, the following vulnerability has been resolved:

net/smc: fix kernel panic caused by race of smc_sock

A crash occurs when smc_cdc_tx_handler() tries to access smc_sock but smc_release() has already freed it.

[ 4570.695099] BUG: unable to handle page fault for address: 000000002eae9e88
[ 4570.696048] #PF: supervisor write access in kernel mode
[ 4570.696728] #PF: error_code(0x0002) - not-present page
[ 4570.697401] PGD 0 P4D 0
[ 4570.697716] Oops: 0002 [#1] PREEMPT SMP NOPTI
[ 4570.698228] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.16.0-rc4+ #111
[ 4570.699013] Hardware name: Alibaba Cloud Alibaba Cloud ECS, BIOS 8c24b4c 04/0
[ 4570.699933] RIP: 0010:_raw_spin_lock+0x1a/0x30
<...>
[ 4570.711446] Call Trace:
[ 4570.711746]  <IRQ>
[ 4570.711992]  smc_cdc_tx_handler+0x41/0xc0
[ 4570.712470]  smc_wr_tx_tasklet_fn+0x213/0x560
[ 4570.712981]  ? smc_cdc_tx_dismisser+0x10/0x10
[ 4570.713489]  tasklet_action_common.isra.17+0x66/0x140
[ 4570.714083]  __do_softirq+0x123/0x2f4
[ 4570.714521]  irq_exit_rcu+0xc4/0xf0
[ 4570.714934]  common_interrupt+0xba/0xe0

Though smc_cdc_tx_handler() checked the existence of the smc connection, smc_release() may have already dismissed and released the smc socket before smc_cdc_tx_handler() further visits it.

smc_cdc_tx_handler()       |smc_release()
if (!conn)                 |
                           |
                           |smc_cdc_tx_dismiss_slots()
                           |      smc_cdc_tx_dismisser()
                           |
                           |sock_put(&smc->sk) <- last sock_put,
                           |                      smc_sock freed
bh_lock_sock(&smc->sk) (panic)

To make sure we won't receive any CDC messages after we free the smc_sock, add a refcount on the smc_connection for inflight CDC messages (posted to the QP but haven't received the related CQE), and don't release the smc_connection until all the inflight CDC messages have been done, for both successful and failed ones.

Using a refcount on CDC messages brings another problem: when the link is going to be destroyed, smcr_link_clear() will reset the QP, which then removes all the pending CQEs related to the QP in the CQ. To make sure all the CQEs will always come back so the refcount on the smc_connection can always reach 0, smc_ib_modify_qp_reset() was replaced by smc_ib_modify_qp_error().

And remove the timeout in smc_wr_tx_wait_no_pending_sends() since we need to wait for all pending WQEs to be done, or we may encounter a use-after-free when handling CQEs.

For the IB device removal routine, we need to wait for all the QPs on that device to be destroyed before we can destroy CQs on the device, or the refcount on smc_connection won't reach 0 and smc_sock cannot be released.
AI Analysis
Technical Summary
CVE-2021-46925 is a medium-severity vulnerability in the Linux kernel's SMC (Shared Memory Communications) subsystem, specifically in the smc_sock socket handling code. The flaw is a race condition between smc_cdc_tx_handler() and smc_release(): smc_cdc_tx_handler() accesses the smc_sock structure to handle CDC (Connection Data Channel) messages, but smc_release() may already have freed that socket. The result is a use-after-free that triggers a page fault and a kernel panic.

The root cause is that smc_cdc_tx_handler() checks that the smc connection exists but does not account for the socket being freed concurrently by smc_release().

The fix adds a reference count on the smc_connection that tracks inflight CDC messages (posted but not yet completed), so the smc_connection is not released until every inflight message has completed; this prevents the socket from being freed prematurely. The patch also replaces the QP reset with a transition to the error state so that every completion queue entry (CQE) is delivered, removes the timeout when waiting for pending sends so that all work queue entries (WQEs) are finalized before resources are released, and, for IB (InfiniBand) device removal, waits for all queue pairs (QPs) on the device to be destroyed before destroying its completion queues (CQs), so that the reference counts can reach zero and cleanup completes.

The vulnerability is classified as CWE-362 (Race Condition) and affects Linux kernel versions containing commit 5f08318f617b05b6ee389d8bd174c7af921ebf19. The CVSS v3.1 score is 4.7 (medium): attack vector local, high attack complexity, low privileges required, no user interaction, and impact limited to availability (system crash). No exploits in the wild were known as of the publication date (February 27, 2024).
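The lifetime rule the fix introduces, as a constructed user-space model added here (not the kernel's code): struct model_conn, put_ref, handler_touch and the three sequence functions are hypothetical names. It walks the pre-fix and post-fix orderings of the race, and the QP reset versus error-state teardown that the refcount makes necessary.

```c
#include <stdbool.h>
/* Constructed user-space model (not kernel code) of the lifetime rule the fix
 * adds: every CDC message posted to the QP holds a reference on the
 * smc_connection until its CQE arrives, so smc_release() can no longer free
 * the smc_sock underneath smc_cdc_tx_handler(). All names are hypothetical. */
struct model_conn {
    int  refs;      /* 1 for the owning smc_sock + 1 per in-flight CDC message */
    bool freed;     /* storage returned; any later access is a use-after-free */
    int  completed; /* CQEs (successful or failed) handled so far */
};
/* smc_cdc_tx_handler() takes the socket lock after its `if (!conn)` check; the
 * model reduces that to a touch of conn, which is false once it is freed. */
static bool handler_touch(const struct model_conn *c) { return !c->freed; }
/* Drop one reference; the last drop frees the object (the last sock_put). */
static void put_ref(struct model_conn *c) { if (--c->refs == 0) c->freed = true; }

/* Pre-fix ordering: posting a CDC message takes no reference, so the release
 * path's last sock_put frees the socket while the message is still in flight. */
bool vulnerable_sequence(void) {
    struct model_conn c = { .refs = 1, .freed = false, .completed = 0 };
    /* CDC message posted: no reference taken */
    put_ref(&c);                 /* smc_release(): refs 1 -> 0, socket freed */
    return handler_touch(&c);    /* CQE handler: false == use-after-free */
}

/* Post-fix ordering: the in-flight message pins the connection; smc_release()
 * drops only its own reference and the CQE completion drops the last one. */
bool fixed_sequence(void) {
    struct model_conn c = { .refs = 1, .freed = false, .completed = 0 };
    c.refs++;                    /* CDC message posted: reference taken */
    put_ref(&c);                 /* smc_release(): refs 2 -> 1, still alive */
    bool ok = handler_touch(&c); /* CQE handler runs on a live object */
    c.completed++;
    put_ref(&c);                 /* completion drops the last ref: freed here */
    return ok && c.freed && c.completed == 1;
}

/* Second half of the fix: with one reference per in-flight message, a QP reset
 * that discards pending CQEs leaves refs stuck above zero (the socket leaks);
 * moving the QP to the error state instead flushes every WQE with a failed
 * CQE, and a failed completion still drops its reference. */
bool link_teardown(bool qp_to_error) {
    struct model_conn c = { .refs = 2, .freed = false, .completed = 0 };
    put_ref(&c);                 /* smc_release(): refs 2 -> 1, one msg in flight */
    if (qp_to_error) {           /* flushed WQE -> failed CQE -> ref dropped */
        c.completed++;
        put_ref(&c);
    }                            /* reset path: CQE discarded, ref never dropped */
    return c.freed;              /* true only on the error-state path */
}
```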
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running affected Linux kernel versions with SMC enabled, particularly in environments using InfiniBand or similar high-performance networking technologies. The vulnerability can cause kernel panics leading to denial of service (DoS), which may disrupt critical infrastructure, data centers, and cloud services relying on Linux servers. Organizations using Linux-based servers for high-availability applications, financial services, telecommunications, or research computing could experience service interruptions. Although the vulnerability does not directly compromise confidentiality or integrity, the availability impact can have cascading effects on business operations and service delivery. The requirement for local access and high attack complexity limits remote exploitation, but insider threats or compromised local accounts could trigger the issue. Given the reliance on Linux in European IT infrastructure, especially in sectors like finance, manufacturing, and government, the vulnerability warrants attention to maintain operational continuity.
Mitigation Recommendations
1. Apply the official Linux kernel patches that address CVE-2021-46925 as soon as they become available from trusted sources or Linux distributions.
2. For organizations using InfiniBand or SMC features, consider temporarily disabling SMC if patching is not immediately feasible, to prevent exploitation of the race condition.
3. Implement strict access controls and monitoring on systems with local user accounts to reduce the risk of local exploitation.
4. Conduct thorough testing of kernel updates in staging environments to ensure stability and compatibility with existing workloads, especially those involving high-performance networking.
5. Monitor system logs for kernel panics or unusual behavior related to smc_sock or networking subsystems to detect potential exploitation attempts or instability.
6. Maintain an up-to-date inventory of Linux kernel versions deployed across the organization to prioritize patching efforts.
7. Collaborate with Linux distribution vendors to receive timely updates and advisories related to this vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Belgium, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-02-25T13:45:52.719Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d9835c4522896dcbea6fa
Added to database: 5/21/2025, 9:09:09 AM
Last enriched: 6/26/2025, 9:52:20 AM
Last updated: 7/25/2025, 9:35:17 AM