Linux Kernel NULL Pointer Dereference Vulnerability in SMC-R Transmission Handler

Vulnerability

A vulnerability in the Linux kernel's SMC-R (Socket Memory Copy Remote Direct Memory Access) implementation can lead to a NULL pointer dereference, causing a kernel panic. This issue occurs in the transmission handler of SMC connections when the 'sndbuf_desc' (send buffer descriptor) is NULL. The vulnerability is triggered by a race condition between terminating all link groups and creating new buffer descriptors, particularly under stress testing conditions.

Impact

Exploitation of this vulnerability can cause a kernel panic, leading to a denial of service by crashing the system.

Reproduction

The vulnerability can be reproduced by performing a stress test on the SMC-R protocol while the mlx5_ib driver is unloaded. During this test, all link groups are terminated, which can create a race condition that leaves the send buffer descriptor NULL. When the transmission handler attempts to read the length of the buffer, it encounters a NULL pointer, causing a panic.
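The following C program is an added, simplified model of the failure mode described above; it is not code from the Linux kernel or from the fix referenced on this page. It assumes hypothetical structure and function names (smc_connection, smc_buf_desc, terminate_link_group, tx_sndbuf_nonempty_checked) and an assumed error code (-ENOBUFS) to show the defensive pattern: when link group termination can leave the send buffer descriptor NULL underneath the transmission handler, the handler must check the descriptor before reading its length rather than dereference it unconditionally.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical, simplified model of an SMC connection and its send buffer
 * descriptor. The field name sndbuf_desc follows the page's vocabulary; the
 * types themselves are constructed for this example, not the kernel's own. */
struct smc_buf_desc {
    size_t len;                         /* usable length of the send buffer */
};

struct smc_connection {
    struct smc_buf_desc *sndbuf_desc;   /* NULL once the link group is gone */
};

/* Model of "terminate all link groups": the descriptor is freed and the
 * connection's pointer cleared. In the race on this page this happens while
 * the tx handler still treats the connection as usable. */
static void terminate_link_group(struct smc_connection *conn)
{
    free(conn->sndbuf_desc);
    conn->sndbuf_desc = NULL;
}

/* Vulnerable pattern: the tx handler reads the buffer length without checking
 * that a descriptor exists. Run after terminate_link_group() this is exactly
 * the NULL dereference that panics the kernel. Kept only for comparison; the
 * simulation below calls it solely on a connection that still has a buffer. */
static size_t tx_sndbuf_len_unchecked(const struct smc_connection *conn)
{
    return conn->sndbuf_desc->len;
}

/* Hardened pattern: fail the send with an error when the descriptor is missing
 * so a torn-down connection is refused instead of crashing the kernel.
 * -ENOBUFS is an assumed choice of error code for this model. */
static int tx_sndbuf_nonempty_checked(const struct smc_connection *conn, size_t *len)
{
    if (!conn || !conn->sndbuf_desc)
        return -ENOBUFS;
    *len = conn->sndbuf_desc->len;
    return 0;
}

/* Drives both orderings of the race: tx before termination (normal path) and
 * termination before tx (the crash path). Returns the tx handler's rc and
 * stores the observed length (0 when the send was refused) in *len_out. */
static int simulate_race(bool terminate_first, size_t *len_out)
{
    struct smc_connection conn;
    int rc;

    conn.sndbuf_desc = malloc(sizeof(*conn.sndbuf_desc));
    if (!conn.sndbuf_desc)
        return -ENOMEM;
    conn.sndbuf_desc->len = 65536;      /* constructed sample buffer size */
    *len_out = 0;

    if (terminate_first)
        terminate_link_group(&conn);    /* descriptor vanishes before tx runs */

    rc = tx_sndbuf_nonempty_checked(&conn, len_out);

    if (!terminate_first) {
        /* On the normal path both forms agree; only the checked form stays
         * safe once the descriptor can disappear underneath the caller. */
        if (tx_sndbuf_len_unchecked(&conn) != *len_out)
            rc = -EIO;
        terminate_link_group(&conn);    /* clean up the normal path */
    }
    return rc;
}

/* Single-value wrappers around the simulation, convenient for assertions. */
static int race_rc(bool terminate_first)
{
    size_t len;
    return simulate_race(terminate_first, &len);
}

static size_t race_len(bool terminate_first)
{
    size_t len;
    (void)simulate_race(terminate_first, &len);
    return len;
}

int main(void)
{
    printf("tx before termination: rc=%d len=%zu\n", race_rc(false), race_len(false));
    printf("tx after termination:  rc=%d (%s)\n", race_rc(true),
           race_rc(true) == -ENOBUFS ? "send refused, no dereference" : "unexpected");
    return 0;
}
```

The model deliberately serialises the two orderings instead of spawning threads: the point is that once termination can clear sndbuf_desc, every consumer of the pointer on the transmit path needs its own NULL check (or must hold the lock that orders it against teardown), because the crash needs only one unchecked read.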

Remediation

The vulnerability has been addressed in the official Linux kernel repository. Users should upgrade to the latest version.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.3
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.