Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's SMBDirect implementation has been addressed. The issue arose from a race condition in managing receive credits, which are crucial for the proper functioning of the SMBDirect protocol. The original logic counted posted receive I/O messages and granted credits, but this approach was flawed. There was a potential window where credits could be incorrectly granted after a peer had already consumed them, leading to a mismatch in credit availability. To resolve this, a dedicated counter for available credits has been introduced, ensuring accurate tracking by incrementing the count when new receive buffers are posted and decrementing it when credits are granted to the peer.
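The accounting described above, as an added user-space model in C11 (not the kernel's code; `credit_pool`, `post_recv` and `grant_credits` are hypothetical names chosen for this example). It shows a single counter that goes up only when receive buffers are posted and comes down atomically when credits are granted, so a grant can never cover a buffer that is not actually posted.

```c
/* User-space model of a dedicated available-credits counter.
 * All names are hypothetical; this is not the kernel's code. */
#include <stdatomic.h>
#include <stdio.h>

struct credit_pool {
    atomic_int available; /* posted receive buffers not yet granted to the peer */
};

static void credit_pool_init(struct credit_pool *p)
{
    atomic_init(&p->available, 0);
}

/* Call after n receive buffers have been posted. */
static void post_recv(struct credit_pool *p, int n)
{
    atomic_fetch_add(&p->available, n);
}

/* Take up to max credits to advertise to the peer. The compare-exchange
 * makes the read and the decrement one step, so two concurrent callers
 * can never grant the same posted buffer twice. */
static int grant_credits(struct credit_pool *p, int max)
{
    int avail = atomic_load(&p->available);
    int take;

    do {
        if (avail <= 0 || max <= 0)
            return 0;
        take = avail < max ? avail : max;
    } while (!atomic_compare_exchange_weak(&p->available, &avail, avail - take));
    return take;
}

int main(void)
{
    struct credit_pool p;

    credit_pool_init(&p);
    post_recv(&p, 2);                            /* two buffers posted */
    printf("grant: %d\n", grant_credits(&p, 8)); /* both are granted */
    /* Peer uses a credit; its completion is still being processed and
     * no buffer has been reposted, so nothing may be granted yet. */
    printf("grant: %d\n", grant_credits(&p, 8));
    post_recv(&p, 1);                            /* buffer reposted */
    printf("grant: %d\n", grant_credits(&p, 8));
    return 0;
}
```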
This vulnerability could lead to improper management of receive credits in the SMBDirect protocol, potentially causing communication issues or inefficiencies.
The vulnerability can be reproduced by using the SMBDirect feature in the Linux kernel prior to the patch. The race condition can be triggered by having a peer consume a credit while another process is still in the midst of processing the completion of received data, creating a window of opportunity for credits to be mismanaged.
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. The specific commit addressing this issue is available in the Linux kernel stable tree.