{ "threat_severity" : "Low", "public_date" : "2025-09-15T00:00:00Z", "bugzilla" : { "description" : "kernel: Linux kernel: Denial of Service via deadlock in net/smc", "id" : "2395339", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2395339" }, "cvss3" : { "cvss3_base_score" : "5.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-833", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnet/smc: fix deadlock triggered by cancel_delayed_work_syn()\nThe following LOCKDEP was detected:\nWorkqueue: events smc_lgr_free_work [smc]\nWARNING: possible circular locking dependency detected\n6.1.0-20221027.rc2.git8.56bc5b569087.300.fc36.s390x+debug #1 Not tainted\n------------------------------------------------------\nkworker/3:0/176251 is trying to acquire lock:\n00000000f1467148 ((wq_completion)smc_tx_wq-00000000#2){+.+.}-{0:0},\nat: __flush_workqueue+0x7a/0x4f0\nbut task is already holding lock:\n0000037fffe97dc8 ((work_completion)(&(&lgr->free_work)->work)){+.+.}-{0:0},\nat: process_one_work+0x232/0x730\nwhich lock already depends on the new lock.\nthe existing dependency chain (in reverse order) is:\n-> #4 ((work_completion)(&(&lgr->free_work)->work)){+.+.}-{0:0}:\n__lock_acquire+0x58e/0xbd8\nlock_acquire.part.0+0xe2/0x248\nlock_acquire+0xac/0x1c8\n__flush_work+0x76/0xf0\n__cancel_work_timer+0x170/0x220\n__smc_lgr_terminate.part.0+0x34/0x1c0 [smc]\nsmc_connect_rdma+0x15e/0x418 [smc]\n__smc_connect+0x234/0x480 [smc]\nsmc_connect+0x1d6/0x230 [smc]\n__sys_connect+0x90/0xc0\n__do_sys_socketcall+0x186/0x370\n__do_syscall+0x1da/0x208\nsystem_call+0x82/0xb0\n-> #3 (smc_client_lgr_pending){+.+.}-{3:3}:\n__lock_acquire+0x58e/0xbd8\nlock_acquire.part.0+0xe2/0x248\nlock_acquire+0xac/0x1c8\n__mutex_lock+0x96/0x8e8\nmutex_lock_nested+0x32/0x40\nsmc_connect_rdma+0xa4/0x418 [smc]\n__smc_connect+0x234/0x480 [smc]\nsmc_connect+0x1d6/0x230 [smc]\n__sys_connect+0x90/0xc0\n__do_sys_socketcall+0x186/0x370\n__do_syscall+0x1da/0x208\nsystem_call+0x82/0xb0\n-> #2 (sk_lock-AF_SMC){+.+.}-{0:0}:\n__lock_acquire+0x58e/0xbd8\nlock_acquire.part.0+0xe2/0x248\nlock_acquire+0xac/0x1c8\nlock_sock_nested+0x46/0xa8\nsmc_tx_work+0x34/0x50 [smc]\nprocess_one_work+0x30c/0x730\nworker_thread+0x62/0x420\nkthread+0x138/0x150\n__ret_from_fork+0x3c/0x58\nret_from_fork+0xa/0x40\n-> #1 ((work_completion)(&(&smc->conn.tx_work)->work)){+.+.}-{0:0}:\n__lock_acquire+0x58e/0xbd8\nlock_acquire.part.0+0xe2/0x248\nlock_acquire+0xac/0x1c8\nprocess_one_work+0x2bc/0x730\nworker_thread+0x62/0x420\nkthread+0x138/0x150\n__ret_from_fork+0x3c/0x58\nret_from_fork+0xa/0x40\n-> #0 ((wq_completion)smc_tx_wq-00000000#2){+.+.}-{0:0}:\ncheck_prev_add+0xd8/0xe88\nvalidate_chain+0x70c/0xb20\n__lock_acquire+0x58e/0xbd8\nlock_acquire.part.0+0xe2/0x248\nlock_acquire+0xac/0x1c8\n__flush_workqueue+0xaa/0x4f0\ndrain_workqueue+0xaa/0x158\ndestroy_workqueue+0x44/0x2d8\nsmc_lgr_free+0x9e/0xf8 [smc]\nprocess_one_work+0x30c/0x730\nworker_thread+0x62/0x420\nkthread+0x138/0x150\n__ret_from_fork+0x3c/0x58\nret_from_fork+0xa/0x40\nother info that might help us debug this:\nChain exists of:\n(wq_completion)smc_tx_wq-00000000#2\n--> smc_client_lgr_pending\n--> (work_completion)(&(&lgr->free_work)->work)\nPossible unsafe locking scenario:\nCPU0 CPU1\n---- ----\nlock((work_completion)(&(&lgr->free_work)->work));\nlock(smc_client_lgr_pending);\nlock((work_completion)\n(&(&lgr->free_work)->work));\nlock((wq_completion)smc_tx_wq-00000000#2);\n*** DEADLOCK ***\n2 locks held by kworker/3:0/176251:\n#0: 0000000080183548\n((wq_completion)events){+.+.}-{0:0},\nat: process_one_work+0x232/0x730\n#1: 0000037fffe97dc8\n((work_completion)\n(&(&lgr->free_work)->work)){+.+.}-{0:0},\nat: process_one_work+0x232/0x730\nstack backtr\n---truncated---", "A flaw was found in the Linux kernel's Server Message Block (SMB) over Remote Direct Memory Access (RDMA) (net/smc) module. This vulnerability allows a local user to trigger a deadlock within the system. The deadlock occurs due to a circular locking dependency when specific operations involving `cancel_delayed_work_syn()` are performed. Successful exploitation of this flaw can lead to a system crash, resulting in a Denial of Service (DoS)." ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2023-11-14T00:00:00Z", "advisory" : "RHSA-2023:7077", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kernel-0:4.18.0-513.5.1.el8_9" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-11-07T00:00:00Z", "advisory" : "RHSA-2023:6583", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-362.8.1.el9_3" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-11-07T00:00:00Z", "advisory" : "RHSA-2023:6583", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-362.8.1.el9_3" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-53233\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-53233\nhttps://lore.kernel.org/linux-cve-announce/2025091515-CVE-2023-53233-8c6b@gregkh/T" ], "name" : "CVE-2023-53233", "csaw" : false }