In the Linux kernel, the following vulnerability has been resolved:
net/smc: fix wrong list_del in smc_lgr_cleanup_early
smc_lgr_cleanup_early() meant to delete the link group from the link group
list, but it deleted the list head by mistake. This may cause memory
corruption since we didn’t remove the real link group from the list and
later memseted the link group structure. We got a list corruption panic
when testing: [ 231.277259] list_del corruption. prev->next should be
ffff8881398a8000, but was 0000000000000000 [ 231.278222] ------------[ cut
here ]------------ [ 231.278726] kernel BUG at lib/list_debug.c:53! [
231.279326] invalid opcode: 0000 [#1] SMP NOPTI [ 231.279803] CPU: 0 PID: 5
Comm: kworker/0:0 Not tainted 5.10.46+ #435 [ 231.280466] Hardware name:
Alibaba Cloud ECS, BIOS 8c24b4c 04/01/2014 [ 231.281248] Workqueue: events
smc_link_down_work [ 231.281732] RIP: 0010:__list_del_entry_valid+0x70/0x90
[ 231.282258] Code: 4c 60 82 e8 7d cc 6a 00 0f 0b 48 89 fe 48 c7 c7 88 4c
60 82 e8 6c cc 6a 00 0f 0b 48 89 fe 48 c7 c7 c0 4c 60 82 e8 5b cc 6a 00
<0f> 0b 48 89 fe 48 c7 c7 00 4d 60 82 e8 4a cc 6a 00 0f 0b cc cc cc [
231.284146] RSP: 0018:ffffc90000033d58 EFLAGS: 00010292 [ 231.284685] RAX:
0000000000000054 RBX: ffff8881398a8000 RCX: 0000000000000000 [ 231.285415]
RDX: 0000000000000001 RSI: ffff88813bc18040 RDI: ffff88813bc18040 [
231.286141] RBP: ffffffff8305ad40 R08: 0000000000000003 R09:
0000000000000001 [ 231.286873] R10: ffffffff82803da0 R11: ffffc90000033b90
R12: 0000000000000001 [ 231.287606] R13: 0000000000000000 R14:
ffff8881398a8000 R15: 0000000000000003 [ 231.288337] FS:
0000000000000000(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000 [
231.289160] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 231.289754]
CR2: 0000000000e72058 CR3: 000000010fa96006 CR4: 00000000003706f0 [
231.290485] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
0000000000000000 [ 231.291211] DR3: 0000000000000000 DR6: 00000000fffe0ff0
DR7: 0000000000000400 [ 231.291940] Call Trace: [ 231.292211]
smc_lgr_terminate_sched+0x53/0xa0 [ 231.292677] smc_switch_conns+0x75/0x6b0
[ 231.293085] ? update_load_avg+0x1a6/0x590 [ 231.293517] ?
ttwu_do_wakeup+0x17/0x150 [ 231.293907] ? update_load_avg+0x1a6/0x590 [
231.294317] ? newidle_balance+0xca/0x3d0 [ 231.294716]
smcr_link_down+0x50/0x1a0 [ 231.295090] ? __wake_up_common_lock+0x77/0x90 [
231.295534] smc_link_down_work+0x46/0x60 [ 231.295933]
process_one_work+0x18b/0x350
git.kernel.org/linus/789b6cc2a5f9123b9c549b886fdc47c865cfe0ba (5.16-rc4)
git.kernel.org/stable/c/77731fede297a23d26f2d169b4269466b2c82529
git.kernel.org/stable/c/789b6cc2a5f9123b9c549b886fdc47c865cfe0ba
git.kernel.org/stable/c/95518fe354d712dca6f431cf2a11b8f63bc9a66c
launchpad.net/bugs/cve/CVE-2021-47536
nvd.nist.gov/vuln/detail/CVE-2021-47536
security-tracker.debian.org/tracker/CVE-2021-47536
www.cve.org/CVERecord?id=CVE-2021-47536