GHSA-3h9m-xfjq-9f2f: In the Linux kernel, the following vulnerability has been resolved: smc: Fix use-after-free in...

A use-after-free vulnerability in the Linux kernel's tcp_write_timer_handler() function has been resolved, affecting kernel TCP sockets created by SMC.

In the Linux kernel, the following vulnerability has been resolved: smc: Fix use-after-free in tcp_write_timer_handler().

With Eric's ref tracker, syzbot finally found a repro for use-after-free in tcp_write_timer_handler() by kernel TCP sockets. [0]

If SMC creates a kernel socket in __smc_create(), the kernel socket is supposed to be freed in smc_clcsock_release() by calling sock_release() when we close() the parent SMC socket.

However, at the end of smc_clcsock_release(), the kernel socket's sk_state might not be TCP_CLOSE. This means that we have not called inet_csk_destroy_sock() in __tcp…
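The lifecycle invariant the advisory describes is that the socket's timer must be disarmed (the destroy step that only runs once the state reaches TCP_CLOSE) before the last reference is dropped; otherwise the still-armed timer fires with a dangling pointer. The following user-space C model is an added example, not kernel code and not the fix from the kernel commit. All names (`ksock`, `release_buggy`, `release_fixed`, `write_timer_handler`, `simulate`) are hypothetical stand-ins for the kernel objects mentioned in the text, and the "freed" tombstone flag replaces real memory reuse so the model can report the dangling access instead of crashing.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical states standing in for the advisory's TCP_CLOSE vs. not-yet-closed. */
enum sk_state { SK_CLOSE = 0, SK_ESTABLISHED = 1 };

struct ksock {
    enum sk_state state;
    int refcnt;
    int freed;      /* model-only tombstone; real freed memory would be reused */
};

/* A timer keeps a raw pointer to its socket, as the kernel write timer does. */
struct timer {
    struct ksock *sk;
    int pending;
};

static struct ksock *ksock_create(struct timer *t)
{
    struct ksock *sk = calloc(1, sizeof *sk);
    if (!sk)
        abort();
    sk->state = SK_ESTABLISHED;
    sk->refcnt = 1;
    t->sk = sk;
    t->pending = 1;     /* write timer armed while data is in flight */
    return sk;
}

/* Stand-in for the destroy step that disarms the timer and drops its reference.
   In the advisory's description that step only happens once the state is CLOSE. */
static void ksock_destroy(struct ksock *sk, struct timer *t)
{
    t->pending = 0;
    sk->refcnt--;
}

static void ksock_put_last(struct ksock *sk)
{
    if (sk->refcnt <= 0)
        sk->freed = 1;  /* stand-in for the object being freed */
}

/* Buggy release path (hypothetical model of the advisory's scenario): when the
   state is not CLOSE the destroy step is skipped, the last reference is dropped
   anyway, and the timer stays armed with a pointer to freed memory. */
static void release_buggy(struct ksock *sk, struct timer *t)
{
    if (sk->state == SK_CLOSE)
        ksock_destroy(sk, t);
    else
        sk->refcnt--;
    ksock_put_last(sk);
}

/* Hardened release (a generic remedy for the model, not the kernel's patch):
   drive the state machine to CLOSE and run the destroy step before freeing,
   so no timer can outlive the object it points to. */
static void release_fixed(struct ksock *sk, struct timer *t)
{
    if (sk->state != SK_CLOSE)
        sk->state = SK_CLOSE;
    ksock_destroy(sk, t);
    ksock_put_last(sk);
}

/* Timer callback. Returns 1 if it dereferenced a socket that was already freed. */
static int write_timer_handler(struct timer *t)
{
    if (!t->pending)
        return 0;
    t->pending = 0;
    return t->sk->freed ? 1 : 0;
}

/* Run one create/release/timer-fire cycle; returns 1 when the timer touches a
   freed socket (the use-after-free), 0 otherwise. */
int simulate(int fixed)
{
    struct timer t = {0};
    struct ksock *sk = ksock_create(&t);
    if (fixed)
        release_fixed(sk, &t);
    else
        release_buggy(sk, &t);
    int uaf = write_timer_handler(&t);
    free(sk);   /* model teardown only; the tombstone already recorded the outcome */
    return uaf;
}

int main(void)
{
    printf("buggy release: %s\n", simulate(0) ? "timer touched freed socket" : "ok");
    printf("fixed release: %s\n", simulate(1) ? "timer touched freed socket" : "ok");
    return 0;
}
```

The point the model makes is that the teardown step which disarms the timer is conditional on socket state, while freeing is not; any release path that can reach the free without passing through that step leaves a dangling timer. Reference-tracking tools of the kind the advisory credits with finding the bug catch exactly this mismatch: a reference held by the timer that is never matched by a release before the object goes away.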