net/smc: avoid NULL deref of conn->lnk in smc_msg_event tracepoint

Summary

CVE	CVE-2026-52941
State	PUBLISHED
Assigner	Linux
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-06-24 08:16:24 UTC
Updated	2026-06-24 08:16:24 UTC
Description	In the Linux kernel, the following vulnerability has been resolved: net/smc: avoid NULL deref of conn->lnk in smc_msg_event tracepoint The smc_msg_event tracepoint class, shared by smc_tx_sendmsg and smc_rx_recvmsg, unconditionally dereferences smc->conn.lnk: __string(name, smc->conn.lnk->ibname) conn->lnk is only set for SMC-R; for SMC-D it is NULL. Other code on these paths already handles this (e.g. !conn->lnk in SMC_STAT_RMB_TX_SIZE_SMALL()). With the tracepoint enabled, the first sendmsg()/recvmsg() on an SMC-D socket crashes: Oops: general protection fault, probably for non-canonical address KASAN: null-ptr-deref in range [...] RIP: 0010:strlen+0x1e/0xa0 Call Trace: trace_event_raw_event_smc_msg_event (net/smc/smc_tracepoint.h:44) smc_rx_recvmsg (net/smc/smc_rx.c:515) smc_recvmsg (net/smc/af_smc.c:2859) __sys_recvfrom (net/socket.c:2315) __x64_sys_recvfrom (net/socket.c:2326) do_syscall_64 The faulting address 0x3e0 is offsetof(struct smc_link, ibname), confirming the NULL ->lnk deref. Enabling the tracepoint requires root, but the trigger itself is unprivileged: socket(AF_SMC, ...) has no capability check, and SMC-D negotiation needs no admin step on s390 or on x86 with the loopback ISM device loaded. Log an empty device name for SMC-D instead of dereferencing NULL.

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Linux	Linux	affected aff3083f10bff7a37eaa2b4e6bc5fb627ddd5f84 68200112534bb2acd1d7117dc2d5c124868d866d git	Not specified
CNA	Linux	Linux	affected aff3083f10bff7a37eaa2b4e6bc5fb627ddd5f84 720c76b930c52cd58f50eb6b10569d03dccc7959 git	Not specified
CNA	Linux	Linux	affected aff3083f10bff7a37eaa2b4e6bc5fb627ddd5f84 b706d6d76a2a2793fe5ad0fbc2a75b6a460094ef git	Not specified
CNA	Linux	Linux	affected aff3083f10bff7a37eaa2b4e6bc5fb627ddd5f84 d2ea0b8aef8746e147602eac87ca8538f4bc7e66 git	Not specified
CNA	Linux	Linux	affected aff3083f10bff7a37eaa2b4e6bc5fb627ddd5f84 561cf66fa9b6c86dfe4e687d2d1aeaaa6739917f git	Not specified
CNA	Linux	Linux	affected aff3083f10bff7a37eaa2b4e6bc5fb627ddd5f84 7bf563badd37cb796df5477d2b78bb64148a1268 git	Not specified
CNA	Linux	Linux	affected 5.16	Not specified
CNA	Linux	Linux	unaffected 5.16 semver	Not specified
CNA	Linux	Linux	unaffected 6.1.175 6.1.* semver	Not specified
CNA	Linux	Linux	unaffected 6.6.142 6.6.* semver	Not specified
CNA	Linux	Linux	unaffected 6.12.92 6.12.* semver	Not specified
CNA	Linux	Linux	unaffected 6.18.34 6.18.* semver	Not specified
CNA	Linux	Linux	unaffected 7.0.11 7.0.* semver	Not specified
CNA	Linux	Linux	unaffected 7.1 * original_commit_for_fix	Not specified

References

Reference	Source	Link	Tags
git.kernel.org/stable/c/720c76b930c52cd58f50eb6b10569d03dccc7959	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/68200112534bb2acd1d7117dc2d5c124868d866d	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/d2ea0b8aef8746e147602eac87ca8538f4bc7e66	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/b706d6d76a2a2793fe5ad0fbc2a75b6a460094ef	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/561cf66fa9b6c86dfe4e687d2d1aeaaa6739917f	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/7bf563badd37cb796df5477d2b78bb64148a1268	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.