[SRU Focal,Bionic,hwe-5.8 0/3] CVE-2020-36385
Thadeu Lima de Souza Cascardo
cascardo at canonical.com
Mon Oct 11 22:08:10 UTC 2021
If rdma_ucm is loaded, an unprivileged user could cause a UAF during a race
between RDMA_USER_CM_CMD_MIGRATE_ID+close and RDMA_USER_CM_CMD_DESTROY_ID.
A test case that leads to soft lockup was tested. After the fixes, there was no
lockup and the program could be interrupted after multiple runs.
Two other commits were backported because they introduce rdma_lock_handler.
This one was necessary instead of rewriting the code to keep ucma_lock_files,
which would be error-prone. Simply omitting rdma_lock_handler could potentially
lead to other race conditions against the ucma event handlers.
Other race conditions on the UCMA/CMA code could have been mistakenly
Jason Gunthorpe (3):
RDMA/cma: Add missing locking to rdma_accept()
RDMA/ucma: Fix the locking of ctx->file
RDMA/ucma: Rework ucma_migrate_id() to avoid races with destroy
drivers/infiniband/core/cma.c | 25 +++++++--
drivers/infiniband/core/ucma.c | 96 +++++++++++++++-------------------
include/rdma/rdma_cm.h | 6 +++
3 files changed, 70 insertions(+), 57 deletions(-)