[SRU Focal,Bionic,hwe-5.8 0/3] CVE-2020-36385

Thadeu Lima de Souza Cascardo cascardo at canonical.com
Mon Oct 11 22:08:10 UTC 2021

If rdma_ucm is loaded, an unprivileged user could cause a UAF during a race

[Test case]
A test case that leads to a soft lockup was tested. After the fixes, there was no
lockup and the program could be interrupted after multiple runs.

Two other commits were backported because they introduce rdma_lock_handler.
This one was necessary instead of rewriting the code to keep ucma_lock_files,
which would be error-prone. Simply omitting rdma_lock_handler could potentially
lead to other race conditions against the ucma event handlers.

[Potential regression]
Other race conditions on the UCMA/CMA code could have been mistakenly

Jason Gunthorpe (3):
  RDMA/cma: Add missing locking to rdma_accept()
  RDMA/ucma: Fix the locking of ctx->file
  RDMA/ucma: Rework ucma_migrate_id() to avoid races with destroy

 drivers/infiniband/core/cma.c  | 25 +++++++--
 drivers/infiniband/core/ucma.c | 96 +++++++++++++++-------------------
 include/rdma/rdma_cm.h         |  6 +++
 3 files changed, 70 insertions(+), 57 deletions(-)
