ACK: [SRU Focal,Bionic,hwe-5.8 0/3] CVE-2020-36385
Kleber Souza
kleber.souza at canonical.com
Tue Oct 12 15:27:02 UTC 2021
On 12.10.21 00:08, Thadeu Lima de Souza Cascardo wrote:
> [Impact]
> If rdma_ucm is loaded, an unprivileged user could cause a UAF during a race
> between RDMA_USER_CM_CMD_MIGRATE_ID+close and RDMA_USER_CM_CMD_DESTROY_ID.
>
> [Test case]
> A test case that leads to soft lockup was tested. After the fixes, there was no
> lockup and the program could be interrupted after multiple runs.
>
> [Backport]
> Two other commits were backported because they introduce rdma_lock_handler.
> This one was necessary instead of rewriting the code to keep ucma_lock_files,
> which would be error-prone. Simply omitting rdma_lock_handler could potentially
> lead to other race conditions against the ucma event handlers.
>
> [Potential regression]
> Other race conditions on the UCMA/CMA code could have been mistakenly
> introduced.
>
>
> Jason Gunthorpe (3):
>   RDMA/cma: Add missing locking to rdma_accept()
>   RDMA/ucma: Fix the locking of ctx->file
>   RDMA/ucma: Rework ucma_migrate_id() to avoid races with destroy
>
> drivers/infiniband/core/cma.c | 25 +++++++--
> drivers/infiniband/core/ucma.c | 96 +++++++++++++++-------------------
> include/rdma/rdma_cm.h | 6 +++
> 3 files changed, 70 insertions(+), 57 deletions(-)
>
The backports look good.
Acked-by: Kleber Sacilotto de Souza <kleber.souza at canonical.com>
Thanks