ACK: [SRU Focal,Bionic,hwe-5.8 0/3] CVE-2020-36385

Stefan Bader stefan.bader at canonical.com
Thu Oct 14 08:18:21 UTC 2021


On 12.10.21 00:08, Thadeu Lima de Souza Cascardo wrote:
> [Impact]
> If rdma_ucm is loaded, an unprivileged user could cause a UAF during a race
> between RDMA_USER_CM_CMD_MIGRATE_ID+close and RDMA_USER_CM_CMD_DESTROY_ID.
> 
> [Test case]
> A test case that leads to soft lockup was tested. After the fixes, there was no
> lockup and the program could be interrupted after multiple runs.
> 
> [Backport]
> Two other commits were backported because they introduce rdma_lock_handler.
> This one was necessary instead of rewriting the code to keep ucma_lock_files,
> which would be error-prone. Simply omitting rdma_lock_handler could potentially
> lead to other race conditions against the ucma event handlers.
> 
> [Potential regression]
> Other race conditions on the UCMA/CMA code could have been mistakenly
> introduced.
> 
> 
> Jason Gunthorpe (3):
>    RDMA/cma: Add missing locking to rdma_accept()
>    RDMA/ucma: Fix the locking of ctx->file
>    RDMA/ucma: Rework ucma_migrate_id() to avoid races with destroy
> 
>   drivers/infiniband/core/cma.c  | 25 +++++++--
>   drivers/infiniband/core/ucma.c | 96 +++++++++++++++-------------------
>   include/rdma/rdma_cm.h         |  6 +++
>   3 files changed, 70 insertions(+), 57 deletions(-)
> 
Acked-by: Stefan Bader <stefan.bader at canonical.com>
