ACK: [SRU Focal,Bionic,hwe-5.8 0/3] CVE-2020-36385
stefan.bader at canonical.com
Thu Oct 14 08:18:21 UTC 2021
On 12.10.21 00:08, Thadeu Lima de Souza Cascardo wrote:
> If rdma_ucm is loaded, an unprivileged user could cause a UAF during a race
> between RDMA_USER_CM_CMD_MIGRATE_ID+close and RDMA_USER_CM_CMD_DESTROY_ID.
> [Test case]
> A test case that leads to soft lockup was tested. After the fixes, there was no
> lockup and the program could be interrupted after multiple runs.
> Two other commits were backported because they introduce rdma_lock_handler.
> This one was necessary instead of rewriting the code to keep ucma_lock_files,
> which would be error-prone. Simply omitting rdma_lock_handler could potentially
> lead to other race conditions against the ucma event handlers.
> [Potential regression]
> Other race conditions on the UCMA/CMA code could have been mistakenly
> Jason Gunthorpe (3):
>   RDMA/cma: Add missing locking to rdma_accept()
>   RDMA/ucma: Fix the locking of ctx->file
>   RDMA/ucma: Rework ucma_migrate_id() to avoid races with destroy
>
>  drivers/infiniband/core/cma.c  | 25 +++++++--
>  drivers/infiniband/core/ucma.c | 96 +++++++++++++++-------------------
>  include/rdma/rdma_cm.h         |  6 +++
>  3 files changed, 70 insertions(+), 57 deletions(-)
Acked-by: Stefan Bader <stefan.bader at canonical.com>