APPLIED: [SRU Focal,Bionic,hwe-5.8 0/3] CVE-2020-36385
Kleber Souza
kleber.souza at canonical.com
Thu Oct 14 14:56:45 UTC 2021
On 12.10.21 00:08, Thadeu Lima de Souza Cascardo wrote:
> [Impact]
> If rdma_ucm is loaded, an unprivileged user could cause a UAF during a race
> between RDMA_USER_CM_CMD_MIGRATE_ID+close and RDMA_USER_CM_CMD_DESTROY_ID.
>
> [Test case]
> A test case that leads to soft lockup was tested. After the fixes, there was no
> lockup and the program could be interrupted after multiple runs.
>
> [Backport]
> Two other commits were backported because they introduce rdma_lock_handler.
> This one was necessary instead of rewriting the code to keep ucma_lock_files,
> which would be error-prone. Simply omitting rdma_lock_handler could potentially
> lead to other race conditions against the ucma event handlers.
>
> [Potential regression]
> Other race conditions on the UCMA/CMA code could have been mistakenly
> introduced.
>
>
> Jason Gunthorpe (3):
>   RDMA/cma: Add missing locking to rdma_accept()
>   RDMA/ucma: Fix the locking of ctx->file
>   RDMA/ucma: Rework ucma_migrate_id() to avoid races with destroy
>
> drivers/infiniband/core/cma.c | 25 +++++++--
> drivers/infiniband/core/ucma.c | 96 +++++++++++++++-------------------
> include/rdma/rdma_cm.h | 6 +++
> 3 files changed, 70 insertions(+), 57 deletions(-)
>
Applied to bionic:linux, focal:linux and focal:linux-hwe-5.8.
Thanks,
Kleber