Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's RDMA/SIW component relates to improper event handling for connection replies. When the 'siw_recv_mpa_rr' function returns a temporary error indicating that the MPA reply has not been fully received, the 'IW_CM_EVENT_CONNECT_REPLY' event should not be reported. Reporting the event in that case can trigger a call trace in the 'iw_cm' module, potentially leading to a kernel bug. The issue can be reproduced by running the 'ib_send_lat' command against a specified server IP, which exercises the erroneous event handling.
Exploitation of this vulnerability causes a kernel bug due to an invalid opcode, leading to a call trace that can disrupt normal kernel operations.
To reproduce this vulnerability, initiate a connection from a client to a server using the 'ib_send_lat' command. The client should include the '-R' option followed by the server's IP address. This will trigger the 'IW_CM_EVENT_CONNECT_REPLY' event before the MPA reply has been fully received, causing the improper event handling that leads to the vulnerability.
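A small user-space model of the reporting rule described above, added here as an illustration and not taken from the kernel source. The function names, the 20-byte reply length and the use of -EAGAIN as the temporary error are assumptions. It counts how many connect-reply events reach the upper layer when one reply arrives in several segments.

```c
/* Constructed model, not kernel code: every name below is hypothetical. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#define REPLY_LEN 20            /* constructed length of a complete reply */

struct model_ep {
    size_t rcvd;                /* reply bytes buffered so far */
    int    events;              /* connect-reply events passed upward */
};

/* Receive step: 0 when complete, -EAGAIN (assumed temporary error) while
 * bytes are missing, -EPROTO if the peer sent more than a reply holds. */
static int model_recv(struct model_ep *ep, size_t chunk)
{
    ep->rcvd += chunk;
    if (ep->rcvd > REPLY_LEN)
        return -EPROTO;
    return ep->rcvd < REPLY_LEN ? -EAGAIN : 0;
}

/* Behaviour the description warns about: report whatever recv returned. */
static void handle_unfixed(struct model_ep *ep, size_t chunk)
{
    (void)model_recv(ep, chunk);
    ep->events++;
}

/* Corrected: a temporary error means "wait for more data", no event. */
static void handle_fixed(struct model_ep *ep, size_t chunk)
{
    if (model_recv(ep, chunk) == -EAGAIN)
        return;
    ep->events++;               /* final success or hard failure only */
}

/* Feed one reply split into n segments; return how many events fired. */
static int run(void (*h)(struct model_ep *, size_t), const size_t *c, size_t n)
{
    struct model_ep ep = { 0, 0 };
    for (size_t i = 0; i < n; i++)
        h(&ep, c[i]);
    return ep.events;
}

int main(void)
{
    const size_t split[] = { 8, 12 };   /* constructed: reply in two segments */
    printf("unfixed=%d fixed=%d\n", run(handle_unfixed, split, 2),
           run(handle_fixed, split, 2));
    return 0;
}
```

An upper layer that expects exactly one reply per connection attempt sees two from the unfixed handler whenever the reply is split, which is the condition the description ties to the 'iw_cm' call trace.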