Linux Kernel RDMA/siw QP Use-After-Free Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's RDMA/siw component, specifically within the handling of Queue Pair (QP) destruction. This issue arises because the QP destroy process does not wait for all references to be released, leading to a situation where a QP can be accessed after it has been freed. The vulnerability was discovered during testing of NFSoRDMA, where a delayed response to a TCP connection drop resulted in a reference to a QP that had already been deallocated.

Impact

Exploitation of this vulnerability can lead to a use-after-free condition, which may be exploited to cause memory corruption or execute arbitrary code.

Reproduction

The vulnerability can be reproduced by running the xfstest suite, specifically the generic/460 test, while using NFSoRDMA. This test will simulate a TCP connection drop, causing the siw_cm_work_handler to reference a QP that has already been destroyed, creating a use-after-free scenario.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed.