Linux Kernel Use-After-Free Vulnerability in mlx5 Command Interface

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's mlx5 command interface. It is caused by a race between the 'mlx5_cmd_cleanup_async_ctx' function and the 'mlx5_cmd_exec_cb_handler' callback: when 'mlx5_cmd_cleanup_async_ctx' is called while callbacks are still in flight, it can return before every callback handler has finished with the asynchronous context, so a handler may access the context object after it has been freed. The problem was traced and confirmed with the Kernel Address Sanitizer (KASAN), which reported the use-after-free.

Impact

Triggering this race makes a callback handler access an already freed kernel object. Such a use-after-free can corrupt kernel memory and may allow arbitrary code execution.

Reproduction

The vulnerability can be reproduced by initializing an asynchronous command context with two callbacks in flight. While those callbacks are still in progress, invoke 'mlx5_cmd_cleanup_async_ctx', which drops the count of active callbacks. Once the count reaches one, 'mlx5_cmd_exec_cb_handler' runs for the remaining callback, completes it and brings the count to zero. 'mlx5_cmd_cleanup_async_ctx' is meant to wait for the callbacks to complete, but if it returns before every handler has finished with the context, the context object is freed prematurely. The handler then accesses the freed object, triggering the use-after-free.

Remediation

Users can apply the patch available in the Linux kernel stable tree to address this vulnerability. The patch synchronizes the cleanup process by using a completion object, ensuring that all callback handlers have finished before the context object is freed.
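The race from the Reproduction section and the completion-based fix from the Remediation section, as an added userspace model written for this page (it is not the kernel's code and not the stable-tree patch). The two kernel function names come from the page; the reference counter that starts at one for the owner, the wait-queue wake-up in the pre-patch handler, and the lock shared by complete() and wait_for_completion() are assumptions about the internals, and the interleaving is scripted with a step flag so it plays out deterministically. The point it shows is that a waiter that merely observes the counter reaching zero can return, and let the context be freed, before the handler's last access to it, whereas a completion forces the waiter through the lock the handler still holds.

```c
/* Added userspace model of the mlx5 async-context race and of its completion fix; not kernel code. */
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

struct model_ctx {
    atomic_int num_inflight;  /* assumed: starts at 1 for the owner's own reference */
    atomic_bool freed;        /* stands in for kfree(): set once cleanup has returned */
    atomic_bool uaf_observed; /* a handler dereferenced ctx after it was freed */
    atomic_int step;          /* script: 1 = cleanup decremented, 2 = cleanup returned */
    bool fixed;               /* false: wait-queue pattern, true: completion pattern */
    pthread_mutex_t lock;     /* completion state, used by the fixed variant only */
    pthread_cond_t cond;
    bool done;
};

/* Any dereference of ctx after cleanup returned is the bug; record it. */
static void touch(struct model_ctx *ctx)
{
    if (atomic_load(&ctx->freed))
        atomic_store(&ctx->uaf_observed, true);
}

/* mlx5_cmd_exec_cb_handler() model: after the user callback, drop a reference; the last one notifies the waiter. */
static void handler(struct model_ctx *ctx)
{
    if (atomic_fetch_sub(&ctx->num_inflight, 1) != 1)
        return;
    if (!ctx->fixed) {
        /* Window between the decrement and wake_up(&ctx->wait): a few instructions on real
         * hardware; the script holds it open until cleanup has returned. */
        while (atomic_load(&ctx->step) < 2)
            sched_yield();
        touch(ctx); /* wake_up() reads the wait queue inside the freed ctx */
        return;
    }
    sched_yield(); /* same window, but the waiter cannot get past it */
    /* complete(): signal and last access to ctx happen under the lock that
     * wait_for_completion() must also take before it can return. */
    pthread_mutex_lock(&ctx->lock);
    ctx->done = true;
    pthread_cond_signal(&ctx->cond);
    touch(ctx);
    pthread_mutex_unlock(&ctx->lock);
}

/* mlx5_cmd_cleanup_async_ctx() model, before (wait queue) and after (completion) the fix. */
static void cleanup(struct model_ctx *ctx)
{
    bool last = atomic_fetch_sub(&ctx->num_inflight, 1) == 1;
    atomic_store(&ctx->step, 1);
    if (!ctx->fixed) {
        /* wait_event(num_inflight == 0) returns as soon as the counter reads zero,
         * even though the handler that zeroed it is not finished with ctx. */
        while (atomic_load(&ctx->num_inflight) != 0)
            sched_yield();
    } else if (!last) {
        /* wait_for_completion() returns only once the handler has released the lock. */
        pthread_mutex_lock(&ctx->lock);
        while (!ctx->done)
            pthread_cond_wait(&ctx->cond, &ctx->lock);
        pthread_mutex_unlock(&ctx->lock);
    }
    atomic_store(&ctx->freed, true); /* the caller frees the context here */
    atomic_store(&ctx->step, 2);
}

/* Two callbacks in flight; the second completes only after cleanup has dropped its own reference. */
static void *callbacks(void *arg)
{
    struct model_ctx *ctx = arg;
    handler(ctx);
    while (atomic_load(&ctx->step) < 1)
        sched_yield();
    handler(ctx);
    return NULL;
}

/* Run one variant; true if a handler touched the freed context. */
bool race_observed(bool fixed)
{
    struct model_ctx ctx = { .num_inflight = 3, /* owner reference + two callbacks */
                             .fixed = fixed, .lock = PTHREAD_MUTEX_INITIALIZER,
                             .cond = PTHREAD_COND_INITIALIZER };
    pthread_t t;
    pthread_create(&t, NULL, callbacks, &ctx);
    cleanup(&ctx);
    pthread_join(t, NULL);
    return atomic_load(&ctx.uaf_observed);
}

int main(void)
{
    printf("wait-queue pattern: UAF %s\n", race_observed(false) ? "observed" : "not observed");
    printf("completion pattern: UAF %s\n", race_observed(true) ? "observed" : "not observed");
}
```

race_observed(false) reports the access after free because the waiter's condition check and the handler's wake-up are not ordered by any lock; race_observed(true) never does, because the handler's final access sits inside the critical section that wait_for_completion() has to enter before the caller can free the context. The same property is what makes the completion the right primitive for "free after the last callback" in the kernel patch.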

Added: Dec 24, 2025, 6:03 PM
Updated: Dec 24, 2025, 6:03 PM

Vulnerability Rating

Custom Algorithm

spread         9.0
impact         2.5
exploitability 5.3
remediation    7.7
relevance      1.6
threat         4.8
urgency        2.9
incentive      1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.