Linux kernel
cpe:2.3:o:kernel:linux_kernel:*:*:*:*:*:*:*
A null pointer dereference vulnerability has been identified in the Linux kernel's RDMA/rxe component. This issue occurs in the function rxe_qp_do_cleanup() when the socket creation fails, leading to a read of an invalid memory address. The vulnerability manifests as a bug reported by KASAN, indicating a null pointer dereference while the CIFS filesystem is being mounted over RDMA. The problem arises because the socket creation failure is not properly handled, allowing a cleanup function to access a null reference.
Exploitation of this vulnerability leads to a null pointer dereference, causing a crash of the affected process. This type of vulnerability can often be exploited to create a denial-of-service condition.
The vulnerability can be reproduced by attempting to mount the CIFS filesystem over RDMA using the Soft RoCE driver. This process will trigger the null pointer dereference in the RDMA/rxe component, specifically in the rxe_qp_do_cleanup() function, in response to a failed socket creation.
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. The specific commit that addresses this issue is available in the Linux kernel stable tree.
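The failure pattern described above, reduced to a userspace C model: an added example, not code from the Linux kernel or from the fix commit. All names (model_qp, model_sock and the functions) are hypothetical stand-ins; only the shape of the bug, a cleanup routine reached after socket creation has failed, comes from the description.

```c
#include <stdio.h>
#include <stdlib.h>

/* Userspace model; all names are hypothetical, not the kernel's rxe code. */
struct model_sock { int open; };
struct model_qp   { struct model_sock *sk; };

/* Stand-in for socket creation that can be made to fail. */
static struct model_sock *model_sock_create(int fail)
{
    struct model_sock *s = fail ? NULL : calloc(1, sizeof(*s));
    if (s)
        s->open = 1;
    return s;
}

/* Init leaves qp->sk NULL when socket creation fails. */
int model_qp_init(struct model_qp *qp, int fail_sock)
{
    qp->sk = model_sock_create(fail_sock);
    return qp->sk ? 0 : -1;
}

/* Unguarded cleanup: assumes init succeeded. If qp->sk is NULL, the
 * read of qp->sk->open is the null pointer dereference. */
int model_qp_cleanup_unguarded(struct model_qp *qp)
{
    int was_open = qp->sk->open;
    free(qp->sk);
    qp->sk = NULL;
    return was_open;
}

/* Guarded cleanup: safe after a partial init. Returns 1 if a socket
 * was released, 0 if there was none to release. */
int model_qp_cleanup_guarded(struct model_qp *qp)
{
    if (!qp->sk)
        return 0;
    return model_qp_cleanup_unguarded(qp);
}

int main(void)
{
    struct model_qp qp;
    int rc = model_qp_init(&qp, 1);   /* force socket creation to fail */
    printf("init rc=%d, released=%d\n", rc, model_qp_cleanup_guarded(&qp));
    return 0;
}
```

The guarded variant makes cleanup tolerant of every partially initialised state that init can leave behind, which is the property an error path shared with normal teardown needs.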