Linux Kernel RDMA/bnxt_re Use-After-Free Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's RDMA/bnxt_re component. This issue arises from an improper order of operations when deallocating an RDMA device, specifically within the auxiliary driver interface. The vulnerability affects the stable versions of the Linux kernel.

Impact

The vulnerability can lead to a use-after-free condition, which may be exploited to execute arbitrary code or cause a denial-of-service by accessing freed memory.

Reproduction

To reproduce this vulnerability, remove an RDMA device managed by the bnxt_re driver. During the removal process, the device's resources are cleaned up, but the deallocation of the device itself is improperly sequenced. The ib_dealloc_device() function is called before the device has been fully cleaned up, creating a window where the device's memory can be accessed after it has been freed, leading to a use-after-free condition.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed. The specific commit that resolves this issue is available in the Linux kernel stable tree.