Linux Kernel RDMA/EFA Resource Deallocation Order Vulnerability

Vulnerability

A vulnerability exists in the Linux kernel's RDMA/EFA component, specifically in the order of resource deallocation when destroying Queue Pairs (QPs) or Completion Queues (CQs). The reference count is decreased, and memory regions may be freed, before the device is requested to destroy the object. If the device fails to complete the destruction, the object remains partially intact, and a further destroy attempt decrements a reference count that is already zero, causing an underflow. This vulnerability affects the Linux kernel stable tree.

Impact

The vulnerability can cause a reference count underflow, potentially leading to memory corruption or other unintended behavior in the RDMA/EFA component.

Reproduction

To reproduce this vulnerability, create a Queue Pair (QP) or Completion Queue (CQ) in the RDMA/EFA component of the Linux kernel. Then, initiate the destruction process. The vulnerability will manifest if the device fails to fully destroy the object, allowing the user or InfiniBand core to attempt the destruction again, which will cause an underflow in the reference count.

Remediation

The vulnerability has been addressed by modifying the resource deallocation process to occur in the reverse order of allocation, ensuring that resources are freed safely. Users can apply the latest patches available in the Linux kernel stable tree to mitigate this issue.
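
The ordering problem and its fix, as an added example that is not the EFA driver's code or the upstream patch: a userspace C model in which the device fails the first destroy request and the caller retries. The names `resource`, `queue_obj`, `device_destroy`, `destroy_before_fix` and `destroy_after_fix` are hypothetical, and a plain `int` counter is assumed so the underflow is visible.

```c
#include <stdbool.h>
#include <stdio.h>
/* Constructed userspace model; all names are hypothetical, not kernel symbols. */
struct resource { int refcnt; };   /* plain int so an underflow shows as < 0 */
struct queue_obj { struct resource *res; bool hw_alive; };

static int fails_left;             /* how many device requests will still fail */

static int device_destroy(struct queue_obj *q)
{
    if (fails_left > 0) { fails_left--; return -1; }
    q->hw_alive = false;
    return 0;
}

/* Order the advisory describes as vulnerable: release first, then ask the device. */
static int destroy_before_fix(struct queue_obj *q)
{
    q->res->refcnt--;              /* reference dropped even if the device fails */
    return device_destroy(q);
}

/* Reverse order of allocation: device first, release only after it succeeds. */
static int destroy_after_fix(struct queue_obj *q)
{
    int err = device_destroy(q);
    if (err)
        return err;                /* nothing released yet, so a retry is safe */
    q->res->refcnt--;
    return 0;
}

/* One object holding one reference; the first destroy fails and is retried once.
 * Returns the final count: 0 is balanced, a negative value is an underflow. */
static int run_retry(int (*destroy)(struct queue_obj *))
{
    struct resource res = { .refcnt = 1 };
    struct queue_obj q = { .res = &res, .hw_alive = true };
    fails_left = 1;
    if (destroy(&q) != 0)
        destroy(&q);               /* the user or InfiniBand core tries again */
    return res.refcnt;
}

int main(void)
{
    printf("before fix: refcnt=%d\n", run_retry(destroy_before_fix));
    printf("after fix:  refcnt=%d\n", run_retry(destroy_after_fix));
    return 0;
}
```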

Added: Dec 30, 2025, 3:53 PM
Updated: Dec 30, 2025, 3:53 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 1.8
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.