Linux Kernel RDMA/srpt NULL Pointer Dereference Vulnerability

Vulnerability

A vulnerability in the Linux kernel's RDMA/srpt module can lead to a NULL pointer dereference. This issue arises when the 'mad_agent' pointer, used for managing MAD (Management Agent Data) agents, is unregistered without a proper validity check. The vulnerability occurs because the 'mad_agent' can temporarily hold an error value when the functions 'srpt_add_one()' and 'srpt_remove_one()' are executed simultaneously. The problem is exacerbated when the RoCE (RDMA over Converged Ethernet) driver unregisters the associated ib_device, creating a window for the error condition to be exploited.

Impact

Exploitation of this vulnerability causes a kernel NULL pointer dereference, leading to a crash of the kernel and potentially causing a denial of service.

Reproduction

The vulnerability can be reproduced by simultaneously adding and removing an SRP (SCSI RDMA Protocol) target in the RDMA/srpt module while the RoCE driver is active. This can be done by triggering the 'srpt_add_one()' and 'srpt_remove_one()' functions at the same time, which will cause the 'mad_agent' pointer to hold an error value. When the RoCE driver then unregisters the ib_device, the NULL pointer dereference occurs, crashing the kernel.
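A user-space model of the pointer-check defect described in the Vulnerability and Reproduction sections, added here as an illustration rather than taken from the kernel's ib_srpt code: it mirrors the kernel's ERR_PTR convention, shows how a remove path that only tests for NULL walks into an error-valued 'mad_agent', and shows the check that avoids it. The struct and function names (srpt_port, port_add, unsafe_unregister, safe_unregister, run_remove) are hypothetical.

```c
/* Added illustration, not the kernel's ib_srpt code; all names are hypothetical. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#define MAX_ERRNO 4095
/* Same convention as the kernel's ERR_PTR()/IS_ERR(): the top MAX_ERRNO
 * addresses of the pointer space encode negative errno values. */
static inline void *ERR_PTR(long err) { return (void *)err; }
static inline int IS_ERR(const void *p) { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }
static inline int IS_ERR_OR_NULL(const void *p) { return !p || IS_ERR(p); }

struct mad_agent { int registered; };
struct srpt_port { struct mad_agent *mad_agent; };

/* Add path stand-in: on failure the field holds an error value, not NULL. */
static void port_add(struct srpt_port *port, struct mad_agent *agent, int fail)
{
    port->mad_agent = fail ? ERR_PTR(-ENOMEM) : agent;
}

/* Unsafe remove path: a plain NULL test lets an ERR_PTR through; the kernel
 * would fault on the dereference, modelled here by returning -EFAULT. */
static int unsafe_unregister(struct srpt_port *port)
{
    if (port->mad_agent) {
        if (IS_ERR(port->mad_agent))
            return -EFAULT;              /* kernel would crash here */
        port->mad_agent->registered = 0;
        port->mad_agent = NULL;
    }
    return 0;
}

/* Hardened remove path: skip NULL and error values, then clear the field. */
static int safe_unregister(struct srpt_port *port)
{
    if (!IS_ERR_OR_NULL(port->mad_agent))
        port->mad_agent->registered = 0;
    port->mad_agent = NULL;
    return 0;
}

/* One add/remove sequence; returns the remove path's result. */
static int run_remove(int add_fails, int hardened)
{
    struct mad_agent agent = { .registered = 1 };
    struct srpt_port port;
    port_add(&port, &agent, add_fails);
    return hardened ? safe_unregister(&port) : unsafe_unregister(&port);
}
```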

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed. The specific commit that resolves this issue is available in the Linux kernel stable tree.

Added: Dec 30, 2025, 2:40 PM
Updated: Dec 30, 2025, 2:40 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 7.7
relevance: 1.7
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.