Linux Kernel RDMA/Irdma CQP Request Data Race Vulnerability

Vulnerability

A data race vulnerability has been identified in the Linux kernel's RDMA/Irdma component, in the handling of Completion Queue Processor (CQP) requests. The CQP request's 'request_done' flag is accessed without proper synchronization in the 'irdma_handle_cqp_op' function: it is read there in a lockless manner while the 'irdma_cqp_ce_handler' function updates it. Because no lock protects the flag, different tasks can read and write it concurrently, leading to potential inconsistencies. The Kernel Concurrency Sanitizer (KCSAN) detected the issue and reported the data race as a bug. The resulting race condition could be exploited to disrupt the normal processing of CQP commands.

Impact

Exploitation of this vulnerability triggers the data race, causing unpredictable behavior in the handling of CQP requests within the RDMA/Irdma component.

Reproduction

The vulnerability can be reproduced by loading the RDMA/Irdma driver and performing operations that involve the Completion Queue Processor (CQP) commands. The Kernel Concurrency Sanitizer (KCSAN) can be used to detect the data race condition on the 'request_done' flag, which is accessed locklessly in the 'irdma_handle_cqp_op' function while being updated in the 'irdma_cqp_ce_handler' function.
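The following triage script is an added example, not code from the advisory or from the kernel project. It scans kernel log text for KCSAN data-race reports and keeps those whose two sides are the functions named above. It assumes the standard KCSAN report layout; the sample log, including its addresses, offsets, task ids and timestamps, is constructed.

```python
import re
# Constructed sample kernel log (not captured from a real system).
SAMPLE_LOG = """\
[  812.100002] BUG: KCSAN: data-race in irdma_cqp_ce_handler / irdma_handle_cqp_op
[  812.100004] write to 0xffff888100aa0018 of 1 bytes by task 311 on cpu 2:
[  812.100005]  irdma_cqp_ce_handler+0x1c4/0x2f0 [irdma]
[  812.100006]  process_one_work+0x3b0/0x6a0
[  812.100008] read to 0xffff888100aa0018 of 1 bytes by task 977 on cpu 5:
[  812.100009]  irdma_handle_cqp_op+0xf2/0x210 [irdma]
[  812.100011] Reported by Kernel Concurrency Sanitizer on:
[  900.000001] BUG: KCSAN: data-race in test_kernel_read / test_kernel_write
[  900.000002] write to 0xffffffffc009a628 of 8 bytes by task 487 on cpu 0:
[  900.000003]  test_kernel_write+0x1d/0x30
[  900.000004] read to 0xffffffffc009a628 of 8 bytes by interrupt on cpu 6:
[  900.000005]  test_kernel_read+0x10/0x20
"""

SYM = r"([A-Za-z_][\w.]*)(?: \[\w+\])?"  # symbol, optional " [module]" suffix
HEADER = re.compile(r"BUG: KCSAN: data-race in " + SYM + " / " + SYM)
ACCESS = re.compile(r"(read-write|read|write)(?: \(marked\))? to (0x[0-9a-f]+) "
                    r"of (\d+) bytes by (task \d+|interrupt) on cpu (\d+):")
FRAME = re.compile(r"\s*([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
STAMP = re.compile(r"^\[\s*\d+\.\d+\] ?")  # dmesg timestamp prefix
WATCH = {"irdma_handle_cqp_op", "irdma_cqp_ce_handler"}  # named in the advisory

def parse_kcsan(log_text):
    """Return one dict per two-sided KCSAN data-race report in a kernel log."""
    reports, cur = [], None
    for raw in log_text.splitlines():
        line = STAMP.sub("", raw)
        if (m := HEADER.search(line)):
            cur = {"funcs": {m[1], m[2]}, "accesses": []}
            reports.append(cur)
        elif cur is None or line.startswith("Reported by Kernel Concurrency"):
            cur = None  # outside a report, or its stack-trace section has ended
        elif (m := ACCESS.search(line)):
            cur["accesses"].append({"op": m[1], "addr": m[2], "size": int(m[3]),
                                    "ctx": m[4], "cpu": int(m[5]), "top": None})
        elif (m := FRAME.match(line)) and cur["accesses"]:
            # Keep only the first frame after an access line: the accessing function.
            cur["accesses"][-1]["top"] = cur["accesses"][-1]["top"] or m[1]
    return reports

def irdma_cqp_races(log_text):
    """Reports whose two sides are exactly the functions the advisory names."""
    return [r for r in parse_kcsan(log_text) if r["funcs"] == WATCH]

if __name__ == "__main__":
    print(irdma_cqp_races(SAMPLE_LOG))
```

A matching report on a KCSAN-enabled build indicates the running kernel still contains the unsynchronized access; no match after the same workload is consistent with the fix being present.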

Remediation

Users can apply the latest patches available in the Linux kernel stable tree to address this vulnerability. The patch has been included in the official Linux kernel repository.

Added: Dec 30, 2025, 2:21 PM
Updated: Dec 30, 2025, 2:21 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.6
exploitability: 5.3
remediation: 7.7
relevance: 1.8
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.