Linux Kernel RDMA/cma Workqueue Crash Vulnerability

A vulnerability in the Linux kernel's RDMA (Remote Direct Memory Access) component has been identified, where a workqueue crash can occur. This issue arises in the connection management (cma) layer, specifically within the cma_netevent_work_handler function. The vulnerability is related to the improper handling of work items for the rdma_cm_id structure. When multiple calls to cma_netevent_callback occur in quick succession, the net_work member, which is a work_struct, can be overwritten. This leads to a NULL pointer dereference crash, as the work item may not be processed before being replaced, causing a kernel panic.

Impact

Exploitation of this vulnerability leads to a kernel NULL pointer dereference, causing a crash. This was observed in a workqueue handling event callbacks, where the overwritten work item management resulted in a NULL pointer dereference, crashing the kernel thread processing the work.