Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A use-after-free vulnerability has been identified in the Linux kernel's RDMA mlx5 component. This issue arises when a Receive Queue (RQ) is destroyed and the corresponding firmware command fails. In such cases, some software resources are prematurely cleaned up, leading to a potential use-after-free scenario if the object is destroyed again. The vulnerability has been traced back to a refcount underflow, causing a warning about the use-after-free condition.
Exploitation of this vulnerability leads to a use-after-free condition, which can potentially be exploited to execute arbitrary code or cause a denial-of-service by crashing the system.
The vulnerability can be reproduced by creating a Receive Queue (RQ) in the RDMA mlx5 component and then initiating its destruction. If the firmware command fails during this process, the RQ's software resources will be incorrectly cleared. Attempting to destroy the RQ again will trigger the use-after-free vulnerability, as the reference count will have underflowed, creating a situation where freed memory can be accessed improperly.
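A user-space model of the failure path described above, added here as an illustration; it is not mlx5 driver code or the upstream fix, and every name in it (`res`, `rq`, `fw_destroy_cmd`, `destroy_early`, `destroy_after_fw`) is hypothetical. It contrasts releasing software state before the firmware result is known with releasing it only after the command succeeds.

```c
#include <stdio.h>

/* Constructed user-space model; every name is hypothetical, none is mlx5 code. */
struct res { int refcount; };    /* signed, so an underflow shows up as -1 */
struct rq  { struct res *res; }; /* the RQ holds one reference on res */

static int fw_failures;          /* number of upcoming firmware commands that fail */

static int fw_destroy_cmd(void)  /* simulated firmware destroy command */
{
    if (fw_failures <= 0)
        return 0;
    fw_failures--;
    return -1;
}

/* Ordering described above: software state is released before the result is known. */
static int destroy_early(struct rq *rq)
{
    rq->res->refcount--;
    return fw_destroy_cmd();     /* on failure the RQ survives without its reference */
}

/* Alternative ordering: touch software state only after the firmware command succeeds. */
static int destroy_after_fw(struct rq *rq)
{
    int err = fw_destroy_cmd();
    if (err)
        return err;              /* RQ left intact, so a retry is safe */
    rq->res->refcount--;
    return 0;
}

/* First destroy hits a firmware failure, then one retry. Returns the final refcount. */
static int destroy_twice(int (*destroy)(struct rq *))
{
    struct res r = { .refcount = 1 };
    struct rq rq = { .res = &r };
    fw_failures = 1;
    if (destroy(&rq) != 0)
        destroy(&rq);
    return r.refcount;           /* 0 is balanced, -1 is the underflow */
}

int main(void)
{
    printf("early cleanup: %d, cleanup after fw: %d\n",
           destroy_twice(destroy_early), destroy_twice(destroy_after_fw));
    return 0;
}
```

In the kernel, `refcount_t` does not go negative; it reports the first case as the underflow warning mentioned above.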