Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A use-after-free vulnerability has been identified in the Linux kernel's RDMA/iwcm component. The issue arises while connection management (CM) identifiers are being destroyed: work objects associated with a CM ID can still be accessed after they have been freed. The vulnerability was introduced by a commit that changed how CM ID resources are managed, allowing event handler work to reference a CM ID private object that was already in the process of being destroyed. A subsequent commit attempted to address this by flushing pending works before destruction, but one use-after-free scenario remained: when the last reference to a CM ID is dropped from within an event handler work, the work object that is still executing is freed while in use.
Exploitation results in a use-after-free memory corruption condition; such a condition can potentially be used to manipulate kernel memory, leading to arbitrary code execution or a denial of service.
The vulnerability can be reproduced by running the blktests test case 'nvme/061' with the RDMA transport and the SIW driver. This test case triggers the event handler work that mismanages the CM ID references, producing the use-after-free condition.