Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:* (and 4 further affected CPEs not listed here)
A vulnerability exists in the Linux kernel's SMB client implementation, specifically in the 'smbd_destroy' function of the SMB Direct (RDMA) transport. The function may tear down connection memory before all pending post-send credit work has completed. If the RDMA (Remote Direct Memory Access) layer then processes a receive buffer after the associated queue pair has already been destroyed, that work touches freed memory, giving a potential use-after-free.
The vulnerability can cause a use-after-free condition, where memory is accessed after it has been freed, potentially leading to arbitrary code execution or memory corruption.
The vulnerability can be reproduced by establishing an SMB Direct connection using the CIFS (Common Internet File System) client. Once the connection is active, the RDMA queue pair can be destroyed while there is still pending post-send credit work. This can be done by manually triggering the 'ib_drain_qp' function, which drains the queue pair and causes the 'post_send_credits_work' to be queued for execution. If the 'smbd_destroy' function is called before the queued work is processed, the vulnerability will be triggered.
Users can update to the latest version of the Linux kernel where this vulnerability has been addressed. Instructions for updating the kernel can be found in the official Linux documentation.