Linux Kernel RDMA/rxe Race Condition Vulnerability in Task Management

Vulnerability

A race condition vulnerability has been identified in the Linux kernel's RDMA/rxe component, specifically in the task management function 'do_task()'. The defect arises when 'do_task()' exhausts its iteration budget and reschedules the task without first checking the task's current state. That unchecked reschedule can overwrite the 'TASK_STATE_DRAINING' status set by a concurrent cleanup function, and the resulting race can lead to a use-after-free. The bug was introduced when the component moved from tasklets to workqueues and this piece of state handling was lost in the transition. The vulnerability affects the Linux kernel stable tree.

Impact

Exploitation of this vulnerability can lead to a race condition that causes a use-after-free error, potentially allowing for memory corruption or other unintended behavior in the system.

Reproduction

The vulnerability can be reproduced by driving 'do_task()' to its iteration limit so that it takes the lock at the same moment another function, such as 'rxe_cleanup_task()' or 'rxe_disable_task()', is draining the task. In that window 'do_task()' reschedules the task even though it is draining, which triggers the race condition.

Remediation

The vulnerability has been addressed by restoring the original behavior prior to the migration to workqueues. The fix involves adding a check to ensure that if the task is in the 'TASK_STATE_DRAINING' state when the iteration limit is reached, it will continue processing until the task has fully drained before rescheduling.
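To make the rescheduling decision concrete, the following user-space model contrasts the unchecked reschedule with the restored state check. It is an added illustration, not the kernel's rxe_task.c: the state names are taken from this page, while 'model_do_task', 'model_drain', the struct fields and the iteration budget are simplifications assumed for the example, and the drain is injected deterministically rather than by a real concurrent thread.

```c
#include <stdbool.h>
#include <stddef.h>

/* Assumed, simplified set of task states (names taken from this page). */
enum task_state { TASK_STATE_IDLE, TASK_STATE_BUSY,
                  TASK_STATE_DRAINING, TASK_STATE_DRAINED };

struct model_task {
    enum task_state state;
    int work_left;    /* constructed: work items the handler still owns */
    int rescheduled;  /* how many times the task was put back on the queue */
};

#define ITER_BUDGET 2 /* constructed iteration budget for one handler run */

/* Stands in for the concurrent cleanup/disable path marking the task. */
static void model_drain(struct model_task *t)
{
    if (t->state == TASK_STATE_BUSY)
        t->state = TASK_STATE_DRAINING;
}

/* One handler run. `race` injects the drain exactly when the budget is
 * exhausted (the window described above); `fixed` selects the restored
 * check. Returns the state the handler leaves behind. */
static enum task_state model_do_task(struct model_task *t, bool fixed, bool race)
{
    int iterations = ITER_BUDGET;

    t->state = TASK_STATE_BUSY;
    while (t->work_left > 0) {
        t->work_left--;
        if (--iterations == 0) {
            if (race)
                model_drain(t);
            /* Fixed path: a draining task is never re-queued; it keeps
             * running until its work is gone, so the budget no longer
             * limits it (iterations goes negative and never hits 0). */
            if (fixed && t->state == TASK_STATE_DRAINING)
                continue;
            /* Unchecked path: whatever cleanup wrote into `state` is
             * overwritten and the task is re-queued with work pending. */
            t->state = TASK_STATE_IDLE;
            t->rescheduled++;
            return t->state;
        }
    }
    t->state = (t->state == TASK_STATE_DRAINING) ? TASK_STATE_DRAINED
                                                  : TASK_STATE_IDLE;
    return t->state;
}
```

With the drain injected, the unchecked path returns the task to the idle queue with work still pending and the draining status gone, while the checked path runs the remaining work and ends in the drained state.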

Added: Oct 28, 2025, 12:43 PM
Updated: Oct 28, 2025, 12:43 PM

Vulnerability Rating

Custom Algorithm

  spread          9.0
  impact          2.5
  exploitability  5.3
  remediation     7.7
  relevance       0.8
  threat          4.8
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.