Linux Kernel PREEMPT_RT Devmap Race Condition Vulnerability

Vulnerability

A race condition vulnerability has been identified in the Linux kernel's PREEMPT_RT configuration, specifically within the devmap handling of the XDP (Express Data Path) framework. This vulnerability arises because the per-CPU XDP bulk queue can be accessed simultaneously by multiple preemptible tasks on the same CPU. The issue stems from the incorrect assumption that the functions 'bq_enqueue()' and '__dev_flush()' would execute atomically on the same CPU. The reliance on 'local_bh_disable()' to prevent preemption is flawed in the PREEMPT_RT context, where it does not effectively disable preemption, allowing task interruptions that can lead to concurrent modifications of shared data. As a result, several race conditions can occur, including double-free or use-after-free errors, corruption of queue management data, and improper handling of frame transmission during device teardown operations.

Impact

Exploitation of this vulnerability can lead to memory management errors such as double-free or use-after-free conditions, where the same memory is freed multiple times or accessed after being released, respectively. Such conditions can cause memory corruption, potentially leading to arbitrary code execution or other severe consequences.

Reproduction

To reproduce this vulnerability, initiate multiple preemptible tasks on the same CPU in a PREEMPT_RT kernel environment. These tasks should concurrently invoke 'bq_enqueue()' and '__dev_flush()' on the same per-CPU XDP bulk queue. The lack of proper preemption control will allow the tasks to interfere with each other, creating the race conditions described.

Remediation

The vulnerability has been addressed by adding a local lock to the XDP bulk queue structure and modifying the 'bq_enqueue()' and '__dev_flush()' functions to acquire this lock. This change ensures that access to the bulk queue is serialized, preventing concurrent modifications that could lead to race conditions. Users should upgrade to the patched version of the Linux kernel where this fix is applied.
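The race described under Vulnerability and the serialization described under Remediation, as an added example: a single-threaded userspace model, not kernel code and not the actual patch. The names `struct bulk_queue`, `locked`, `waiter` and `run_scenario`, the sizes, and the use of a boolean flag in place of the kernel's local lock are assumptions of this sketch; preemption is simulated by a hook inside the flush loop so the interleaving is deterministic, and the scenario starts with task A's frames 0..3 already filling the queue.

```c
#include <stdbool.h>
enum { BULK = 4, NFRAMES = 6 };  /* constructed sizes for this model */
struct bulk_queue {
    int q[BULK];
    unsigned count;
    bool locked;         /* models the lock the fix adds to the queue */
    int waiter;          /* frame of the task blocked on the lock, -1 if none */
    int sent[NFRAMES];   /* times each frame was transmitted (and freed) */
};
static bool use_lock, preempt_armed;  /* armed: task B preempts task A once */
static void bq_enqueue(struct bulk_queue *bq, int frame);

static void bq_xmit_all(struct bulk_queue *bq) {
    for (unsigned i = 0, cnt = bq->count; i < cnt; i++) {
        bq->sent[bq->q[i]]++;
        if (preempt_armed) {          /* simulated preemption in mid-flush */
            preempt_armed = false;
            bq_enqueue(bq, 5);        /* task B: same CPU, same queue */
        }
    }
    bq->count = 0;
}

static void bq_enqueue(struct bulk_queue *bq, int frame) {
    if (use_lock && bq->locked) {     /* B blocks until A unlocks */
        bq->waiter = frame;
        return;
    }
    bq->locked = true;
    if (bq->count == BULK)
        bq_xmit_all(bq);
    bq->q[bq->count++] = frame;
    bq->locked = false;
}

int run_scenario(bool with_lock) {    /* returns frames not sent exactly once */
    struct bulk_queue bq = { .q = {0, 1, 2, 3}, .count = BULK, .waiter = -1 };
    int bad = 0;
    use_lock = with_lock;
    preempt_armed = true;
    bq_enqueue(&bq, 4);               /* A flushes; B preempts with frame 5 */
    if (bq.waiter >= 0)
        bq_enqueue(&bq, bq.waiter);   /* lock released: blocked B runs */
    bq_xmit_all(&bq);                 /* final flush, as __dev_flush() would */
    for (int f = 0; f < NFRAMES; f++) bad += (bq.sent[f] != 1);
    return bad;
}

int main(void) { return run_scenario(true); }  /* exit 0: every frame sent once */
```

Without the lock the model transmits frames 0..3 twice and loses frame 5, so `run_scenario(false)` returns 5; with the lock every frame is transmitted exactly once and `run_scenario(true)` returns 0.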

Added: Mar 25, 2026, 1:16 PM
Updated: Mar 25, 2026, 1:16 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 7.5
exploitability: 3.9
remediation: 7.7
relevance: 4.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.