Linux Kernel RDMA/irdma Free QP Completion Initialization Vulnerability

Vulnerability

A vulnerability exists in the Linux kernel's RDMA/irdma component, specifically within the 'irdma_create_qp' function. When the 'ib_copy_to_udata' call fails, 'irdma_destroy_qp' is called to clean up. However, this cleanup path waits on the 'free_qp' completion, which has not yet been initialized at that point. This issue affects several versions of the Linux kernel.

Impact

The vulnerability can lead to a use-after-free condition, where the 'irdma_destroy_qp' function tries to access the 'free_qp' completion before it has been properly initialized. This can cause undefined behavior, potentially leading to memory corruption or other serious issues.

Reproduction

To reproduce this vulnerability, create a queue pair (QP) using the 'irdma_create_qp' function. If the 'ib_copy_to_udata' function fails, the 'irdma_destroy_qp' function will be called. This function will attempt to wait on the 'free_qp' completion, which has not been initialized, leading to a use-after-free condition.

Remediation

The vulnerability has been fixed by initializing the 'free_qp' completion before the 'ib_copy_to_udata' call. Users should upgrade to the latest version of the Linux kernel where this fix has been applied.
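
The ordering problem and its fix can be seen in a small user-space model. This is an added example, not the kernel's irdma source: every model_ name, the marker value, the reference-count behavior, and the 0xA5 fill standing in for an uninitialized completion are assumptions made for illustration.

```c
/* User-space model of the init-ordering bug; model_ names are hypothetical. */
#include <stdbool.h>
#include <string.h>

#define COMPLETION_READY 0x434f4d50u /* constructed marker set by init */
#define QP_OK          0
#define QP_ERR_CLEAN  (-1) /* copy failed, teardown waited on a valid completion */
#define QP_ERR_UNINIT (-2) /* copy failed, teardown waited on an uninitialised one */

struct model_completion { unsigned int state; unsigned int done; };
struct model_qp { struct model_completion free_qp; int refcnt; };

static void model_init_completion(struct model_completion *c)
{
    c->state = COMPLETION_READY;
    c->done = 0;
}

/* True only if the completion was initialised and has been signalled. */
static bool model_wait_for_completion(const struct model_completion *c)
{
    return c->state == COMPLETION_READY && c->done > 0;
}

/* Cleanup path in this model: drop the last reference (signals free_qp), then wait. */
static int model_destroy_qp(struct model_qp *qp)
{
    if (--qp->refcnt == 0)
        qp->free_qp.done++;
    return model_wait_for_completion(&qp->free_qp) ? QP_ERR_CLEAN : QP_ERR_UNINIT;
}

/* init_early == false is the ordering the advisory describes as vulnerable. */
int model_create_qp(bool copy_fails, bool init_early)
{
    struct model_qp qp;

    memset(&qp, 0xA5, sizeof(qp));          /* stand-in for uninitialised state */
    qp.refcnt = 1;
    if (init_early)
        model_init_completion(&qp.free_qp); /* fixed: before the copy */
    if (copy_fails)                         /* models ib_copy_to_udata failing */
        return model_destroy_qp(&qp);
    if (!init_early)
        model_init_completion(&qp.free_qp); /* vulnerable: only after the copy */
    return QP_OK;
}

int main(void) { return model_create_qp(true, true) == QP_ERR_CLEAN ? 0 : 1; }
```

Only the combination of a failed copy and late initialization reaches the wait with an uninitialized completion, so the error path has to be exercised when checking whether a given kernel build carries the fix.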

Added: Apr 22, 2026, 3:06 PM
Updated: Apr 22, 2026, 3:06 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 6.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.