Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A double free vulnerability has been identified in the Linux kernel's RDMA/irdma component, specifically in the re-registration of user memory regions. The issue arises when the IB_MR_REREG_TRANS flag is set during re-registration: the existing user memory (umem) is released and a new one is allocated. If any later step of the re-registration fails after the new umem has been allocated, the new umem is released but the memory region's umem pointer is not cleared. The failure is propagated to the user, who then correctly calls the deregistration function; deregistration finds a non-NULL umem pointer and releases it again, leading to a double free.
Exploitation of this vulnerability causes a double free condition, which can lead to memory corruption and potentially allow for arbitrary code execution.
To reproduce this vulnerability, set the IB_MR_REREG_TRANS flag during the re-registration of a user memory region in the RDMA/irdma component. If the re-registration fails after the new umem is allocated, the failure is propagated to the user, who then calls the deregistration function. Deregistration sees a non-NULL umem pointer and attempts to release it again, causing a double free condition.
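The failure sequence described in the two paragraphs above, as an added C model that is not the kernel's own irdma code: `umem_get`, `umem_release`, `rereg_trans`, `dereg` and `run_sequence` are hypothetical stand-ins for the real functions, and the "fixed" variant clears `mr->umem` after releasing it, which is the defensive pattern that prevents the second free. The release routine counts a repeated release instead of touching a real allocator, so the buggy path can be exercised safely.

```c
/* Model of the irdma IB_MR_REREG_TRANS error path: a failure after the new
 * umem is allocated must leave mr->umem NULL, or a later dereg frees it again. */
#include <stdbool.h>
#include <stddef.h>

/* Stand-ins for ib_umem / the driver's mr struct (not the kernel's layouts). */
struct umem { bool in_use; bool released; };
struct mr   { struct umem *umem; };

#define POOL_SIZE 16
static struct umem pool[POOL_SIZE];  /* fixed pool: no real malloc/free, so no UAF */
static int double_frees;             /* counted instead of corrupting the heap */

static struct umem *umem_get(void)
{
    for (int i = 0; i < POOL_SIZE; i++)
        if (!pool[i].in_use) {
            pool[i].in_use = true;
            pool[i].released = false;
            return &pool[i];
        }
    return NULL;
}

static void umem_release(struct umem *u)
{
    if (u->released) { double_frees++; return; }  /* a real kernel would double free here */
    u->released = true;
}

/* fail_after_alloc simulates a later setup step failing once the new umem exists. */
static int rereg_trans(struct mr *mr, bool fail_after_alloc, bool fixed)
{
    if (mr->umem) umem_release(mr->umem);  /* IB_MR_REREG_TRANS: drop the old umem */
    mr->umem = umem_get();
    if (!mr->umem) return -1;
    if (fail_after_alloc) {
        umem_release(mr->umem);            /* unwind the new umem ... */
        if (fixed) mr->umem = NULL;        /* ... and clear the dangling pointer (the fix) */
        return -1;                         /* error propagates to userspace */
    }
    return 0;
}

static void dereg(struct mr *mr)
{
    if (mr->umem) { umem_release(mr->umem); mr->umem = NULL; }
}

/* Runs one rereg-fails-then-dereg sequence; returns how many double frees occurred. */
int run_sequence(bool fixed)
{
    struct mr mr = { .umem = umem_get() };
    double_frees = 0;
    (void)rereg_trans(&mr, true, fixed);   /* fails; userspace sees the error */
    dereg(&mr);                            /* userspace correctly deregisters */
    return double_frees;
}
```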
The vulnerability has been fixed in the Linux kernel. Users should upgrade to the latest version that includes the fix.