Linux Kernel RDMA/umem Double dma_buf_unpin Vulnerability

Vulnerability

A vulnerability in the Linux kernel's RDMA/umem component can lead to a dma_buf being unpinned twice, which may cause memory management issues. It affects stable Linux kernel versions that include the problematic RDMA/umem handling of dma_bufs. The issue is in the function 'ib_umem_dmabuf_get_pinned_with_dma_device()', where the mapping of pages can fail. When this happens, the dma_buf is unpinned, but the corresponding 'pinned' flag remains set. Consequently, when 'ib_umem_release()' is called, it finds the flag still set and unpins the dma_buf a second time.

Impact

Triggering this vulnerability unpins a dma_buf twice, which is improper memory management and can lead to memory corruption or other undefined behavior in the kernel.

Reproduction

To reproduce this vulnerability, use a Linux kernel version that includes the vulnerable RDMA/umem code. The vulnerability can be triggered by pinning a dma_buf through the RDMA/umem interface and then causing the 'ib_umem_dmabuf_map_pages()' call to fail. This failure will unpin the dma_buf while leaving the 'pinned' flag set. When 'ib_umem_release()' is subsequently called, it will attempt to unpin the dma_buf again, creating a double unpin scenario.
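
The sequence described in the Vulnerability and Reproduction sections can be followed in a small user-space model. This is an added example, not kernel source and not the code of the fixing commit: the struct and function names are hypothetical, and clearing the flag in the error path is an assumed way of keeping the flag and the pin in step.

```c
/* User-space model of the pin accounting; constructed, not kernel source. */
#include <stdbool.h>
#include <stdio.h>

struct model_buf  { int pins; int unbalanced; };        /* hypothetical */
struct model_umem { struct model_buf *buf; bool pinned; };

static void model_unpin(struct model_buf *b)
{
    if (b->pins == 0)
        b->unbalanced++;        /* unpin with no pin held: the bug's signature */
    else
        b->pins--;
}

/* Stands in for ib_umem_release(): trusts the 'pinned' flag. */
static void model_release(struct model_umem *u)
{
    if (u->pinned)
        model_unpin(u->buf);
    u->pinned = false;
}

/* Stands in for the get-pinned path when ib_umem_dmabuf_map_pages() fails.
 * sync_flag=false models the flawed error path; true keeps flag and pin in step. */
int unbalanced_unpins(bool sync_flag)
{
    struct model_buf b = { 0, 0 };
    struct model_umem u = { &b, false };

    b.pins++;                   /* pin succeeds */
    u.pinned = true;
    model_unpin(&b);            /* mapping failed: error path drops the pin */
    if (sync_flag)
        u.pinned = false;       /* record that the pin is already gone */
    model_release(&u);          /* cleanup then runs the release path */
    return b.unbalanced;
}

int main(void)
{
    printf("flawed=%d synced=%d\n", unbalanced_unpins(false), unbalanced_unpins(true));
    return 0;
}
```

The counter in `model_unpin()` marks the point where an unpin arrives with no pin held, which is the state the release path reaches when the flag is stale.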

Remediation

Users can upgrade to the latest stable version of the Linux kernel where this vulnerability has been addressed. The specific commit that fixes this issue is '104016eb671e19709721c1b0048dd912dc2e96be', which is included in the official Linux kernel repositories.

Added: May 6, 2026, 5:19 PM
Updated: May 6, 2026, 5:19 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 1.3
exploitability: 4.3
remediation: 7.7
relevance: 7.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.