In the Linux kernel, the following vulnerability has been resolved:
RDMA/rxe: Fix seg fault in rxe_comp_queue_pkt
In rxe_comp_queue_pkt() an incoming response packet skb is enqueued to the
resp_pkts queue and then a decision is made whether to run the completer
task inline or schedule it. Finally the skb is dereferenced to bump a ‘hw’
performance counter. This is wrong because if the completer task is
already running in a separate thread it may have already processed the skb
and freed it, making the later dereference a use-after-free which can cause
a seg fault. This has been observed
infrequently in testing at high scale.
This patch fixes this by deferring the enqueuing of the packet until
after the counter is accessed.
[
{
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"product": "Linux",
"versions": [
{
"status": "affected",
"version": "0b1e5b99a48b",
"lessThan": "faa8d0ecf6c9",
"versionType": "git"
},
{
"status": "affected",
"version": "0b1e5b99a48b",
"lessThan": "21b4c6d4d890",
"versionType": "git"
},
{
"status": "affected",
"version": "0b1e5b99a48b",
"lessThan": "bbad88f111a1",
"versionType": "git"
},
{
"status": "affected",
"version": "0b1e5b99a48b",
"lessThan": "30df4bef8b8e",
"versionType": "git"
},
{
"status": "affected",
"version": "0b1e5b99a48b",
"lessThan": "2b23b6097303",
"versionType": "git"
}
],
"programFiles": [
"drivers/infiniband/sw/rxe/rxe_comp.c"
],
"defaultStatus": "unaffected"
},
{
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"product": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"status": "unaffected",
"version": "0",
"lessThan": "4.12",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "6.1.93",
"versionType": "custom",
"lessThanOrEqual": "6.1.*"
},
{
"status": "unaffected",
"version": "6.6.33",
"versionType": "custom",
"lessThanOrEqual": "6.6.*"
},
{
"status": "unaffected",
"version": "6.8.12",
"versionType": "custom",
"lessThanOrEqual": "6.8.*"
},
{
"status": "unaffected",
"version": "6.9.3",
"versionType": "custom",
"lessThanOrEqual": "6.9.*"
},
{
"status": "unaffected",
"version": "6.10",
"versionType": "original_commit_for_fix",
"lessThanOrEqual": "*"
}
],
"programFiles": [
"drivers/infiniband/sw/rxe/rxe_comp.c"
],
"defaultStatus": "affected"
}
]
git.kernel.org/stable/c/21b4c6d4d89030fd4657a8e7c8110fd941049794
git.kernel.org/stable/c/2b23b6097303ed0ba5f4bc036a1c07b6027af5c6
git.kernel.org/stable/c/30df4bef8b8e183333e9b6e9d4509d552c7da6eb
git.kernel.org/stable/c/bbad88f111a1829f366c189aa48e7e58e57553fc
git.kernel.org/stable/c/faa8d0ecf6c9c7c2ace3ca3e552180ada6f75e19