From bippy-851b3ed3d212 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman To: Reply-to: , Subject: CVE-2021-47026: RDMA/rtrs-clt: destroy sysfs after removing session from active list Description =========== In the Linux kernel, the following vulnerability has been resolved: RDMA/rtrs-clt: destroy sysfs after removing session from active list A session can be removed dynamically by sysfs interface "remove_path" that eventually calls rtrs_clt_remove_path_from_sysfs function. The current rtrs_clt_remove_path_from_sysfs first removes the sysfs interfaces and frees sess->stats object. Second it removes the session from the active list. Therefore some functions could access non-connected session and access the freed sess->stats object even-if they check the session status before accessing the session. For instance rtrs_clt_request and get_next_path_min_inflight check the session status and try to send IO to the session. The session status could be changed when they are trying to send IO but they could not catch the change and update the statistics information in sess->stats object, and generate use-after-free problem. (see: "RDMA/rtrs-clt: Check state of the rtrs_clt_sess before reading its stats") This patch changes the rtrs_clt_remove_path_from_sysfs to remove the session from the active session list and then destroy the sysfs interfaces. Each function still should check the session status because closing or error recovery paths can change the status. The Linux kernel CVE team has assigned CVE-2021-47026 to this issue. Affected and fixed versions =========================== Issue introduced in 5.8 with commit 6a98d71daea1 and fixed in 5.10.37 with commit b64415c6b347 Issue introduced in 5.8 with commit 6a98d71daea1 and fixed in 5.11.21 with commit 676171f9405d Issue introduced in 5.8 with commit 6a98d71daea1 and fixed in 5.12.4 with commit d3cca8067d43 Issue introduced in 5.8 with commit 6a98d71daea1 and fixed in 5.13 with commit 7f4a8592ff29 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2021-47026 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/infiniband/ulp/rtrs/rtrs-clt.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/b64415c6b3476cf9fa4d0aea3807065b8403a937 https://git.kernel.org/stable/c/676171f9405dcaa45a33d18241c32f387dbaae39 https://git.kernel.org/stable/c/d3cca8067d43dfee4a3535c645b55f618708dccb https://git.kernel.org/stable/c/7f4a8592ff29f19c5a2ca549d0973821319afaad