Overview
About vulnerability
In the Linux kernel, the following vulnerability has been resolved:
RDMA/rxe: Fix BUG: KASAN: null-ptr-deref in rxe_qp_do_cleanup
The function rxe_create_qp calls rxe_qp_from_init. If some error occurs, the error handler of function rxe_qp_from_init will set both scq and rcq to NULL.
Then rxe_create_qp calls rxe_put to handle qp. In the end, rxe_qp_do_cleanup is called by rxe_put. rxe_qp_do_cleanup directly accesses scq and rcq before checking them. This will cause a null-ptr-deref error.
The call graph is as below:
rxe_create_qp {
  ...
  rxe_qp_from_init {
    ...
    err1:
      ...
      qp->rcq = NULL;    <-- rcq is set to NULL
      qp->scq = NULL;    <-- scq is set to NULL
      ...
  }

qp_init:
  rxe_put {
    ...
    rxe_qp_do_cleanup {
      ...
      atomic_dec(&qp->scq->num_wq);    <-- scq is accessed
      ...
      atomic_dec(&qp->rcq->num_wq);    <-- rcq is accessed
    }
  }
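The failure sequence above, reproduced as an added user-space model written for this page (it is not kernel code and not part of the advisory): an init routine that clears scq and rcq on its error path, a put routine that runs cleanup on the last reference, and the cleanup in both the unchecked form the commit describes and a checked form. The checked form is the assumed shape of the fix (a NULL test before each decrement); the kernel's actual patch is not reproduced here. struct cq, struct qp, qp_from_init, qp_put, create_qp and the fail flag are simplified stand-ins for the rxe objects and functions named in the commit message.

```c
#include <stdatomic.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins for struct rxe_cq / struct rxe_qp (assumed shapes):
 * only the fields the commit message talks about are modelled. */
struct cq { atomic_int num_wq; };
struct qp { struct cq *scq; struct cq *rcq; atomic_int refcnt; };

/* Model of rxe_qp_from_init. 'fail' simulates an error in a later init
 * step. The error path clears rcq and scq, as the commit message
 * describes; on success each CQ records the new work queue. */
static int qp_from_init(struct qp *qp, struct cq *scq, struct cq *rcq, int fail)
{
    qp->scq = scq;
    qp->rcq = rcq;
    if (fail) {
        /* err1: */
        qp->rcq = NULL;
        qp->scq = NULL;
        return -1;
    }
    atomic_fetch_add(&scq->num_wq, 1);
    atomic_fetch_add(&rcq->num_wq, 1);
    return 0;
}

/* Cleanup as the commit describes the buggy version: scq and rcq are
 * dereferenced unconditionally, so a qp whose init failed crashes here.
 * Kept for comparison; the model below never calls it with NULL fields. */
void qp_do_cleanup_unchecked(struct qp *qp)
{
    atomic_fetch_sub(&qp->scq->num_wq, 1);
    atomic_fetch_sub(&qp->rcq->num_wq, 1);
}

/* Checked cleanup (assumed shape of the fix): only touch a CQ that is
 * still attached. Returns how many counters it decremented. */
static int qp_do_cleanup_checked(struct qp *qp)
{
    int n = 0;
    if (qp->scq) { atomic_fetch_sub(&qp->scq->num_wq, 1); n++; }
    if (qp->rcq) { atomic_fetch_sub(&qp->rcq->num_wq, 1); n++; }
    return n;
}

/* Model of rxe_put: drop one reference, run cleanup on the last one.
 * Returns the cleanup result, or -1 if the object is still referenced. */
static int qp_put(struct qp *qp)
{
    if (atomic_fetch_sub(&qp->refcnt, 1) == 1)
        return qp_do_cleanup_checked(qp);
    return -1;
}

/* Model of rxe_create_qp: on init failure the qp is released via qp_put,
 * which is exactly the path that reaches the NULL scq/rcq pointers. */
static int create_qp(struct qp *qp, struct cq *scq, struct cq *rcq, int fail)
{
    int err;

    atomic_init(&qp->refcnt, 1);
    err = qp_from_init(qp, scq, rcq, fail);
    if (err) {
        qp_put(qp);   /* cleanup runs with scq == rcq == NULL */
        return err;
    }
    return 0;
}

int main(void)
{
    struct cq scq = { 0 }, rcq = { 0 };
    struct qp qp;

    /* Failing init: the checked cleanup returns cleanly; the unchecked
     * one would dereference NULL at this point. */
    printf("failed create_qp -> %d, num_wq %d/%d\n",
           create_qp(&qp, &scq, &rcq, 1),
           atomic_load(&scq.num_wq), atomic_load(&rcq.num_wq));

    /* Successful init and teardown: both counters go 1 -> 0. */
    create_qp(&qp, &scq, &rcq, 0);
    qp_put(&qp);
    printf("after teardown num_wq %d/%d\n",
           atomic_load(&scq.num_wq), atomic_load(&rcq.num_wq));
    return 0;
}
```

The point to carry over to real code: once an error path has cleared a pointer but the object still goes through the normal release path, every field the release path touches has to tolerate the cleared state, not just the fields the error path happened to undo.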
Details
- Affected product:
- AlmaLinux 9.2 ESU, CentOS 8.4 ELS, CentOS 8.5 ELS, CentOS Stream 8 ELS, TuxCare 9.6 ESU
- Affected packages:
- kernel @ 4.18.0 (+4 more)