In the Linux kernel, the following vulnerability has been resolved:
RDMA/mlx5: Fix implicit ODP use after free
Prevent double queueing of implicit ODP mr destroy work by using __xa_cmpxchg() to make sure this is the only time we are destroying this specific mr.
Without this change, we could try to invalidate this mr twice, which in turn could result in queuing a MR work destroy twice, and eventually the second work could execute after the MR was freed due to the first work, causing a use after free and trace below.
refcount_t: underflow; use-after-free.
WARNING: CPU: 2 PID: 12178 at lib/refcount.c:28 refcount_warn_saturate+0x12b/0x130
Modules linked in: bonding ib_ipoib vfio_pci ip_gre geneve nf_tables ip6_gre gre ip6_tunnel tunnel6 ipip tunnel4 ib_umad rdma_ucm mlx5_vfio_pci vfio_pci_core vfio_iommu_type1 mlx5_ib vfio ib_uverbs mlx5_core iptable_raw openvswitch nsh rpcrdma ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm ib_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay zram zsmalloc fuse [last unloaded: ib_uverbs]
CPU: 2 PID: 12178 Comm: kworker/u20:5 Not tainted 6.5.0-rc1_net_next_mlx5_58c644e #1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
Workqueue: events_unbound free_implicit_child_mr_work [mlx5_ib]
RIP: 0010:refcount_warn_saturate+0x12b/0x130
Code: 48 c7 c7 38 95 2a 82 c6 05 bc c6 fe 00 01 e8 0c 66 aa ff 0f 0b 5b c3 48 c7 c7 e0 94 2a 82 c6 05 a7 c6 fe 00 01 e8 f5 65 aa ff <0f> 0b 5b c3 90 8b 07 3d 00 00 00 c0 74 12 83 f8 01 74 13 8d 50 ff
RSP: 0018:ffff8881008e3e40 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000027
RDX: ffff88852c91b5c8 RSI: 0000000000000001 RDI: ffff88852c91b5c0
RBP: ffff8881dacd4e00 R08: 00000000ffffffff R09: 0000000000000019
R10: 000000000000072e R11: 0000000063666572 R12: ffff88812bfd9e00
R13: ffff8881c792d200 R14: ffff88810011c005 R15: ffff8881002099c0
FS:  0000000000000000(0000) GS:ffff88852c900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f5694b5e000 CR3: 00000001153f6003 CR4: 0000000000370ea0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 ? refcount_warn_saturate+0x12b/0x130
 free_implicit_child_mr_work+0x180/0x1b0 [mlx5_ib]
 process_one_work+0x1cc/0x3c0
 worker_thread+0x218/0x3c0
 kthread+0xc6/0xf0
 ret_from_fork+0x1f/0x30
 </TASK>
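The fix described above relies on a compare-and-exchange "claim" so that only one of two racing invalidations hands the child MR to its destroy work. The following user-space model, added here as an illustration and not code from the kernel commit or the mlx5 driver, reproduces the failure mode and the fix side by side: a small atomic slot table stands in for the child-MR xarray, a pending array stands in for the workqueue, and `refs`/`freed` stand in for `refcount_t` and the freed object. All names (`invalidate_naive`, `invalidate_claimed`, `simulate`, `queued_destroy_count`) are hypothetical; the kernel's `__xa_cmpxchg()` is modelled with C11 `atomic_compare_exchange_strong`.

```c
#include <stdatomic.h>
#include <stddef.h>
#include <stdio.h>

#define NSLOTS   4   /* size of the hypothetical index table (stands in for the xarray) */
#define MAX_WORK 8   /* capacity of the hypothetical workqueue */

/* A child memory region; refs stands in for the kernel's refcount_t. */
struct mr {
    int refs;
    int freed;
};

static _Atomic(struct mr *) slots[NSLOTS]; /* constructed stand-in for the child-MR xarray */
static struct mr *pending[MAX_WORK];       /* destroy work queued but not yet executed */
static int npending;
static int queued_total;                   /* how many times destroy work was queued */
static int underflows;                     /* decrements on an already-freed mr: the UAF symptom */

static void queue_destroy_work(struct mr *mr)
{
    if (npending < MAX_WORK)
        pending[npending++] = mr;
    queued_total++;
}

/* Destroy work body: drop the last reference and free the mr. */
static void destroy_work_fn(struct mr *mr)
{
    if (mr->freed) {        /* a second work item touching freed memory: refcount underflow */
        underflows++;
        return;
    }
    if (--mr->refs == 0)
        mr->freed = 1;
}

/* Buggy shape: a plain load followed by an unconditional queue. */
static void invalidate_naive(int index)
{
    struct mr *mr = atomic_load(&slots[index]);
    if (mr)
        queue_destroy_work(mr); /* a racing second invalidation queues it again */
}

/* Fixed shape: cmpxchg(slot, mr, NULL) succeeds for exactly one caller,
 * so only that caller may queue the destroy work. */
static void invalidate_claimed(int index)
{
    struct mr *expected = atomic_load(&slots[index]);
    if (!expected)
        return;
    if (!atomic_compare_exchange_strong(&slots[index], &expected, (struct mr *)NULL))
        return;                 /* lost the race: the other caller owns destruction */
    queue_destroy_work(expected);
}

static void run_pending_work(void)
{
    for (int i = 0; i < npending; i++)
        destroy_work_fn(pending[i]);
    npending = 0;
}

/* Two invalidations of the same index arrive before the work runs, then the
 * workqueue drains. Returns the number of decrements on freed memory. */
int simulate(int use_claim)
{
    static struct mr child;
    child.refs = 1;
    child.freed = 0;
    for (int i = 0; i < NSLOTS; i++)
        atomic_store(&slots[i], (struct mr *)NULL);
    atomic_store(&slots[1], &child);
    npending = queued_total = underflows = 0;

    if (use_claim) {
        invalidate_claimed(1);
        invalidate_claimed(1);
    } else {
        invalidate_naive(1);
        invalidate_naive(1);
    }
    run_pending_work();
    return underflows;
}

/* Number of destroy work items queued during the last simulate() call. */
int queued_destroy_count(void)
{
    return queued_total;
}

int main(void)
{
    int u = simulate(0);
    printf("naive:   underflows=%d queued=%d\n", u, queued_destroy_count());
    u = simulate(1);
    printf("claimed: underflows=%d queued=%d\n", u, queued_destroy_count());
    return 0;
}
```

The naive path queues the destroy work twice and the second item decrements a freed object, which is the `refcount_t: underflow; use-after-free` condition the trace reports from `free_implicit_child_mr_work`; the claimed path queues it exactly once because the second caller's compare-and-exchange fails on the already-cleared slot.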