{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-18T18:16:56.360","vulnerabilities":[{"cve":{"id":"CVE-2021-47391","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2024-05-21T15:15:24.480","lastModified":"2025-09-23T20:16:11.397","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/cma: Ensure rdma_addr_cancel() happens before issuing more requests\n\nThe FSM can run in a circle allowing rdma_resolve_ip() to be called twice\non the same id_priv. While this cannot happen without going through the\nwork, it violates the invariant that the same address resolution\nbackground request cannot be active twice.\n\n       CPU 1                                  CPU 2\n\nrdma_resolve_addr():\n  RDMA_CM_IDLE -> RDMA_CM_ADDR_QUERY\n  rdma_resolve_ip(addr_handler)  #1\n\n\t\t\t process_one_req(): for #1\n                          addr_handler():\n                            RDMA_CM_ADDR_QUERY -> RDMA_CM_ADDR_BOUND\n                            mutex_unlock(&id_priv->handler_mutex);\n                            [.. handler still running ..]\n\nrdma_resolve_addr():\n  RDMA_CM_ADDR_BOUND -> RDMA_CM_ADDR_QUERY\n  rdma_resolve_ip(addr_handler)\n    !! two requests are now on the req_list\n\nrdma_destroy_id():\n destroy_id_handler_unlock():\n  _destroy_id():\n   cma_cancel_operation():\n    rdma_addr_cancel()\n\n                          // process_one_req() self removes it\n\t\t          spin_lock_bh(&lock);\n                           cancel_delayed_work(&req->work);\n\t                   if (!list_empty(&req->list)) == true\n\n      ! rdma_addr_cancel() returns after process_on_req #1 is done\n\n   kfree(id_priv)\n\n\t\t\t process_one_req(): for #2\n                          addr_handler():\n\t                    mutex_lock(&id_priv->handler_mutex);\n                            !! Use after free on id_priv\n\nrdma_addr_cancel() expects there to be one req on the list and only\ncancels the first one. The self-removal behavior of the work only happens\nafter the handler has returned. This yields a situations where the\nreq_list can have two reqs for the same \"handle\" but rdma_addr_cancel()\nonly cancels the first one.\n\nThe second req remains active beyond rdma_destroy_id() and will\nuse-after-free id_priv once it inevitably triggers.\n\nFix this by remembering if the id_priv has called rdma_resolve_ip() and\nalways cancel before calling it again. This ensures the req_list never\ngets more than one item in it and doesn't cost anything in the normal flow\nthat never uses this strange error path."},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: RDMA/cma: asegúrese de que rdma_addr_cancel() ocurra antes de emitir más solicitudes. El FSM puede ejecutarse en un círculo permitiendo llamar a rdma_resolve_ip() dos veces en el mismo id_priv. Si bien esto no puede suceder sin realizar el trabajo, viola la invariante de que la misma solicitud en segundo plano de resolución de dirección no puede estar activa dos veces. CPU 1 CPU 2 rdma_resolve_addr(): RDMA_CM_IDLE -&gt; RDMA_CM_ADDR_QUERY rdma_resolve_ip(addr_handler) #1 process_one_req(): para #1 addr_handler(): RDMA_CM_ADDR_QUERY -&gt; RDMA_CM_ADDR_BOUND mutex_unlock(&amp;id_priv-&gt;handler_mutex); [.. el controlador sigue ejecutándose...] rdma_resolve_addr(): RDMA_CM_ADDR_BOUND -&gt; RDMA_CM_ADDR_QUERY rdma_resolve_ip(addr_handler)!! ahora hay dos solicitudes en la lista de solicitudes rdma_destroy_id(): destroy_id_handler_unlock(): _destroy_id(): cma_cancel_operation(): rdma_addr_cancel() // Process_one_req() lo elimina automáticamente spin_lock_bh(&amp;lock); cancel_delayed_work(&amp;req-&gt;trabajo); if (!list_empty(&amp;req-&gt;list)) == verdadero! rdma_addr_cancel() regresa después de que se realiza el proceso_on_req #1 kfree(id_priv) Process_one_req(): para #2 addr_handler(): mutex_lock(&amp;id_priv-&gt;handler_mutex); !! El use after free en id_priv rdma_addr_cancel() espera que haya una solicitud en la lista y solo cancela la primera. El comportamiento de autoeliminación del trabajo sólo ocurre después de que el manipulador ha regresado. Esto genera situaciones en las que req_list puede tener dos solicitudes para el mismo \"identificador\" pero rdma_addr_cancel() solo cancela la primera. El segundo requisito permanece activo más allá de rdma_destroy_id() y usará id_priv después de liberarlo una vez que inevitablemente se active. Solucione este problema recordando si id_priv ha llamado a rdma_resolve_ip() y cancele siempre antes de volver a llamarlo. Esto garantiza que req_list nunca obtenga más de un elemento y no cueste nada en el flujo normal que nunca utiliza esta extraña ruta de error."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.18","versionEndExcluding":"5.10.188","matchCriteriaId":"8ACFCEF2-6D39-4FF1-9B0F-DC8A974E6121"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11","versionEndExcluding":"5.14.10","matchCriteriaId":"1A437B0D-8305-4C72-B691-D26986A126CF"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.15:rc1:*:*:*:*:*:*","matchCriteriaId":"E46C74C6-B76B-4C94-A6A4-FD2FFF62D644"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.15:rc2:*:*:*:*:*:*","matchCriteriaId":"60134C3A-06E4-48C1-B04F-2903732A4E56"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.15:rc3:*:*:*:*:*:*","matchCriteriaId":"0460DA88-8FE1-46A2-9DDA-1F1ABA552E71"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/03d884671572af8bcfbc9e63944c1021efce7589","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/305d568b72f17f674155a2a8275f865f207b3808","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/9a085fa9b7d644a234465091e038c1911e1a4f2a","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/03d884671572af8bcfbc9e63944c1021efce7589","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/305d568b72f17f674155a2a8275f865f207b3808","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/9a085fa9b7d644a234465091e038c1911e1a4f2a","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]}]}}]}