CVE-2021-47026

Severity CVSS v4.0: Pending analysis
Type: CWE-416 Use After Free
Publication date: 28/02/2024
Last modified: 09/01/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

RDMA/rtrs-clt: destroy sysfs after removing session from active list

A session can be removed dynamically by sysfs interface "remove_path" that eventually calls rtrs_clt_remove_path_from_sysfs function. The current rtrs_clt_remove_path_from_sysfs first removes the sysfs interfaces and frees sess->stats object. Second it removes the session from the active list.

Therefore some functions could access non-connected session and access the freed sess->stats object even if they check the session status before accessing the session.

For instance rtrs_clt_request and get_next_path_min_inflight check the session status and try to send IO to the session. The session status could be changed when they are trying to send IO but they could not catch the change and update the statistics information in sess->stats object, and generate use-after-free problem.
(see: "RDMA/rtrs-clt: Check state of the rtrs_clt_sess before reading its stats")

This patch changes the rtrs_clt_remove_path_from_sysfs to remove the session from the active session list and then destroy the sysfs interfaces.

Each function still should check the session status because closing or error recovery paths can change the status.
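The teardown ordering described above, as an added user-space model that is not the kernel's rtrs-clt code: it runs an IO submitter in the window between the two teardown steps and reports whether that submitter would touch freed statistics. All struct, field and function names are hypothetical, and a NULL pointer stands in for freed memory so the model stays well-defined.

```c
/* User-space model of the teardown ordering; names are hypothetical,
 * not taken from the kernel source. */
#include <stdio.h>
#include <stdlib.h>

struct stats { long inflight; };
struct sess {
    int connected;        /* session status checked by the IO path */
    int on_active_list;   /* 1 while the IO path can still find the session */
    struct stats *stats;  /* NULL after free (model stand-in for freed memory) */
};

/* IO path: finds the session on the active list, checks its status, then
 * updates statistics. Returns 1 if it would have touched freed stats. */
static int io_path(struct sess *s)
{
    if (!s->on_active_list || !s->connected)
        return 0;         /* session not reachable or not usable */
    if (!s->stats)
        return 1;         /* status check passed, stats already freed */
    s->stats->inflight++;
    return 0;
}

/* Models the sysfs removal step, which also frees the stats object. */
static void destroy_sysfs(struct sess *s) { free(s->stats); s->stats = NULL; }

static void unlink_from_active(struct sess *s) { s->on_active_list = 0; }

/* Tear down one session with io_path() running between the two steps.
 * fixed_order = 0: sysfs/stats first (old); 1: unlink first (patched). */
int teardown_races(int fixed_order)
{
    struct sess s = { 1, 1, calloc(1, sizeof(struct stats)) };
    int stale;

    if (fixed_order) unlink_from_active(&s); else destroy_sysfs(&s);
    stale = io_path(&s);  /* concurrent submitter in the window */
    if (fixed_order) destroy_sysfs(&s); else unlink_from_active(&s);
    return stale;
}

int main(void)
{
    printf("old order, stale stats access: %d\n", teardown_races(0));
    printf("new order, stale stats access: %d\n", teardown_races(1));
    return 0;
}
```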

Vulnerable products and versions

CPE | From | Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.8 (including) | 5.10.37 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.11.21 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.12 (including) | 5.12.4 (excluding)