CVE-2021-47026 in Linux
Summary
by MITRE • 02/28/2024
In the Linux kernel, the following vulnerability has been resolved:
RDMA/rtrs-clt: destroy sysfs after removing session from active list
A session can be removed dynamically by sysfs interface "remove_path" that eventually calls rtrs_clt_remove_path_from_sysfs function. The current rtrs_clt_remove_path_from_sysfs first removes the sysfs interfaces and frees sess->stats object. Second it removes the session from the active list.
Therefore some functions could access non-connected session and access the freed sess->stats object even-if they check the session status before accessing the session.
For instance rtrs_clt_request and get_next_path_min_inflight check the session status and try to send IO to the session. The session status could be changed when they are trying to send IO but they could not catch the change and update the statistics information in sess->stats object, and generate use-after-free problem. (see: "RDMA/rtrs-clt: Check state of the rtrs_clt_sess before reading its stats")
This patch changes the rtrs_clt_remove_path_from_sysfs to remove the session from the active session list and then destroy the sysfs interfaces.
Each function still should check the session status because closing or error recovery paths can change the status.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 06/19/2025
The vulnerability described in CVE-2021-47026 resides within the Linux kernel's RDMA/rtrs-clt subsystem, specifically affecting the remote trusted storage subsystem that enables remote direct memory access operations. This issue represents a classic use-after-free vulnerability that occurs during the dynamic removal of RDMA sessions through the sysfs interface. The problem manifests when the rtrs_clt_remove_path_from_sysfs function executes in an incorrect order, first destroying sysfs interfaces and freeing the session statistics object before removing the session from the active list. This sequence creates a race condition where functions attempting to access session information can reference freed memory, leading to potential system instability or exploitation.
The technical flaw stems from improper synchronization and ordering within the session removal process. When a session is removed via the sysfs "remove_path" interface, the current implementation executes a flawed sequence of operations that violates fundamental memory management principles. Functions such as rtrs_clt_request and get_next_path_min_inflight perform session status checks before attempting IO operations, but these checks occur before the actual session removal from the active list. This creates a window where a session can appear valid to these functions while simultaneously being in the process of destruction, causing access to freed memory structures and subsequent use-after-free conditions.
The operational impact of this vulnerability extends beyond simple memory corruption, potentially enabling privilege escalation or system crashes within the RDMA subsystem. Attackers could exploit this race condition to manipulate session state information, potentially leading to denial of service conditions or unauthorized access to remote storage resources. The vulnerability affects systems utilizing RDMA storage protocols where dynamic session management is employed, particularly in enterprise environments relying on high-performance storage networks. According to CWE classification, this represents a CWE-416 use-after-free vulnerability, while the ATT&CK framework would categorize this under privilege escalation and system compromise techniques through kernel-level vulnerabilities.
The patch implemented addresses this issue by reversing the order of operations within rtrs_clt_remove_path_from_sysfs, ensuring that sessions are removed from the active list before sysfs interfaces are destroyed. This change prevents the race condition where functions could access freed session statistics while the session is still considered valid by other subsystem components. While the patch corrects the immediate ordering issue, it maintains the requirement for functions to continue checking session status as part of their normal operation, since session state changes can occur through multiple pathways including error recovery and normal closing procedures. This approach aligns with proper kernel memory management practices and prevents the exploitation of similar race conditions in related subsystems.