HIGH
rdma DmaBuf Double-Free
CVE-2026-43128
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI 6.1 MEDIUM
01 Description
In the Linux kernel, the following vulnerability has been resolved:

RDMA/umem: Fix double dma_buf_unpin in failure path

In ib_umem_dmabuf_get_pinned_with_dma_device(), the call to ib_umem_dmabuf_map_pages() can fail. If this occurs, the dmabuf is immediately unpinned but the umem_dmabuf->pinned flag is still set. Then, when ib_umem_release() is called, it calls ib_umem_dmabuf_revoke() which will call dma_buf_unpin() again.

Fix this by removing the immediate unpin upon failure and just let the ib_umem_release/revoke path handle it. This also ensures the proper unmap-unpin unwind ordering if the dmabuf_map_pages call happened to fail due to dma_resv_wait_timeout (and therefore has a non-NULL umem_dmabuf->sgt).
02 KernelScan AI Analysis
Risk summary
Local users with access to RDMA devices can trigger a double-unpin condition in the kernel's DMA buffer management, leading to kernel memory corruption and potential crashes. This affects systems with InfiniBand or other RDMA hardware where applications use dmabuf memory regions.
Vulnerability analysis
The vulnerability occurs in the RDMA umem dmabuf implementation where a failure in ib_umem_dmabuf_map_pages() causes an immediate dma_buf_unpin() call while leaving the umem_dmabuf->pinned flag set. When ib_umem_release() is later called during cleanup, it invokes ib_umem_dmabuf_revoke() which calls dma_buf_unpin() again on the same buffer, creating a double-release condition. The fix removes the immediate unpin on failure, allowing the standard release path to handle cleanup properly and maintaining correct unmap-unpin ordering.
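The pin accounting behind this failure path, as an added userspace model (not code from the kernel or from the patch): a pin counter, a `pinned` flag, and a release routine that trusts the flag. Every `model_*` name and `run_failure_path()` is a hypothetical stand-in for the kernel functions named above.

```c
#include <stdbool.h>
#include <stdio.h>
/* Userspace model only: every model_* name is hypothetical, not kernel code. */
struct model_dmabuf { int pin_count; int unbalanced_unpins; };
struct model_umem { struct model_dmabuf *buf; bool pinned; };

static void model_unpin(struct model_dmabuf *b)
{
    if (b->pin_count == 0)
        b->unbalanced_unpins++;     /* unpin with no matching pin */
    else
        b->pin_count--;
}

/* Stand-in for the release/revoke path: unpins whenever the flag is set. */
static void model_release(struct model_umem *u)
{
    if (u->pinned)
        model_unpin(u->buf);
    u->pinned = false;
}

/* Stand-in for the pinned-get path with a map step that can fail. */
static int model_get_pinned(struct model_umem *u, bool map_fails, bool pre_fix)
{
    u->buf->pin_count++;            /* pin the buffer */
    u->pinned = true;
    if (map_fails) {
        if (pre_fix)
            model_unpin(u->buf);    /* immediate unpin, flag left set */
        return -1;                  /* cleanup is left to model_release() */
    }
    return 0;
}

/* One failed acquisition followed by release; returns unbalanced unpins. */
int run_failure_path(bool pre_fix)
{
    struct model_dmabuf buf = { 0, 0 };
    struct model_umem u = { &buf, false };
    if (model_get_pinned(&u, true, pre_fix) != 0)
        model_release(&u);
    return buf.unbalanced_unpins;
}

int main(void)
{
    printf("pre-fix: %d, post-fix: %d unbalanced unpin(s)\n",
           run_failure_path(true), run_failure_path(false));
    return 0;
}
```

With the immediate unpin removed, the flag and the counter stay in step and the release routine is the only place that drops the pin.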
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.1 | 6.1.165 | 70542b69abff |
| 6.12 | 6.12.75 | ba3bf0f1bf1d |
| 6.18 | 6.18.16 | d3e32e2f3262 |
| 6.19 | 6.19.6 | 40126bcbefa7 |
| 6.6 | 6.6.128 | b324327ff6f4 |
| mainline | 7.0 | 104016eb671e |