CVE-2022-50775

Vulnerability

Description

In the Linux kernel's RDMA subsystem for Hisilicon network adapters (hns_roce), the function hns_roce_mmap calls rdma_user_mmap_entry_get_pgoff() which increments the reference count of an mmap entry. However, the driver fails to call the corresponding rdma_user_mmap_entry_put() to release that reference when the mapping is no longer needed. This creates a reference count leak [1].

Exploitation

An attacker with no special privileges beyond the ability to trigger the affected code path. The vulnerability is present in the memory mapping operations of the RDMA/hns driver, which can be invoked by userspace RDMA applications. No authentication is required beyond normal user access to RDMA devices.

Impact

An attacker who repeatedly triggers the vulnerable code path can cause the reference count of mmap entries to increase indefinitely. This prevents the kernel from freeing those entries, leading to a memory leak. Over time, this can exhaust system memory, resulting in denial of service (DoS) conditions.

Mitigation

The fix was applied in the Linux kernel stable tree with commit fa87cf2e7568 [1]. Users should update their kernel to include this patch or any subsequent version that contains it. No workaround is available other than applying the patch.