CVE-2020-36385: 
Linux Kernel vulnerability analysis and mitigation

A use-after-free vulnerability was discovered in the Linux kernel before version 5.10, specifically in drivers/infiniband/core/ucma.c. The vulnerability (CVE-2020-36385) occurs because the ctx is reached via the ctxlist in certain ucmamigrateid situations where ucmaclose is called (NVD, MITRE). The issue was discovered and reported in September 2020.

The vulnerability stems from a race condition in the RDMA userspace connection manager implementation. The issue occurs when ucmadestroyid() assumes that all things accessing the ctx will do so via the xarray. This assumption is violated when the file descriptor is being closed, as the ctx is then reached via the ctxlist. While this is normally acceptable since ucmadestroyid() cannot run concurrently with release(), the situation becomes problematic when ucmamigrate_id() is involved, as the close of the second file descriptor can run concurrently with destroy on the first (Kernel Commit). The vulnerability has a CVSS v3.1 score of 7.8 (HIGH) (NetApp Advisory)

Successful exploitation of this vulnerability could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). The vulnerability allows an attacker to potentially execute arbitrary code through a use-after-free condition (NetApp Advisory)

The vulnerability was fixed in Linux kernel version 5.10 through a patch that reworked ucmamigrateid() to avoid races with destroy operations. The fix involves modifying ctx->file under both the handler and xalock, and verifying that the ID is still reachable from curfile before modification (Kernel Commit). Users are advised to upgrade to kernel version 5.10 or later to address this vulnerability.