CVE-2021-47378 Overview
A use-after-free vulnerability exists in the Linux kernel's NVMe-RDMA (Non-Volatile Memory Express over Remote Direct Memory Access) subsystem. The flaw occurs due to improper ordering of resource destruction during RDMA connection establishment error handling. Specifically, the queue pair (QP) is destroyed before the connection manager identifier (cm_id), which can result in CMA (Connection Manager Abstraction) events being received after the QP has already been freed, leading to a use-after-free condition.
Critical Impact
This vulnerability allows network-based attackers to potentially trigger memory corruption through improper resource lifecycle management in the NVMe-RDMA driver, which could lead to system compromise or denial of service.
Affected Products
- Linux Kernel versions prior to patched releases
- Linux Kernel 5.15-rc1
- Systems utilizing NVMe-RDMA storage connectivity
Discovery Timeline
- 2024-05-21 - CVE CVE-2021-47378 published to NVD
- 2025-04-02 - Last updated in NVD database
Technical Details for CVE-2021-47378
Vulnerability Analysis
This use-after-free vulnerability (CWE-416) resides in the Linux kernel's NVMe-RDMA driver, which handles high-performance storage access over RDMA networks. The core issue stems from an incorrect sequence of resource destruction during connection error handling.
In the RDMA connection establishment process, two key resources are involved: the connection manager identifier (cm_id) and the queue pair (qp). The cm_id manages connection events, while the qp handles the actual data transfer operations. When a connection error occurs, the original code path would destroy the qp in the connection manager event handler before the cm_id was destroyed.
This ordering creates a race condition window where CMA events can still be delivered to the destroyed qp, causing the kernel to access freed memory. An attacker with network access could potentially manipulate RDMA connection timing to trigger this condition, leading to memory corruption that could be exploited for code execution or system destabilization.
Root Cause
The root cause is improper resource lifecycle management in the nvme_rdma_alloc_queue() function's error handling path. The code destroys the queue pair (qp) within the connection manager event handler during error scenarios, but the cm_id continues to exist and can still receive events that reference the already-freed qp. The correct behavior requires destroying the cm_id first to ensure no further events are delivered, then destroying the qp.
Attack Vector
The vulnerability is exploitable over the network, requiring no authentication or user interaction. An attacker targeting systems with NVMe-RDMA enabled could:
- Initiate RDMA connection requests to the target system
- Manipulate connection establishment timing to induce error conditions
- Trigger the race condition between cm_id event delivery and qp destruction
- Exploit the use-after-free to corrupt kernel memory structures
The fix ensures that error reporting is passed to the upper layer, and the qp destruction is deferred until after the cm_id is properly destroyed in nvme_rdma_alloc_queue().
Detection Methods for CVE-2021-47378
Indicators of Compromise
- Unexpected kernel panics or oops messages referencing NVMe-RDMA or RDMA CM functions
- Kernel log entries showing memory corruption in nvme_rdma module components
- System instability on servers utilizing NVMe-over-Fabrics with RDMA transport
- Unusual RDMA connection establishment failures or resets
Detection Strategies
- Monitor kernel logs for use-after-free warnings related to nvme_rdma or rdma_cm subsystems
- Deploy kernel address sanitizer (KASAN) in development environments to detect memory access violations
- Implement network monitoring for anomalous RDMA connection patterns targeting NVMe-RDMA ports
- Review system crash dumps for call traces involving nvme_rdma_alloc_queue or CM event handlers
Monitoring Recommendations
- Enable enhanced kernel logging for RDMA and NVMe subsystems
- Configure alerting on kernel oops or panic events on systems with NVMe-RDMA enabled
- Monitor RDMA connection metrics for unusual error rates or connection establishment failures
- Implement file integrity monitoring on kernel modules related to NVMe-RDMA
How to Mitigate CVE-2021-47378
Immediate Actions Required
- Update the Linux kernel to a patched version containing the fix commits
- Consider disabling NVMe-RDMA functionality on critical systems until patches can be applied
- Restrict network access to RDMA-capable interfaces to trusted hosts only
- Implement network segmentation to isolate RDMA traffic from untrusted networks
Patch Information
The Linux kernel maintainers have released patches that address this vulnerability by reordering resource destruction. The fix ensures that cm_id is destroyed before qp to prevent receiving CMA events after the queue pair has been freed. The patches are available in the stable kernel trees:
Workarounds
- Disable NVMe-RDMA transport by unloading the nvme_rdma kernel module if not required for operations
- Implement firewall rules to block RDMA traffic from untrusted networks
- Use alternative NVMe-oF transports such as TCP where RDMA is not essential
- Apply network ACLs to restrict RDMA connection establishment to authorized systems only
# Temporarily disable nvme-rdma module
modprobe -r nvme_rdma
# Blacklist the module to prevent automatic loading
echo "blacklist nvme_rdma" >> /etc/modprobe.d/blacklist-nvme-rdma.conf
# Verify module is not loaded
lsmod | grep nvme_rdma
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
