Detections
Analytics

Unity Linux 20.1070e Security Update: kernel (UTSA-2025-987546)

high Nessus Plugin ID 270965

Synopsis

The Unity Linux host is missing one or more security updates.

Description

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2025-987546 advisory.

 In the Linux kernel, the following vulnerability has been resolved:

 RDMA/cma: Ensure rdma_addr_cancel() happens before issuing more requests

 The FSM can run in a circle allowing rdma_resolve_ip() to be called twice on the same id_priv. While this cannot happen without going through the work, it violates the invariant that the same address resolution background request cannot be active twice.

 CPU 1 CPU 2

 rdma_resolve_addr():
 RDMA_CM_IDLE -> RDMA_CM_ADDR_QUERY rdma_resolve_ip(addr_handler) #1

 process_one_req(): for #1 addr_handler():
 RDMA_CM_ADDR_QUERY -> RDMA_CM_ADDR_BOUND mutex_unlock(&id_priv->handler_mutex);
 [.. handler still running ..]

 rdma_resolve_addr():
 RDMA_CM_ADDR_BOUND -> RDMA_CM_ADDR_QUERY rdma_resolve_ip(addr_handler) !! two requests are now on the req_list

 rdma_destroy_id():
 destroy_id_handler_unlock():
 _destroy_id():
 cma_cancel_operation():
 rdma_addr_cancel()

 // process_one_req() self removes it spin_lock_bh(&lock);
 cancel_delayed_work(&req->work);
 if (!list_empty(&req->list)) == true

 ! rdma_addr_cancel() returns after process_on_req #1 is done

 kfree(id_priv)

 process_one_req(): for #2 addr_handler():
 mutex_lock(&id_priv->handler_mutex);
 !! Use after free on id_priv

 rdma_addr_cancel() expects there to be one req on the list and only cancels the first one. The self-removal behavior of the work only happens after the handler has returned. This yields a situations where the req_list can have two reqs for the same handle but rdma_addr_cancel() only cancels the first one.

 The second req remains active beyond rdma_destroy_id() and will use-after-free id_priv once it inevitably triggers.

 Fix this by remembering if the id_priv has called rdma_resolve_ip() and always cancel before calling it again. This ensures the req_list never gets more than one item in it and doesn't cost anything in the normal flow that never uses this strange error path.

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected kernel package.

See Also

http://www.nessus.org/u?ee075998

http://www.nessus.org/u?0dce6b50

https://nvd.nist.gov/vuln/detail/CVE-2021-47391

Plugin Details

Severity: High

ID: 270965

File Name: unity_linux_UTSA-2025-987546.nasl

Version: 1.1

Type: local

Published: 10/21/2025

Updated: 10/21/2025

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2021-47391

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/UOS-Server/release, Host/UOS-Server/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 10/15/2025

Vulnerability Publication Date: 9/4/2021

Reference Information

CVE: CVE-2021-47391