CVE-2025-38211
published 2025-07-04CVE-2025-38211: In the Linux kernel, the following vulnerability has been resolved: RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction The commit…
high7.8CVSS 3.1
AVLACLPRLUINSUCHIHAH
In the Linux kernel, the following vulnerability has been resolved:
RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction
The commit 59c68ac31e15 ("iw_cm: free cm_id resources on the last
deref") simplified cm_id resource management by freeing cm_id once all
references to the cm_id were removed. The references are removed either
upon completion of iw_cm event handlers or when the application destroys
the cm_id. This commit introduced the use-after-free condition where
cm_id_private object could still be in use by event handler works during
the destruction of cm_id. The commit aee2424246f9 ("RDMA/iwcm: Fix a
use-after-free related to destroying CM IDs") addressed this use-after-
free by flushing all pending works at the cm_id destruction.
However, still another use-after-free possibility remained. It happens
with the work objects allocated for each cm_id_priv within
alloc_work_entries() during cm_id creation, and subsequently freed in
dealloc_work_entries() once all references to the cm_id are removed.
If the cm_id's last reference is decremented in the event handler work,
the work object for the work itself gets removed, and causes the use-
after-free BUG below:
BUG: KASAN: slab-use-after-free in __pwq_activate_work+0x1ff/0x250
Read of size 8 at addr ffff88811f9cf800 by task kworker/u16:1/147091
CPU: 2 UID: 0 PID: 147091 Comm: kworker/u16:1 Not tainted 6.15.0-rc2+ #27 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014
Workqueue: 0x0 (iw_cm_wq)
Call Trace:
dump_stack_lvl+0x6a/0x90
print_report+0x174/0x554
? __virt_addr_valid+0x208/0x430
? __pwq_activate_work+0x1ff/0x250
kasan_report+0xae/0x170
? __pwq_activate_work+0x1ff/0x250
__pwq_activate_work+0x1ff/0x250
pwq_dec_nr_in_flight+0x8c5/0xfb0
process_one_work+0xc11/0x1460
? __pfx_process_one_work+0x10/0x10
? assign_work+0x16c/0x240
worker_thread+0x5ef/0xfd0
? __pfx_worker_thread+0x10/0x10
kthread+0x3b0/0x770
? __pfx_kthread+0x10/0x10
? rcu_is_wa
Affected
35 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | linux | < linux 6.1.147-1 (bookworm) | linux 6.1.147-1 (bookworm) |
| debian | linux-6.1 | < linux 6.1.147-1 (bookworm) | linux 6.1.147-1 (bookworm) |
| linux | linux | — | — |
| linux | linux | >= 59c68ac31e15ad09d2cb04734e3c8c544a95f8d4 < 013dcdf6f03bcedbaf1669e3db71c34a197715b2 | 013dcdf6f03bcedbaf1669e3db71c34a197715b2 |
| linux | linux | >= 59c68ac31e15ad09d2cb04734e3c8c544a95f8d4 < bf7eff5e3a36c54bbe8aff7fd6dd7c07490b81c5 | bf7eff5e3a36c54bbe8aff7fd6dd7c07490b81c5 |
| linux | linux | >= 59c68ac31e15ad09d2cb04734e3c8c544a95f8d4 < 3b4a50d733acad6831f6bd9288a76a80f70650ac | 3b4a50d733acad6831f6bd9288a76a80f70650ac |
| linux | linux | >= 59c68ac31e15ad09d2cb04734e3c8c544a95f8d4 < 78381dc8a6b61c9bb9987d37b4d671b99767c4a1 | 78381dc8a6b61c9bb9987d37b4d671b99767c4a1 |
| linux | linux | >= 59c68ac31e15ad09d2cb04734e3c8c544a95f8d4 < 23a707bbcbea468eedb398832eeb7e8e0ceafd21 | 23a707bbcbea468eedb398832eeb7e8e0ceafd21 |
| linux | linux | >= 59c68ac31e15ad09d2cb04734e3c8c544a95f8d4 < 764c9f69beabef8bdc651a7746c59f7a340d104f | 764c9f69beabef8bdc651a7746c59f7a340d104f |
| linux | linux | >= 59c68ac31e15ad09d2cb04734e3c8c544a95f8d4 < fd960b5ddf4faf00da43babdd3acda68842e1f6a | fd960b5ddf4faf00da43babdd3acda68842e1f6a |
| linux | linux | >= 59c68ac31e15ad09d2cb04734e3c8c544a95f8d4 < 6883b680e703c6b2efddb4e7a8d891ce1803d06b | 6883b680e703c6b2efddb4e7a8d891ce1803d06b |
| linux | linux_kernel | >= 0 < 5.10.244-1 | 5.10.244-1 |
| linux | linux_kernel | >= 0 < 6.1.147-1 | 6.1.147-1 |
| linux | linux_kernel | >= 0 < 6.12.35-1 | 6.12.35-1 |
| linux | linux_kernel | >= 0 < 6.12.35-1 | 6.12.35-1 |
| linux | linux_kernel | >= 0 < 5.15.0-156.166 | 5.15.0-156.166 |
| linux | linux_kernel | >= 0 < 6.8.0-100.100 | 6.8.0-100.100 |
| linux | linux_kernel | >= 4.8 < 5.4.296 | 5.4.296 |
| linux | linux_kernel | >= 5.11 < 5.15.186 | 5.15.186 |
| linux | linux_kernel | >= 5.16 < 6.1.142 | 6.1.142 |
| linux | linux_kernel | >= 5.5 < 5.10.240 | 5.10.240 |
| linux | linux_kernel | >= 6.13 < 6.15.4 | 6.15.4 |
| linux | linux_kernel | >= 6.2 < 6.6.95 | 6.6.95 |
| linux | linux_kernel | >= 6.7 < 6.12.35 | 6.12.35 |
CVSS provenance
nvdv3.17.8HIGHCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv7.8HIGH