CVE-2026-45898
published 2026-05-27CVE-2026-45898: In the Linux kernel, the following vulnerability has been resolved: RDMA/iwcm: Fix workqueue list corruption by removing work_list The commit e1168f0…
critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
In the Linux kernel, the following vulnerability has been resolved:
RDMA/iwcm: Fix workqueue list corruption by removing work_list
The commit e1168f0 ("RDMA/iwcm: Simplify cm_event_handler()")
changed the work submission logic to unconditionally call
queue_work() with the expectation that queue_work() would
have no effect if work was already pending. The problem is
that a free list of struct iwcm_work is used (for which
struct work_struct is embedded), so each call to queue_work()
is basically unique and therefore does indeed queue the work.
This causes a problem in the work handler which walks the work_list
until it's empty to process entries. This means that a single
run of the work handler could process item N+1 and release it
back to the free list while the actual workqueue entry is still
queued. It could then get reused (INIT_WORK...) and lead to
list corruption in the workqueue logic.
Fix this by just removing the work_list. The workqueue already
does this for us.
This fixes the following error that was observed when stress
testing with ucmatose on an Intel E830 in iWARP mode:
[ 151.465780] list_del corruption. next->prev should be ffff9f0915c69c08, but was ffff9f0a1116be08. (next=ffff9f0a15b11c08)
[ 151.466639] ------------[ cut here ]------------
[ 151.466986] kernel BUG at lib/list_debug.c:67!
[ 151.467349] Oops: invalid opcode: 0000 [#1] SMP NOPTI
[ 151.467753] CPU: 14 UID: 0 PID: 2306 Comm: kworker/u64:18 Not tainted 6.19.0-rc4+ #1 PREEMPT(voluntary)
[ 151.468466] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 151.469192] Workqueue: 0x0 (iw_cm_wq)
[ 151.469478] RIP: 0010:__list_del_entry_valid_or_report+0xf0/0x100
[ 151.469942] Code: c7 58 5f 4c b2 e8 10 50 aa ff 0f 0b 48 89 ef e8 36 57 cb ff 48 8b 55 08 48 89 e9 48 89 de 48 c7 c7 a8 5f 4c b2 e8 f0 4f aa ff 0b 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 90 90 90 90 90 90
[ 151.471323] RSP: 0000:ffffb15644e7bd68 EFLAGS: 00010046
[ 151.471712] RAX: 00
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linux | linux | — | — |
| linux | linux | >= e1168f09b3314992f1c5251f3793102035da7237 < 38c5b49fffa1b760959af74f11806eeb3ef4706d | 38c5b49fffa1b760959af74f11806eeb3ef4706d |
| linux | linux | >= e1168f09b3314992f1c5251f3793102035da7237 < eb715133e0ae12514bba4d2d5ce1dee774476056 | eb715133e0ae12514bba4d2d5ce1dee774476056 |
| linux | linux | >= e1168f09b3314992f1c5251f3793102035da7237 < a6b9e793e74e372daa266fd0d58b751305877897 | a6b9e793e74e372daa266fd0d58b751305877897 |
| linux | linux | >= e1168f09b3314992f1c5251f3793102035da7237 < 7874eeacfa42177565c01d5198726671acf7adf2 | 7874eeacfa42177565c01d5198726671acf7adf2 |
| linux | linux_kernel | — | — |