CVE-2025-40061

Linux Kernel 6.5-6.6.111, 6.7-6.12.52, 6.13-6.17.2 - Use-After-Free in RDMA/rxe do_task()

Title source: llm
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix race in do_task() when draining When do_task() exhausts its iteration budget (!ret), it sets the state to TASK_STATE_IDLE to reschedule, without a secondary check on the current task->state. This can overwrite the TASK_STATE_DRAINING state set by a concurrent call to rxe_cleanup_task() or rxe_disable_task(). While state changes are protected by a spinlock, both rxe_cleanup_task() and rxe_disable_task() release the lock while waiting for the task to finish draining in the while(!is_done(task)) loop. The race occurs if do_task() hits its iteration limit and acquires the lock in this window. The cleanup logic may then proceed while the task incorrectly reschedules itself, leading to a potential use-after-free. This bug was introduced during the migration from tasklets to workqueues, where the special handling for the draining case was lost. Fix this by restoring the original pre-migration behavior. If the state is TASK_STATE_DRAINING when iterations are exhausted, set cont to 1 to force a new loop iteration. This allows the task to finish its work, so that a subsequent iteration can reach the switch statement and correctly transition the state to TASK_STATE_DRAINED, stopping the task as intended.

Scores

EPSS 0.0018
EPSS Percentile 8.1%

Details

Status published
Products (13)
linux/Kernel 6.13.0 - 6.17.3linux
linux/Kernel 6.5.0 - 6.6.112linux
linux/Kernel 6.7.0 - 6.12.53linux
Linux/Linux < 6.5
Linux/Linux 6.12.53 - 6.12.*
Linux/Linux 6.17.3 - 6.17.*
Linux/Linux 6.18
Linux/Linux 6.5
Linux/Linux 6.6.112 - 6.6.*
Linux/Linux 9b4b7c1f9f54120940e243251e2b1407767b3381 - 52edccfb555142678c836c285bf5b4ec760bd043
... and 3 more
Published Oct 28, 2025
Tracked Since Feb 18, 2026