CVE-2025-40061

Summary

In the Linux kernel, the following vulnerability has been resolved:

RDMA/rxe: Fix race in do_task() when draining

When do_task() exhausts its iteration budget (!ret), it sets the state to TASK_STATE_IDLE to reschedule, without a secondary check on the current task->state. This can overwrite the TASK_STATE_DRAINING state set by a concurrent call to rxe_cleanup_task() or rxe_disable_task().

While state changes are protected by a spinlock, both rxe_cleanup_task() and rxe_disable_task() release the lock while waiting for the task to finish draining in the while(!is_done(task)) loop. The race occurs if do_task() hits its iteration limit and acquires the lock in this window. The cleanup logic may then proceed while the task incorrectly reschedules itself, leading to a potential use-after-free.

This bug was introduced during the migration from tasklets to workqueues, where the special handling for the draining case was lost.

Fix this by restoring the original pre-migration behavior. If the state is TASK_STATE_DRAINING when iterations are exhausted, set cont to 1 to force a new loop iteration. This allows the task to finish its work, so that a subsequent iteration can reach the switch statement and correctly transition the state to TASK_STATE_DRAINED, stopping the task as intended.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux9b4b7c1f9f54120940e243251e2b1407767b3381 < 85288bcf7ffe11e7b036edf91937bc62fd384076affected
LinuxLinux9b4b7c1f9f54120940e243251e2b1407767b3381 < 52edccfb555142678c836c285bf5b4ec760bd043affected
LinuxLinux9b4b7c1f9f54120940e243251e2b1407767b3381 < 660b6959c4170637f5db2279d1f71af33a49e49baffected
LinuxLinux9b4b7c1f9f54120940e243251e2b1407767b3381 < 8ca7eada62fcfabf6ec1dc7468941e791c1d8729affected
LinuxLinux6.5affected
LinuxLinux0 < 6.5unaffected
LinuxLinux6.6.112 <= 6.6.*unaffected
LinuxLinux6.12.53 <= 6.12.*unaffected
LinuxLinux6.17.3 <= 6.17.*unaffected
LinuxLinux6.18 <= *unaffected

Weaknesses

References