CVE-2026-45910
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/rxe: Fix race condition in QP timer handlers
I encontered the following warning: WARNING: drivers/infiniband/sw/rxe/rxe_task.c:249 at rxe_sched_task+0x1c8/0x238 [rdma_rxe], CPU#0: swapper/0/0 … libsha1 [last unloaded: ip6_udp_tunnel] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G C 6.19.0-rc5-64k-v8+ #37 PREEMPT Tainted: [C]=CRAP Hardware name: Raspberry Pi 4 Model B Rev 1.2 Call trace: rxe_sched_task+0x1c8/0x238 [rdma_rxe] (P) retransmit_timer+0x130/0x188 [rdma_rxe] call_timer_fn+0x68/0x4d0 __run_timers+0x630/0x888 … WARNING: drivers/infiniband/sw/rxe/rxe_task.c:38 at rxe_sched_task+0x1c0/0x238 [rdma_rxe], CPU#0: swapper/0/0 … WARNING: drivers/infiniband/sw/rxe/rxe_task.c:111 at do_work+0x488/0x5c8 [rdma_rxe], CPU#3: kworker/u17:4/93400 … refcount_t: underflow; use-after-free. WARNING: lib/refcount.c:28 at refcount_warn_saturate+0x138/0x1a0, CPU#3: kworker/u17:4/93400
The issue is caused by a race condition between retransmit_timer() and rxe_destroy_qp, leading to the Queue Pair's (QP) reference count dropping to zero during timer handler execution.
It seems this warning is harmless because rxe_qp_do_cleanup() will flush all pending timers and requests.
Example of flow causing the issue:
CPU0 CPU1 retransmit_timer() { spin_lock_irqsave rxe_destroy_qp() __rxe_cleanup() __rxe_put() // qp->ref_count decrease to 0 rxe_qp_do_cleanup() { if (qp->valid) { rxe_sched_task() { WARN_ON(rxe_read(task->qp) <= 0); } } spin_unlock_irqrestore } spin_lock_irqsave qp->valid = 0 spin_unlock_irqrestore }
Ensure the QP's reference count is maintained and its validity is checked within the timer callbacks by adding calls to rxe_get(qp) and corresponding rxe_put(qp) after use.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | d94671632572813e90bcf475bb4c7d51fbf20173 < 756c93d6df7c3bc599f6590b8e5afead6a41de1c | affected |
| Linux | Linux | d94671632572813e90bcf475bb4c7d51fbf20173 < 3c2ae79fb19dfd67341c14f1e78a5f1744eacfe2 | affected |
| Linux | Linux | d94671632572813e90bcf475bb4c7d51fbf20173 < 5ae9da022ee3c97e6469eabcddce9271501ddbad | affected |
| Linux | Linux | d94671632572813e90bcf475bb4c7d51fbf20173 < da379ca16af3722f159860d91a99cb6976a7500f | affected |
| Linux | Linux | d94671632572813e90bcf475bb4c7d51fbf20173 < 87bf646921430e303176edc4eb07c30160361b73 | affected |
| Linux | Linux | 6.4 | affected |
| Linux | Linux | 0 < 6.4 | unaffected |
| Linux | Linux | 6.6.128 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.75 <= 6.12.* | unaffected |
| Linux | Linux | 6.18.14 <= 6.18.* | unaffected |
| Linux | Linux | 6.19.4 <= 6.19.* | unaffected |
| Linux | Linux | 7.0 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/756c93d6df7c3bc599f6590b8e5afead6a41de1c
- https://git.kernel.org/stable/c/3c2ae79fb19dfd67341c14f1e78a5f1744eacfe2
- https://git.kernel.org/stable/c/5ae9da022ee3c97e6469eabcddce9271501ddbad
- https://git.kernel.org/stable/c/da379ca16af3722f159860d91a99cb6976a7500f
- https://git.kernel.org/stable/c/87bf646921430e303176edc4eb07c30160361b73
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.