{ "threat_severity" : "Moderate", "public_date" : "2025-07-04T00:00:00Z", "bugzilla" : { "description" : "kernel: RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction", "id" : "2376406", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2376406" }, "cvss3" : { "cvss3_base_score" : "7.3", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", "status" : "verified" }, "cwe" : "CWE-416", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nRDMA/iwcm: Fix use-after-free of work objects after cm_id destruction\nThe commit 59c68ac31e15 (\"iw_cm: free cm_id resources on the last\nderef\") simplified cm_id resource management by freeing cm_id once all\nreferences to the cm_id were removed. The references are removed either\nupon completion of iw_cm event handlers or when the application destroys\nthe cm_id. This commit introduced the use-after-free condition where\ncm_id_private object could still be in use by event handler works during\nthe destruction of cm_id. The commit aee2424246f9 (\"RDMA/iwcm: Fix a\nuse-after-free related to destroying CM IDs\") addressed this use-after-\nfree by flushing all pending works at the cm_id destruction.\nHowever, still another use-after-free possibility remained. It happens\nwith the work objects allocated for each cm_id_priv within\nalloc_work_entries() during cm_id creation, and subsequently freed in\ndealloc_work_entries() once all references to the cm_id are removed.\nIf the cm_id's last reference is decremented in the event handler work,\nthe work object for the work itself gets removed, and causes the use-\nafter-free BUG below:\nBUG: KASAN: slab-use-after-free in __pwq_activate_work+0x1ff/0x250\nRead of size 8 at addr ffff88811f9cf800 by task kworker/u16:1/147091\nCPU: 2 UID: 0 PID: 147091 Comm: kworker/u16:1 Not tainted 6.15.0-rc2+ #27 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014\nWorkqueue: 0x0 (iw_cm_wq)\nCall Trace:\n\ndump_stack_lvl+0x6a/0x90\nprint_report+0x174/0x554\n? __virt_addr_valid+0x208/0x430\n? __pwq_activate_work+0x1ff/0x250\nkasan_report+0xae/0x170\n? __pwq_activate_work+0x1ff/0x250\n__pwq_activate_work+0x1ff/0x250\npwq_dec_nr_in_flight+0x8c5/0xfb0\nprocess_one_work+0xc11/0x1460\n? __pfx_process_one_work+0x10/0x10\n? assign_work+0x16c/0x240\nworker_thread+0x5ef/0xfd0\n? __pfx_worker_thread+0x10/0x10\nkthread+0x3b0/0x770\n? __pfx_kthread+0x10/0x10\n? rcu_is_watching+0x11/0xb0\n? _raw_spin_unlock_irq+0x24/0x50\n? rcu_is_watching+0x11/0xb0\n? __pfx_kthread+0x10/0x10\nret_from_fork+0x30/0x70\n? __pfx_kthread+0x10/0x10\nret_from_fork_asm+0x1a/0x30\n\nAllocated by task 147416:\nkasan_save_stack+0x2c/0x50\nkasan_save_track+0x10/0x30\n__kasan_kmalloc+0xa6/0xb0\nalloc_work_entries+0xa9/0x260 [iw_cm]\niw_cm_connect+0x23/0x4a0 [iw_cm]\nrdma_connect_locked+0xbfd/0x1920 [rdma_cm]\nnvme_rdma_cm_handler+0x8e5/0x1b60 [nvme_rdma]\ncma_cm_event_handler+0xae/0x320 [rdma_cm]\ncma_work_handler+0x106/0x1b0 [rdma_cm]\nprocess_one_work+0x84f/0x1460\nworker_thread+0x5ef/0xfd0\nkthread+0x3b0/0x770\nret_from_fork+0x30/0x70\nret_from_fork_asm+0x1a/0x30\nFreed by task 147091:\nkasan_save_stack+0x2c/0x50\nkasan_save_track+0x10/0x30\nkasan_save_free_info+0x37/0x60\n__kasan_slab_free+0x4b/0x70\nkfree+0x13a/0x4b0\ndealloc_work_entries+0x125/0x1f0 [iw_cm]\niwcm_deref_id+0x6f/0xa0 [iw_cm]\ncm_work_handler+0x136/0x1ba0 [iw_cm]\nprocess_one_work+0x84f/0x1460\nworker_thread+0x5ef/0xfd0\nkthread+0x3b0/0x770\nret_from_fork+0x30/0x70\nret_from_fork_asm+0x1a/0x30\nLast potentially related work creation:\nkasan_save_stack+0x2c/0x50\nkasan_record_aux_stack+0xa3/0xb0\n__queue_work+0x2ff/0x1390\nqueue_work_on+0x67/0xc0\ncm_event_handler+0x46a/0x820 [iw_cm]\nsiw_cm_upcall+0x330/0x650 [siw]\nsiw_cm_work_handler+0x6b9/0x2b20 [siw]\nprocess_one_work+0x84f/0x1460\nworker_thread+0x5ef/0xfd0\nkthread+0x3b0/0x770\nret_from_fork+0x30/0x70\nret_from_fork_asm+0x1a/0x30\nThis BUG is reproducible by repeating the blktests test case nvme/061\nfor the rdma transport and the siw driver.\nTo avoid the use-after-free of cm_id_private work objects, ensure that\nthe last reference to the cm_id is decremented not in the event handler\nworks, but in the cm_id destruction context. For that purpose, mo\n---truncated---" ], "statement" : "A use-after-free occurs when a cm_id's last reference is released from within a work item that still depends on it, resulting in a crash in __pwq_activate_work(). This race condition was reproducible via RDMA/siw transport using repeated execution of blktests nvme/061, demonstrating that deallocation of work entries must not occur from within the active work context. The CVSS Privileges Required (PR:L) rating reflects that RDMA stack access is needed, but not full root privileges, to trigger this memory corruption issue. The vulnerability does not lead to information leakage or data corruption, but results in a use-after-free crash within the kernel's RDMA workqueue processing. Therefore, for the CVSS only availability is impacted and Integrity/Confidentiality are Low (potentially impacted). As the bug causes a kernel panic or crash when triggered, the impact is rated as High on Availability.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 10", "release_date" : "2025-09-02T00:00:00Z", "advisory" : "RHSA-2025:15005", "cpe" : "cpe:/o:redhat:enterprise_linux:10.0", "package" : "kernel-0:6.12.0-55.30.1.el10_0" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2025-09-02T00:00:00Z", "advisory" : "RHSA-2025:15009", "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv", "package" : "kernel-rt-0:4.18.0-553.72.1.rt7.413.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2025-09-02T00:00:00Z", "advisory" : "RHSA-2025:15008", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kernel-0:4.18.0-553.72.1.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date" : "2025-11-18T00:00:00Z", "advisory" : "RHSA-2025:21667", "cpe" : "cpe:/o:redhat:rhel_aus:8.2", "package" : "kernel-0:4.18.0-193.173.1.el8_2" }, { "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date" : "2025-12-04T00:00:00Z", "advisory" : "RHSA-2025:22752", "cpe" : "cpe:/o:redhat:rhel_aus:8.4", "package" : "kernel-0:4.18.0-305.179.1.el8_4" }, { "product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On", "release_date" : "2025-12-04T00:00:00Z", "advisory" : "RHSA-2025:22752", "cpe" : "cpe:/o:redhat:rhel_eus_long_life:8.4", "package" : "kernel-0:4.18.0-305.179.1.el8_4" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date" : "2025-10-15T00:00:00Z", "advisory" : "RHSA-2025:18043", "cpe" : "cpe:/o:redhat:rhel_aus:8.6", "package" : "kernel-0:4.18.0-372.164.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date" : "2025-10-15T00:00:00Z", "advisory" : "RHSA-2025:18043", "cpe" : "cpe:/o:redhat:rhel_tus:8.6", "package" : "kernel-0:4.18.0-372.164.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date" : "2025-10-15T00:00:00Z", "advisory" : "RHSA-2025:18043", "cpe" : "cpe:/o:redhat:rhel_e4s:8.6", "package" : "kernel-0:4.18.0-372.164.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Telecommunications Update Service", "release_date" : "2025-10-08T00:00:00Z", "advisory" : "RHSA-2025:17570", "cpe" : "cpe:/o:redhat:rhel_tus:8.8", "package" : "kernel-0:4.18.0-477.114.1.el8_8" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions", "release_date" : "2025-10-08T00:00:00Z", "advisory" : "RHSA-2025:17570", "cpe" : "cpe:/o:redhat:rhel_e4s:8.8", "package" : "kernel-0:4.18.0-477.114.1.el8_8" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-09-02T00:00:00Z", "advisory" : "RHSA-2025:15011", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-570.39.1.el9_6" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-09-02T00:00:00Z", "advisory" : "RHSA-2025:15011", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-570.39.1.el9_6" }, { "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date" : "2025-10-01T00:00:00Z", "advisory" : "RHSA-2025:17159", "cpe" : "cpe:/a:redhat:rhel_e4s:9.0", "package" : "kernel-0:5.14.0-70.148.1.el9_0" }, { "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date" : "2025-10-01T00:00:00Z", "advisory" : "RHSA-2025:17192", "cpe" : "cpe:/a:redhat:rhel_e4s:9.0::nfv", "package" : "kernel-rt-0:5.14.0-70.148.1.rt21.220.el9_0" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions", "release_date" : "2025-09-11T00:00:00Z", "advisory" : "RHSA-2025:15669", "cpe" : "cpe:/a:redhat:rhel_e4s:9.2", "package" : "kernel-0:5.14.0-284.137.1.el9_2" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions", "release_date" : "2025-09-10T00:00:00Z", "advisory" : "RHSA-2025:15657", "cpe" : "cpe:/a:redhat:rhel_e4s:9.2::nfv", "package" : "kernel-rt-0:5.14.0-284.137.1.rt14.422.el9_2" }, { "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date" : "2025-09-25T00:00:00Z", "advisory" : "RHSA-2025:16669", "cpe" : "cpe:/a:redhat:rhel_eus:9.4", "package" : "kernel-0:5.14.0-427.91.1.el9_4" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-38211\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-38211\nhttps://lore.kernel.org/linux-cve-announce/2025070422-CVE-2025-38211-215a@gregkh/T" ], "name" : "CVE-2025-38211", "mitigation" : { "value" : "To mitigate this issue, prevent InfiniBand modules from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically. The names of the modules are: ib_addr, ib_cm, ib_core, ib_mad, ib_sa, ib_ucm, ib_umad, iw_cm.", "lang" : "en:us" }, "csaw" : false }