Acknowledged
Created: Jul 7, 2025
Updated: Jul 8, 2025
Found In Version: 10.22.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 22
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:EOL][EOL]RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction[EOL][EOL]The commit 59c68ac31e15 ("iw_cm: free cm_id resources on the last[EOL]deref") simplified cm_id resource management by freeing cm_id once all[EOL]references to the cm_id were removed. The references are removed either[EOL]upon completion of iw_cm event handlers or when the application destroys[EOL]the cm_id. This commit introduced the use-after-free condition where[EOL]cm_id_private object could still be in use by event handler works during[EOL]the destruction of cm_id. The commit aee2424246f9 ("RDMA/iwcm: Fix a[EOL]use-after-free related to destroying CM IDs") addressed this use-after-[EOL]free by flushing all pending works at the cm_id destruction.[EOL][EOL]However, still another use-after-free possibility remained. It happens[EOL]with the work objects allocated for each cm_id_priv within[EOL]alloc_work_entries() during cm_id creation, and subsequently freed in[EOL]dealloc_work_entries() once all references to the cm_id are removed.[EOL]If the cm_id's last reference is decremented in the event handler work,[EOL]the work object for the work itself gets removed, and causes the use-[EOL]after-free BUG below:[EOL][EOL] BUG: KASAN: slab-use-after-free in __pwq_activate_work+0x1ff/0x250[EOL] Read of size 8 at addr ffff88811f9cf800 by task kworker/u16:1/147091[EOL][EOL] CPU: 2 UID: 0 PID: 147091 Comm: kworker/u16:1 Not tainted 6.15.0-rc2+ #27 PREEMPT(voluntary)[EOL] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014[EOL] Workqueue: 0x0 (iw_cm_wq)[EOL] Call Trace:[EOL] <TASK>[EOL] dump_stack_lvl+0x6a/0x90[EOL] print_report+0x174/0x554[EOL] ? __virt_addr_valid+0x208/0x430[EOL] ? __pwq_activate_work+0x1ff/0x250[EOL] kasan_report+0xae/0x170[EOL] ? __pwq_activate_work+0x1ff/0x250[EOL] __pwq_activate_work+0x1ff/0x250[EOL] pwq_dec_nr_in_flight+0x8c5/0xfb0[EOL] process_one_work+0xc11/0x1460[EOL] ? __pfx_process_one_work+0x10/0x10[EOL] ? assign_work+0x16c/0x240[EOL] worker_thread+0x5ef/0xfd0[EOL] ? __pfx_worker_thread+0x10/0x10[EOL] kthread+0x3b0/0x770[EOL] ? __pfx_kthread+0x10/0x10[EOL] ? rcu_is_watching+0x11/0xb0[EOL] ? _raw_spin_unlock_irq+0x24/0x50[EOL] ? rcu_is_watching+0x11/0xb0[EOL] ? __pfx_kthread+0x10/0x10[EOL] ret_from_fork+0x30/0x70[EOL] ? __pfx_kthread+0x10/0x10[EOL] ret_from_fork_asm+0x1a/0x30[EOL] </TASK>[EOL][EOL] Allocated by task 147416:[EOL] kasan_save_stack+0x2c/0x50[EOL] kasan_save_track+0x10/0x30[EOL] __kasan_kmalloc+0xa6/0xb0[EOL] alloc_work_entries+0xa9/0x260 [iw_cm][EOL] iw_cm_connect+0x23/0x4a0 [iw_cm][EOL] rdma_connect_locked+0xbfd/0x1920 [rdma_cm][EOL] nvme_rdma_cm_handler+0x8e5/0x1b60 [nvme_rdma][EOL] cma_cm_event_handler+0xae/0x320 [rdma_cm][EOL] cma_work_handler+0x106/0x1b0 [rdma_cm][EOL] process_one_work+0x84f/0x1460[EOL] worker_thread+0x5ef/0xfd0[EOL] kthread+0x3b0/0x770[EOL] ret_from_fork+0x30/0x70[EOL] ret_from_fork_asm+0x1a/0x30[EOL][EOL] Freed by task 147091:[EOL] kasan_save_stack+0x2c/0x50[EOL] kasan_save_track+0x10/0x30[EOL] kasan_save_free_info+0x37/0x60[EOL] __kasan_slab_free+0x4b/0x70[EOL] kfree+0x13a/0x4b0[EOL] dealloc_work_entries+0x125/0x1f0 [iw_cm][EOL] iwcm_deref_id+0x6f/0xa0 [iw_cm][EOL] cm_work_handler+0x136/0x1ba0 [iw_cm][EOL] process_one_work+0x84f/0x1460[EOL] worker_thread+0x5ef/0xfd0[EOL] kthread+0x3b0/0x770[EOL] ret_from_fork+0x30/0x70[EOL] ret_from_fork_asm+0x1a/0x30[EOL][EOL] Last potentially related work creation:[EOL] kasan_save_stack+0x2c/0x50[EOL] kasan_record_aux_stack+0xa3/0xb0[EOL] __queue_work+0x2ff/0x1390[EOL] queue_work_on+0x67/0xc0[EOL] cm_event_handler+0x46a/0x820 [iw_cm][EOL] siw_cm_upcall+0x330/0x650 [siw][EOL] siw_cm_work_handler+0x6b9/0x2b20 [siw][EOL] process_one_work+0x84f/0x1460[EOL] worker_thread+0x5ef/0xfd0[EOL] kthread+0x3b0/0x770[EOL] ret_from_fork+0x30/0x70[EOL] ret_from_fork_asm+0x1a/0x30[EOL][EOL]This BUG is reproducible by repeating the blktests test case nvme/061[EOL]for the rdma transport and the siw driver.[EOL][EOL]To avoid the use-after-free of cm_id_private work objects, ensure that[EOL]the last reference to the cm_id is decremented not in the event handler[EOL]works, but in the cm_id destruction context. For that purpose, mo[EOL]---truncated---
CREATE(Triage):(User=admin) [CVE-2025-38211 (https://nvd.nist.gov/vuln/detail/CVE-2025-38211)
