CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-38211: RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction

Description

In the Linux kernel, the following vulnerability has been resolved:

RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction

The commit 59c68ac31e15 ("iw_cm: free cm_id resources on the last
deref") simplified cm_id resource management by freeing cm_id once all
references to the cm_id were removed. The references are removed either
upon completion of iw_cm event handlers or when the application destroys
the cm_id. This commit introduced the use-after-free condition where
cm_id_private object could still be in use by event handler works during
the destruction of cm_id. The commit aee2424246f9 ("RDMA/iwcm: Fix a
use-after-free related to destroying CM IDs") addressed this use-after-
free by flushing all pending works at the cm_id destruction.

However, still another use-after-free possibility remained. It happens
with the work objects allocated for each cm_id_priv within
alloc_work_entries() during cm_id creation, and subsequently freed in
dealloc_work_entries() once all references to the cm_id are removed.
If the cm_id's last reference is decremented in the event handler work,
the work object for the work itself gets removed, and causes the use-
after-free BUG below:

BUG: KASAN: slab-use-after-free in __pwq_activate_work+0x1ff/0x250
Read of size 8 at addr ffff88811f9cf800 by task kworker/u16:1/147091

CPU: 2 UID: 0 PID: 147091 Comm: kworker/u16:1 Not tainted 6.15.0-rc2+ #27 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIO...

Classification

CVE ID: CVE-2025-38211

Affected Products

Vendor: Linux

Product: Linux

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.03% (probability of being exploited)

EPSS Percentile: 7.52% (scored less or equal to compared to others)

EPSS Date: 2025-07-10 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-38211
https://git.kernel.org/stable/c/3b4a50d733acad6831f6bd9288a76a80f70650ac
https://git.kernel.org/stable/c/78381dc8a6b61c9bb9987d37b4d671b99767c4a1
https://git.kernel.org/stable/c/23a707bbcbea468eedb398832eeb7e8e0ceafd21
https://git.kernel.org/stable/c/764c9f69beabef8bdc651a7746c59f7a340d104f
https://git.kernel.org/stable/c/fd960b5ddf4faf00da43babdd3acda68842e1f6a
https://git.kernel.org/stable/c/6883b680e703c6b2efddb4e7a8d891ce1803d06b

Timeline