{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-38211","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T04:51:23.994Z","datePublished":"2025-07-04T13:37:30.307Z","dateUpdated":"2026-05-11T21:23:24.277Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:23:24.277Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/iwcm: Fix use-after-free of work objects after cm_id destruction\n\nThe commit 59c68ac31e15 (\"iw_cm: free cm_id resources on the last\nderef\") simplified cm_id resource management by freeing cm_id once all\nreferences to the cm_id were removed. The references are removed either\nupon completion of iw_cm event handlers or when the application destroys\nthe cm_id. This commit introduced the use-after-free condition where\ncm_id_private object could still be in use by event handler works during\nthe destruction of cm_id. The commit aee2424246f9 (\"RDMA/iwcm: Fix a\nuse-after-free related to destroying CM IDs\") addressed this use-after-\nfree by flushing all pending works at the cm_id destruction.\n\nHowever, still another use-after-free possibility remained. It happens\nwith the work objects allocated for each cm_id_priv within\nalloc_work_entries() during cm_id creation, and subsequently freed in\ndealloc_work_entries() once all references to the cm_id are removed.\nIf the cm_id's last reference is decremented in the event handler work,\nthe work object for the work itself gets removed, and causes the use-\nafter-free BUG below:\n\n  BUG: KASAN: slab-use-after-free in __pwq_activate_work+0x1ff/0x250\n  Read of size 8 at addr ffff88811f9cf800 by task kworker/u16:1/147091\n\n  CPU: 2 UID: 0 PID: 147091 Comm: kworker/u16:1 Not tainted 6.15.0-rc2+ #27 PREEMPT(voluntary)\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014\n  Workqueue:  0x0 (iw_cm_wq)\n  Call Trace:\n   <TASK>\n   dump_stack_lvl+0x6a/0x90\n   print_report+0x174/0x554\n   ? __virt_addr_valid+0x208/0x430\n   ? __pwq_activate_work+0x1ff/0x250\n   kasan_report+0xae/0x170\n   ? __pwq_activate_work+0x1ff/0x250\n   __pwq_activate_work+0x1ff/0x250\n   pwq_dec_nr_in_flight+0x8c5/0xfb0\n   process_one_work+0xc11/0x1460\n   ? __pfx_process_one_work+0x10/0x10\n   ? assign_work+0x16c/0x240\n   worker_thread+0x5ef/0xfd0\n   ? __pfx_worker_thread+0x10/0x10\n   kthread+0x3b0/0x770\n   ? __pfx_kthread+0x10/0x10\n   ? rcu_is_watching+0x11/0xb0\n   ? _raw_spin_unlock_irq+0x24/0x50\n   ? rcu_is_watching+0x11/0xb0\n   ? __pfx_kthread+0x10/0x10\n   ret_from_fork+0x30/0x70\n   ? __pfx_kthread+0x10/0x10\n   ret_from_fork_asm+0x1a/0x30\n   </TASK>\n\n  Allocated by task 147416:\n   kasan_save_stack+0x2c/0x50\n   kasan_save_track+0x10/0x30\n   __kasan_kmalloc+0xa6/0xb0\n   alloc_work_entries+0xa9/0x260 [iw_cm]\n   iw_cm_connect+0x23/0x4a0 [iw_cm]\n   rdma_connect_locked+0xbfd/0x1920 [rdma_cm]\n   nvme_rdma_cm_handler+0x8e5/0x1b60 [nvme_rdma]\n   cma_cm_event_handler+0xae/0x320 [rdma_cm]\n   cma_work_handler+0x106/0x1b0 [rdma_cm]\n   process_one_work+0x84f/0x1460\n   worker_thread+0x5ef/0xfd0\n   kthread+0x3b0/0x770\n   ret_from_fork+0x30/0x70\n   ret_from_fork_asm+0x1a/0x30\n\n  Freed by task 147091:\n   kasan_save_stack+0x2c/0x50\n   kasan_save_track+0x10/0x30\n   kasan_save_free_info+0x37/0x60\n   __kasan_slab_free+0x4b/0x70\n   kfree+0x13a/0x4b0\n   dealloc_work_entries+0x125/0x1f0 [iw_cm]\n   iwcm_deref_id+0x6f/0xa0 [iw_cm]\n   cm_work_handler+0x136/0x1ba0 [iw_cm]\n   process_one_work+0x84f/0x1460\n   worker_thread+0x5ef/0xfd0\n   kthread+0x3b0/0x770\n   ret_from_fork+0x30/0x70\n   ret_from_fork_asm+0x1a/0x30\n\n  Last potentially related work creation:\n   kasan_save_stack+0x2c/0x50\n   kasan_record_aux_stack+0xa3/0xb0\n   __queue_work+0x2ff/0x1390\n   queue_work_on+0x67/0xc0\n   cm_event_handler+0x46a/0x820 [iw_cm]\n   siw_cm_upcall+0x330/0x650 [siw]\n   siw_cm_work_handler+0x6b9/0x2b20 [siw]\n   process_one_work+0x84f/0x1460\n   worker_thread+0x5ef/0xfd0\n   kthread+0x3b0/0x770\n   ret_from_fork+0x30/0x70\n   ret_from_fork_asm+0x1a/0x30\n\nThis BUG is reproducible by repeating the blktests test case nvme/061\nfor the rdma transport and the siw driver.\n\nTo avoid the use-after-free of cm_id_private work objects, ensure that\nthe last reference to the cm_id is decremented not in the event handler\nworks, but in the cm_id destruction context. For that purpose, mo\n---truncated---"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/infiniband/core/iwcm.c"],"versions":[{"version":"59c68ac31e15ad09d2cb04734e3c8c544a95f8d4","lessThan":"013dcdf6f03bcedbaf1669e3db71c34a197715b2","status":"affected","versionType":"git"},{"version":"59c68ac31e15ad09d2cb04734e3c8c544a95f8d4","lessThan":"bf7eff5e3a36c54bbe8aff7fd6dd7c07490b81c5","status":"affected","versionType":"git"},{"version":"59c68ac31e15ad09d2cb04734e3c8c544a95f8d4","lessThan":"3b4a50d733acad6831f6bd9288a76a80f70650ac","status":"affected","versionType":"git"},{"version":"59c68ac31e15ad09d2cb04734e3c8c544a95f8d4","lessThan":"78381dc8a6b61c9bb9987d37b4d671b99767c4a1","status":"affected","versionType":"git"},{"version":"59c68ac31e15ad09d2cb04734e3c8c544a95f8d4","lessThan":"23a707bbcbea468eedb398832eeb7e8e0ceafd21","status":"affected","versionType":"git"},{"version":"59c68ac31e15ad09d2cb04734e3c8c544a95f8d4","lessThan":"764c9f69beabef8bdc651a7746c59f7a340d104f","status":"affected","versionType":"git"},{"version":"59c68ac31e15ad09d2cb04734e3c8c544a95f8d4","lessThan":"fd960b5ddf4faf00da43babdd3acda68842e1f6a","status":"affected","versionType":"git"},{"version":"59c68ac31e15ad09d2cb04734e3c8c544a95f8d4","lessThan":"6883b680e703c6b2efddb4e7a8d891ce1803d06b","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/infiniband/core/iwcm.c"],"versions":[{"version":"4.8","status":"affected"},{"version":"0","lessThan":"4.8","status":"unaffected","versionType":"semver"},{"version":"5.4.296","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.240","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.186","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.142","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.95","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.35","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.15.4","lessThanOrEqual":"6.15.*","status":"unaffected","versionType":"semver"},{"version":"6.16","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.8","versionEndExcluding":"5.4.296"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.8","versionEndExcluding":"5.10.240"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.8","versionEndExcluding":"5.15.186"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.8","versionEndExcluding":"6.1.142"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.8","versionEndExcluding":"6.6.95"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.8","versionEndExcluding":"6.12.35"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.8","versionEndExcluding":"6.15.4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.8","versionEndExcluding":"6.16"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/013dcdf6f03bcedbaf1669e3db71c34a197715b2"},{"url":"https://git.kernel.org/stable/c/bf7eff5e3a36c54bbe8aff7fd6dd7c07490b81c5"},{"url":"https://git.kernel.org/stable/c/3b4a50d733acad6831f6bd9288a76a80f70650ac"},{"url":"https://git.kernel.org/stable/c/78381dc8a6b61c9bb9987d37b4d671b99767c4a1"},{"url":"https://git.kernel.org/stable/c/23a707bbcbea468eedb398832eeb7e8e0ceafd21"},{"url":"https://git.kernel.org/stable/c/764c9f69beabef8bdc651a7746c59f7a340d104f"},{"url":"https://git.kernel.org/stable/c/fd960b5ddf4faf00da43babdd3acda68842e1f6a"},{"url":"https://git.kernel.org/stable/c/6883b680e703c6b2efddb4e7a8d891ce1803d06b"}],"title":"RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"title":"CVE Program Container","references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"},{"url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T17:35:29.579Z"}}]}}