{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-40012","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T07:20:57.151Z","datePublished":"2025-10-20T15:26:57.214Z","dateUpdated":"2026-05-11T21:40:46.488Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:40:46.488Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: fix warning in smc_rx_splice() when calling get_page()\n\nsmc_lo_register_dmb() allocates DMB buffers with kzalloc(), which are\nlater passed to get_page() in smc_rx_splice(). Since kmalloc memory is\nnot page-backed, this triggers WARN_ON_ONCE() in get_page() and prevents\nholding a refcount on the buffer. This can lead to use-after-free if\nthe memory is released before splice_to_pipe() completes.\n\nUse folio_alloc() instead, ensuring DMBs are page-backed and safe for\nget_page().\n\nWARNING: CPU: 18 PID: 12152 at ./include/linux/mm.h:1330 smc_rx_splice+0xaf8/0xe20 [smc]\nCPU: 18 UID: 0 PID: 12152 Comm: smcapp Kdump: loaded Not tainted 6.17.0-rc3-11705-g9cf4672ecfee #10 NONE\nHardware name: IBM 3931 A01 704 (z/VM 7.4.0)\nKrnl PSW : 0704e00180000000 000793161032696c (smc_rx_splice+0xafc/0xe20 [smc])\n           R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3\nKrnl GPRS: 0000000000000000 001cee80007d3001 00077400000000f8 0000000000000005\n           0000000000000001 001cee80007d3006 0007740000001000 001c000000000000\n           000000009b0c99e0 0000000000001000 001c0000000000f8 001c000000000000\n           000003ffcc6f7c88 0007740003e98000 0007931600000005 000792969b2ff7b8\nKrnl Code: 0007931610326960: af000000\t\tmc\t0,0\n           0007931610326964: a7f4ff43\t\tbrc\t15,00079316103267ea\n          #0007931610326968: af000000\t\tmc\t0,0\n          >000793161032696c: a7f4ff3f\t\tbrc\t15,00079316103267ea\n           0007931610326970: e320f1000004\tlg\t%r2,256(%r15)\n           0007931610326976: c0e53fd1b5f5\tbrasl\t%r14,000793168fd5d560\n           000793161032697c: a7f4fbb5\t\tbrc\t15,00079316103260e6\n           0007931610326980: b904002b\t\tlgr\t%r2,%r11\nCall Trace:\n smc_rx_splice+0xafc/0xe20 [smc]\n smc_rx_splice+0x756/0xe20 [smc])\n smc_rx_recvmsg+0xa74/0xe00 [smc]\n smc_splice_read+0x1ce/0x3b0 [smc]\n sock_splice_read+0xa2/0xf0\n do_splice_read+0x198/0x240\n splice_file_to_pipe+0x7e/0x110\n do_splice+0x59e/0xde0\n __do_splice+0x11a/0x2d0\n __s390x_sys_splice+0x140/0x1f0\n __do_syscall+0x122/0x280\n system_call+0x6e/0x90\nLast Breaking-Event-Address:\nsmc_rx_splice+0x960/0xe20 [smc]\n---[ end trace 0000000000000000 ]---"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/smc/smc_loopback.c"],"versions":[{"version":"f7a22071dbf316c982fb44308874bd7ad9ac2091","lessThan":"14fc4fdae42e34d7ee871b292ac2ecc61c2c5de7","status":"affected","versionType":"git"},{"version":"f7a22071dbf316c982fb44308874bd7ad9ac2091","lessThan":"d5411685dc2f6ac7bdf01a0a204d56cae38c6cf6","status":"affected","versionType":"git"},{"version":"f7a22071dbf316c982fb44308874bd7ad9ac2091","lessThan":"a35c04de2565db191726b5741e6b66a35002c652","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/smc/smc_loopback.c"],"versions":[{"version":"6.10","status":"affected"},{"version":"0","lessThan":"6.10","status":"unaffected","versionType":"semver"},{"version":"6.12.50","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.16.10","lessThanOrEqual":"6.16.*","status":"unaffected","versionType":"semver"},{"version":"6.17","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.10","versionEndExcluding":"6.12.50"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.10","versionEndExcluding":"6.16.10"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.10","versionEndExcluding":"6.17"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/14fc4fdae42e34d7ee871b292ac2ecc61c2c5de7"},{"url":"https://git.kernel.org/stable/c/d5411685dc2f6ac7bdf01a0a204d56cae38c6cf6"},{"url":"https://git.kernel.org/stable/c/a35c04de2565db191726b5741e6b66a35002c652"}],"title":"net/smc: fix warning in smc_rx_splice() when calling get_page()","x_generator":{"engine":"bippy-1.2.0"}}}}