Home

Description

In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix race condition in QP timer handlers I encontered the following warning: WARNING: drivers/infiniband/sw/rxe/rxe_task.c:249 at rxe_sched_task+0x1c8/0x238 [rdma_rxe], CPU#0: swapper/0/0 ... libsha1 [last unloaded: ip6_udp_tunnel] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G C 6.19.0-rc5-64k-v8+ #37 PREEMPT Tainted: [C]=CRAP Hardware name: Raspberry Pi 4 Model B Rev 1.2 Call trace: rxe_sched_task+0x1c8/0x238 [rdma_rxe] (P) retransmit_timer+0x130/0x188 [rdma_rxe] call_timer_fn+0x68/0x4d0 __run_timers+0x630/0x888 ... WARNING: drivers/infiniband/sw/rxe/rxe_task.c:38 at rxe_sched_task+0x1c0/0x238 [rdma_rxe], CPU#0: swapper/0/0 ... WARNING: drivers/infiniband/sw/rxe/rxe_task.c:111 at do_work+0x488/0x5c8 [rdma_rxe], CPU#3: kworker/u17:4/93400 ... refcount_t: underflow; use-after-free. WARNING: lib/refcount.c:28 at refcount_warn_saturate+0x138/0x1a0, CPU#3: kworker/u17:4/93400 The issue is caused by a race condition between retransmit_timer() and rxe_destroy_qp, leading to the Queue Pair's (QP) reference count dropping to zero during timer handler execution. It seems this warning is harmless because rxe_qp_do_cleanup() will flush all pending timers and requests. Example of flow causing the issue: CPU0 CPU1 retransmit_timer() { spin_lock_irqsave rxe_destroy_qp() __rxe_cleanup() __rxe_put() // qp->ref_count decrease to 0 rxe_qp_do_cleanup() { if (qp->valid) { rxe_sched_task() { WARN_ON(rxe_read(task->qp) <= 0); } } spin_unlock_irqrestore } spin_lock_irqsave qp->valid = 0 spin_unlock_irqrestore } Ensure the QP's reference count is maintained and its validity is checked within the timer callbacks by adding calls to rxe_get(qp) and corresponding rxe_put(qp) after use.

PUBLISHED Reserved 2026-05-13 | Published 2026-05-27 | Updated 2026-05-30 | Assigner Linux




HIGH: 7.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Product status

Default status
unaffected

d94671632572813e90bcf475bb4c7d51fbf20173 (git) before 756c93d6df7c3bc599f6590b8e5afead6a41de1c
affected

d94671632572813e90bcf475bb4c7d51fbf20173 (git) before 3c2ae79fb19dfd67341c14f1e78a5f1744eacfe2
affected

d94671632572813e90bcf475bb4c7d51fbf20173 (git) before 5ae9da022ee3c97e6469eabcddce9271501ddbad
affected

d94671632572813e90bcf475bb4c7d51fbf20173 (git) before da379ca16af3722f159860d91a99cb6976a7500f
affected

d94671632572813e90bcf475bb4c7d51fbf20173 (git) before 87bf646921430e303176edc4eb07c30160361b73
affected

Default status
affected

6.4
affected

Any version before 6.4
unaffected

6.6.128 (semver)
unaffected

6.12.75 (semver)
unaffected

6.18.14 (semver)
unaffected

6.19.4 (semver)
unaffected

7.0 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/756c93d6df7c3bc599f6590b8e5afead6a41de1c

git.kernel.org/...c/3c2ae79fb19dfd67341c14f1e78a5f1744eacfe2

git.kernel.org/...c/5ae9da022ee3c97e6469eabcddce9271501ddbad

git.kernel.org/...c/da379ca16af3722f159860d91a99cb6976a7500f

git.kernel.org/...c/87bf646921430e303176edc4eb07c30160361b73

cve.org (CVE-2026-45910)

nvd.nist.gov (CVE-2026-45910)

Download JSON