CVE-2025-38544

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
16/08/2025
Last modified:
18/08/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Fix bug due to prealloc collision

When userspace is using AF_RXRPC to provide a server, it has to preallocate incoming calls and assign to them call IDs that will be used to thread related recvmsg() and sendmsg() together. The preallocated call IDs will automatically be attached to calls as they come in until the pool is empty.

To the kernel, the call IDs are just arbitrary numbers, but userspace can use the call ID to hold a pointer to prepared structs. In any case, the user isn't permitted to create two calls with the same call ID (call IDs become available again when the call ends) and EBADSLT should result from sendmsg() if an attempt is made to preallocate a call with an in-use call ID.

However, the cleanup in the error handling will trigger both assertions in rxrpc_cleanup_call() because the call isn't marked complete and isn't marked as having been released.

Fix this by setting the call state in rxrpc_service_prealloc_one() and then marking it as being released before calling the cleanup function.

Impact