Instituto Nacional de Ciberseguridad (INCIBE). INCIBE-CERT section

CVE-2025-39932

Severity:
Pending analysis
Type:
Not available / Other type
Publication date:
04/10/2025
Last modified:
06/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

smb: client: let smbd_destroy() call disable_work_sync(&info->post_send_credits_work)

In smbd_destroy() we may destroy the memory so we better
wait until post_send_credits_work is no longer pending
and will never be started again.

I actually just hit the case using rxe:

WARNING: CPU: 0 PID: 138 at drivers/infiniband/sw/rxe/rxe_verbs.c:1032 rxe_post_recv+0x1ee/0x480 [rdma_rxe]
...
[ 5305.686979] [ T138] smbd_post_recv+0x445/0xc10 [cifs]
[ 5305.687135] [ T138] ? srso_alias_return_thunk+0x5/0xfbef5
[ 5305.687149] [ T138] ? __kasan_check_write+0x14/0x30
[ 5305.687185] [ T138] ? __pfx_smbd_post_recv+0x10/0x10 [cifs]
[ 5305.687329] [ T138] ? __pfx__raw_spin_lock_irqsave+0x10/0x10
[ 5305.687356] [ T138] ? srso_alias_return_thunk+0x5/0xfbef5
[ 5305.687368] [ T138] ? srso_alias_return_thunk+0x5/0xfbef5
[ 5305.687378] [ T138] ? _raw_spin_unlock_irqrestore+0x11/0x60
[ 5305.687389] [ T138] ? srso_alias_return_thunk+0x5/0xfbef5
[ 5305.687399] [ T138] ? get_receive_buffer+0x168/0x210 [cifs]
[ 5305.687555] [ T138] smbd_post_send_credits+0x382/0x4b0 [cifs]
[ 5305.687701] [ T138] ? __pfx_smbd_post_send_credits+0x10/0x10 [cifs]
[ 5305.687855] [ T138] ? __pfx___schedule+0x10/0x10
[ 5305.687865] [ T138] ? __pfx__raw_spin_lock_irq+0x10/0x10
[ 5305.687875] [ T138] ? queue_delayed_work_on+0x8e/0xa0
[ 5305.687889] [ T138] process_one_work+0x629/0xf80
[ 5305.687908] [ T138] ? srso_alias_return_thunk+0x5/0xfbef5
[ 5305.687917] [ T138] ? __kasan_check_write+0x14/0x30
[ 5305.687933] [ T138] worker_thread+0x87f/0x1570
...

It means rxe_post_recv was called after rdma_destroy_qp().
This happened because put_receive_buffer() was triggered
by ib_drain_qp() and called:
queue_work(info->workqueue, &info->post_send_credits_work);
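
The teardown ordering described in the commit message, as a simplified single-threaded user-space model (an added example, not kernel code and not part of the original advisory or patch). `struct conn`, `credits_work_fn` and all `model_*` names are hypothetical stand-ins for the SMB Direct connection state and the kernel workqueue calls named above.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model: every name here is a hypothetical stand-in. */
struct work { bool pending; int disabled; };
struct conn {
    bool qp_alive;            /* false once the queue pair is destroyed */
    int posts_after_destroy;  /* receive posts that hit a destroyed QP */
    struct work credits_work; /* models post_send_credits_work */
};

/* Models queue_work(): a disabled or already pending item is not queued. */
static bool model_queue_work(struct work *w) {
    if (w->disabled || w->pending) return false;
    w->pending = true;
    return true;
}

/* Models disable_work_sync(): cancel pending work, block future queueing. */
static void model_disable_work_sync(struct work *w) {
    w->disabled++;
    w->pending = false;
}

/* Work handler: posting a receive is only valid while the QP exists. */
static void credits_work_fn(struct conn *c) {
    if (!c->qp_alive) c->posts_after_destroy++;
}

/* Models the worker thread being scheduled: runs the item if pending. */
static void run_worker(struct conn *c) {
    if (!c->credits_work.pending) return;
    c->credits_work.pending = false;
    credits_work_fn(c);
}

/* Teardown; returns how many receive posts landed on a destroyed QP. */
int model_destroy(bool disable_first) {
    struct conn c = { .qp_alive = true };
    if (disable_first) model_disable_work_sync(&c.credits_work);
    model_queue_work(&c.credits_work); /* drain returns a buffer, queues work */
    c.qp_alive = false;                /* queue pair destroyed */
    run_worker(&c);                    /* worker only runs afterwards */
    return c.posts_after_destroy;
}

int main(void) {
    printf("without disable: %d late post(s)\n", model_destroy(false));
    printf("with disable:    %d late post(s)\n", model_destroy(true));
    return 0;
}
```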

Impact