Instituto Nacional de Ciberseguridad (National Cybersecurity Institute). INCIBE-CERT section

CVE-2025-40012

Severity:
Pending analysis
Type:
Not available / Other type
Publication date:
20/10/2025
Last modified:
21/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

net/smc: fix warning in smc_rx_splice() when calling get_page()

smc_lo_register_dmb() allocates DMB buffers with kzalloc(), which are later passed to get_page() in smc_rx_splice(). Since kmalloc memory is not page-backed, this triggers WARN_ON_ONCE() in get_page() and prevents holding a refcount on the buffer. This can lead to use-after-free if the memory is released before splice_to_pipe() completes.

Use folio_alloc() instead, ensuring DMBs are page-backed and safe for get_page().

WARNING: CPU: 18 PID: 12152 at ./include/linux/mm.h:1330 smc_rx_splice+0xaf8/0xe20 [smc]
CPU: 18 UID: 0 PID: 12152 Comm: smcapp Kdump: loaded Not tainted 6.17.0-rc3-11705-g9cf4672ecfee #10 NONE
Hardware name: IBM 3931 A01 704 (z/VM 7.4.0)
Krnl PSW : 0704e00180000000 000793161032696c (smc_rx_splice+0xafc/0xe20 [smc])
R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3
Krnl GPRS: 0000000000000000 001cee80007d3001 00077400000000f8 0000000000000005
0000000000000001 001cee80007d3006 0007740000001000 001c000000000000
000000009b0c99e0 0000000000001000 001c0000000000f8 001c000000000000
000003ffcc6f7c88 0007740003e98000 0007931600000005 000792969b2ff7b8
Krnl Code: 0007931610326960: af000000 mc 0,0
0007931610326964: a7f4ff43 brc 15,00079316103267ea
#0007931610326968: af000000 mc 0,0
>000793161032696c: a7f4ff3f brc 15,00079316103267ea
0007931610326970: e320f1000004 lg %r2,256(%r15)
0007931610326976: c0e53fd1b5f5 brasl %r14,000793168fd5d560
000793161032697c: a7f4fbb5 brc 15,00079316103260e6
0007931610326980: b904002b lgr %r2,%r11
Call Trace:
smc_rx_splice+0xafc/0xe20 [smc]
smc_rx_splice+0x756/0xe20 [smc])
smc_rx_recvmsg+0xa74/0xe00 [smc]
smc_splice_read+0x1ce/0x3b0 [smc]
sock_splice_read+0xa2/0xf0
do_splice_read+0x198/0x240
splice_file_to_pipe+0x7e/0x110
do_splice+0x59e/0xde0
__do_splice+0x11a/0x2d0
__s390x_sys_splice+0x140/0x1f0
__do_syscall+0x122/0x280
system_call+0x6e/0x90
Last Breaking-Event-Address:
smc_rx_splice+0x960/0xe20 [smc]
---[ end trace 0000000000000000 ]---
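
An added example, not part of the advisory or the kernel patch: a Python triage helper that scans kernel log text for the warning signature quoted above (a WARNING raised from include/linux/mm.h inside smc_rx_splice of the smc module) and reports the affected process and call path. The function name, the sample log and its timestamps are constructed for illustration.

```python
import re

# Constructed sample log modelled on the trace in the description; the first
# warning (path and symbol invented) is unrelated and must not match.
SAMPLE_LOG = """\
[  101.000001] WARNING: CPU: 2 PID: 900 at fs/example.c:10 example_fn+0x10/0x20
[  101.000002] ---[ end trace 0000000000000000 ]---
[  202.000001] WARNING: CPU: 18 PID: 12152 at ./include/linux/mm.h:1330 smc_rx_splice+0xaf8/0xe20 [smc]
[  202.000002] CPU: 18 UID: 0 PID: 12152 Comm: smcapp Kdump: loaded Not tainted 6.17.0-rc3-11705-g9cf4672ecfee #10 NONE
[  202.000003] Call Trace:
[  202.000004]  smc_rx_splice+0xafc/0xe20 [smc]
[  202.000005]  smc_rx_recvmsg+0xa74/0xe00 [smc]
[  202.000006]  smc_splice_read+0x1ce/0x3b0 [smc]
[  202.000007]  sock_splice_read+0xa2/0xf0
[  202.000008] ---[ end trace 0000000000000000 ]---
"""

WARN_RE = re.compile(
    r"WARNING: CPU: (?P<cpu>\d+) PID: (?P<pid>\d+) at (?P<src>\S+):(?P<line>\d+) "
    r"(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(?P<mod>\w+)\])?")
COMM_RE = re.compile(r"Comm: (?P<comm>\S+)")
FRAME_RE = re.compile(r"^\s*(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
STAMP_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # optional dmesg timestamp prefix

def find_smc_splice_warnings(log_text):
    """Return one dict per WARN block raised in smc_rx_splice() from mm.h."""
    hits, cur = [], None
    # The trailing sentinel flushes a block whose end marker was cut off.
    for raw in log_text.splitlines() + ["end trace"]:
        line = STAMP_RE.sub("", raw)
        m = WARN_RE.search(line)
        if m or "end trace" in line:
            if cur:
                hits.append(cur)
            cur = None
            if (m and m["sym"] == "smc_rx_splice" and m["mod"] == "smc"
                    and m["src"].endswith("include/linux/mm.h")):
                cur = {"cpu": int(m["cpu"]), "pid": int(m["pid"]),
                       "comm": None, "frames": []}
        elif cur is not None:
            c, f = COMM_RE.search(line), FRAME_RE.match(line)
            if c:
                cur["comm"] = c["comm"]
            if f:
                cur["frames"].append(f["sym"])
    for h in hits:
        # smc_splice_read in the trace confirms the splice() path from the advisory.
        h["via_splice"] = "smc_splice_read" in h["frames"]
    return hits
```

Because the check is WARN_ON_ONCE(), the kernel logs this warning at most once per boot, so a single hit does not bound how many times the affected splice path ran on that system.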

Impact