CVE-2025-40061
Severity:
Pending analysis
Type:
Not available / Other
Publication date:
28/10/2025
Last modified:
30/10/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

RDMA/rxe: Fix race in do_task() when draining

When do_task() exhausts its iteration budget (!ret), it sets the state
to TASK_STATE_IDLE to reschedule, without a secondary check on the
current task->state. This can overwrite the TASK_STATE_DRAINING state
set by a concurrent call to rxe_cleanup_task() or rxe_disable_task().

While state changes are protected by a spinlock, both rxe_cleanup_task()
and rxe_disable_task() release the lock while waiting for the task to
finish draining in the while(!is_done(task)) loop. The race occurs if
do_task() hits its iteration limit and acquires the lock in this window.
The cleanup logic may then proceed while the task incorrectly
reschedules itself, leading to a potential use-after-free.

This bug was introduced during the migration from tasklets to workqueues,
where the special handling for the draining case was lost.

Fix this by restoring the original pre-migration behavior. If the state is
TASK_STATE_DRAINING when iterations are exhausted, set cont to 1 to
force a new loop iteration. This allows the task to finish its work, so
that a subsequent iteration can reach the switch statement and correctly
transition the state to TASK_STATE_DRAINED, stopping the task as intended.
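As an added illustration (not the kernel's code or the patch itself), the following single-threaded C model reproduces the budget-exhausted path of do_task() described above, once with the lost draining check and once with it restored. The spinlock is omitted, and task_func(), ITER_BUDGET and work_left are assumptions of the model; the caller sets TASK_STATE_DRAINING beforehand, standing in for rxe_cleanup_task() having done so in the window where it released the lock.

```c
#include <stdbool.h>

/* Constructed model of the rxe task state machine named in the advisory;
 * only the states the advisory mentions (plus BUSY) are modelled. */
enum task_state { TASK_STATE_IDLE, TASK_STATE_BUSY,
                  TASK_STATE_DRAINING, TASK_STATE_DRAINED };

struct task {
    enum task_state state;
    int work_left;   /* hypothetical: units of work task_func() still has to do */
};

#define ITER_BUDGET 4  /* hypothetical per-call iteration budget */

/* Stand-in for task->func(): returns 0 while more work remains, 1 when done. */
static int task_func(struct task *task)
{
    if (task->work_left > 0) { task->work_left--; return 0; }
    return 1;
}

/* Model of do_task(). `fixed` selects the patched budget-exhausted branch.
 * Returns 1 if the task rescheduled itself (the dangerous outcome while
 * draining), 0 otherwise. Final state is left in task->state. */
static int do_task(struct task *task, bool fixed)
{
    int resched = 0, cont, ret;
    do {
        int iterations = ITER_BUDGET;
        cont = 0;
        do {
            ret = task_func(task);
        } while (ret == 0 && iterations-- > 0);

        if (!ret) {                  /* budget spent but work remains */
            if (fixed && task->state == TASK_STATE_DRAINING)
                cont = 1;            /* fix: loop again until drained */
            else {
                task->state = TASK_STATE_IDLE;  /* bug: clobbers DRAINING */
                resched = 1;
            }
            continue;                /* jumps to the while (cont) check */
        }
        switch (task->state) {       /* reached only when work is finished */
        case TASK_STATE_BUSY:     task->state = TASK_STATE_IDLE;    break;
        case TASK_STATE_DRAINING: task->state = TASK_STATE_DRAINED; break;
        default: break;
        }
    } while (cont);
    return resched;
}
```

With the buggy branch a draining task with more work than one budget ends up IDLE and rescheduled, which is the window the advisory describes; with the fix it runs until its work is gone and reaches TASK_STATE_DRAINED.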