CVE-2026-45910
Gravedad CVSS v3.1:
ALTA
Tipo:
CWE-362
Ejecución concurrente utilizando recursos compartidos con una incorrecta sincronización (Condición de carrera)
Fecha de publicación:
27/05/2026
Última modificación:
24/06/2026
Descripción
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
RDMA/rxe: Fix race condition in QP timer handlers<br />
<br />
I encontered the following warning:<br />
WARNING: drivers/infiniband/sw/rxe/rxe_task.c:249 at rxe_sched_task+0x1c8/0x238 [rdma_rxe], CPU#0: swapper/0/0<br />
...<br />
libsha1 [last unloaded: ip6_udp_tunnel]<br />
CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G C 6.19.0-rc5-64k-v8+ #37 PREEMPT<br />
Tainted: [C]=CRAP<br />
Hardware name: Raspberry Pi 4 Model B Rev 1.2<br />
Call trace:<br />
rxe_sched_task+0x1c8/0x238 [rdma_rxe] (P)<br />
retransmit_timer+0x130/0x188 [rdma_rxe]<br />
call_timer_fn+0x68/0x4d0<br />
__run_timers+0x630/0x888<br />
...<br />
WARNING: drivers/infiniband/sw/rxe/rxe_task.c:38 at rxe_sched_task+0x1c0/0x238 [rdma_rxe], CPU#0: swapper/0/0<br />
...<br />
WARNING: drivers/infiniband/sw/rxe/rxe_task.c:111 at do_work+0x488/0x5c8 [rdma_rxe], CPU#3: kworker/u17:4/93400<br />
...<br />
refcount_t: underflow; use-after-free.<br />
WARNING: lib/refcount.c:28 at refcount_warn_saturate+0x138/0x1a0, CPU#3: kworker/u17:4/93400<br />
<br />
The issue is caused by a race condition between retransmit_timer() and<br />
rxe_destroy_qp, leading to the Queue Pair&#39;s (QP) reference count dropping<br />
to zero during timer handler execution.<br />
<br />
It seems this warning is harmless because rxe_qp_do_cleanup() will flush<br />
all pending timers and requests.<br />
<br />
Example of flow causing the issue:<br />
<br />
CPU0 CPU1<br />
retransmit_timer() {<br />
spin_lock_irqsave<br />
rxe_destroy_qp()<br />
__rxe_cleanup()<br />
__rxe_put() // qp->ref_count decrease to 0<br />
rxe_qp_do_cleanup() {<br />
if (qp->valid) {<br />
rxe_sched_task() {<br />
WARN_ON(rxe_read(task->qp) valid = 0<br />
spin_unlock_irqrestore<br />
}<br />
<br />
Ensure the QP&#39;s reference count is maintained and its validity is checked<br />
within the timer callbacks by adding calls to rxe_get(qp) and corresponding<br />
rxe_put(qp) after use.
Impacto
Puntuación base 3.x
7.80
Gravedad 3.x
ALTA
Productos y versiones vulnerables
| CPE | Desde | Hasta |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.4 (incluyendo) | 6.6.128 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (incluyendo) | 6.12.75 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (incluyendo) | 6.18.14 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.19 (incluyendo) | 6.19.4 (excluyendo) |
Para consultar la lista completa de nombres de CPE con productos y versiones, ver esta página
Referencias a soluciones, herramientas e información
- https://git.kernel.org/stable/c/3c2ae79fb19dfd67341c14f1e78a5f1744eacfe2
- https://git.kernel.org/stable/c/5ae9da022ee3c97e6469eabcddce9271501ddbad
- https://git.kernel.org/stable/c/756c93d6df7c3bc599f6590b8e5afead6a41de1c
- https://git.kernel.org/stable/c/87bf646921430e303176edc4eb07c30160361b73
- https://git.kernel.org/stable/c/da379ca16af3722f159860d91a99cb6976a7500f



