CVE-2025-40061

When dotask() exhausts its iteration budget (!ret), it sets the state to TASKSTATEIDLE to reschedule, without a secondary check on the current task->state. This can overwrite the TASKSTATEDRAINING state set by a concurrent call to rxecleanuptask() or rxedisable_task().

While state changes are protected by a spinlock, both rxecleanuptask() and rxedisabletask() release the lock while waiting for the task to finish draining in the while(!isdone(task)) loop. The race occurs if dotask() hits its iteration limit and acquires the lock in this window. The cleanup logic may then proceed while the task incorrectly reschedules itself, leading to a potential use-after-free.

This bug was introduced during the migration from tasklets to workqueues, where the special handling for the draining case was lost.

Fix this by restoring the original pre-migration behavior. If the state is TASKSTATEDRAINING when iterations are exhausted, set cont to 1 to force a new loop iteration. This allows the task to finish its work, so that a subsequent iteration can reach the switch statement and correctly transition the state to TASKSTATEDRAINED, stopping the task as intended.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

9b4b7c1f9f54120940e243251e2b1407767b3381

Fixed

85288bcf7ffe11e7b036edf91937bc62fd384076

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

9b4b7c1f9f54120940e243251e2b1407767b3381

Fixed

52edccfb555142678c836c285bf5b4ec760bd043

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

9b4b7c1f9f54120940e243251e2b1407767b3381

Fixed

660b6959c4170637f5db2279d1f71af33a49e49b

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

9b4b7c1f9f54120940e243251e2b1407767b3381

Fixed

8ca7eada62fcfabf6ec1dc7468941e791c1d8729

Affected versions

v6.*

v6.10

v6.10-rc1

v6.10-rc2

v6.10-rc3

v6.10-rc4

v6.10-rc5

v6.10-rc6

v6.10-rc7

v6.11

v6.11-rc1

v6.11-rc2

v6.11-rc3

v6.11-rc4

v6.11-rc5

v6.11-rc6

v6.11-rc7

v6.12

v6.12-rc1

v6.12-rc2

v6.12-rc3

v6.12-rc4

v6.12-rc5

v6.12-rc6

v6.12-rc7

v6.12.1

v6.12.10

v6.12.11

v6.12.12

v6.12.13

v6.12.14

v6.12.15

v6.12.16

v6.12.17

v6.12.18

v6.12.19

v6.12.2

v6.12.20

v6.12.21

v6.12.22

v6.12.23

v6.12.24

v6.12.25

v6.12.26

v6.12.27

v6.12.28

v6.12.29

v6.12.3

v6.12.30

v6.12.31

v6.12.32

v6.12.33

v6.12.34

v6.12.35

v6.12.36

v6.12.37

v6.12.38

v6.12.39

v6.12.4

v6.12.40

v6.12.41

v6.12.42

v6.12.43

v6.12.44

v6.12.45

v6.12.46

v6.12.47

v6.12.48

v6.12.49

v6.12.5

v6.12.50

v6.12.51

v6.12.52

v6.12.6

v6.12.7

v6.12.8

v6.12.9

v6.13

v6.13-rc1

v6.13-rc2

v6.13-rc3

v6.13-rc4

v6.13-rc5

v6.13-rc6

v6.13-rc7

v6.14

v6.14-rc1

v6.14-rc2

v6.14-rc3

v6.14-rc4

v6.14-rc5

v6.14-rc6

v6.14-rc7

v6.15

v6.15-rc1

v6.15-rc2

v6.15-rc3

v6.15-rc4

v6.15-rc5

v6.15-rc6

v6.15-rc7

v6.16

v6.16-rc1

v6.16-rc2

v6.16-rc3

v6.16-rc4

v6.16-rc5

v6.16-rc6

v6.16-rc7

v6.17

v6.17-rc1

v6.17-rc2

v6.17-rc3

v6.17-rc4

v6.17-rc5

v6.17-rc6

v6.17-rc7

v6.17.1

v6.17.2

v6.4

v6.4-rc3

v6.4-rc4

v6.4-rc5

v6.4-rc6

v6.4-rc7

v6.5

v6.5-rc1

v6.5-rc2

v6.5-rc3

v6.5-rc4

v6.5-rc5

v6.5-rc6

v6.5-rc7

v6.6

v6.6-rc1

v6.6-rc2

v6.6-rc3

v6.6-rc4

v6.6-rc5

v6.6-rc6

v6.6-rc7

v6.6.1

v6.6.10

v6.6.100

v6.6.101

v6.6.102

v6.6.103

v6.6.104

v6.6.105

v6.6.106

v6.6.107

v6.6.108

v6.6.109

v6.6.11

v6.6.110

v6.6.111

v6.6.12

v6.6.13

v6.6.14

v6.6.15

v6.6.16

v6.6.17

v6.6.18

v6.6.19

v6.6.2

v6.6.20

v6.6.21

v6.6.22

v6.6.23

v6.6.24

v6.6.25

v6.6.26

v6.6.27

v6.6.28

v6.6.29

v6.6.3

v6.6.30

v6.6.31

v6.6.32

v6.6.33

v6.6.34

v6.6.35

v6.6.36

v6.6.37

v6.6.38

v6.6.39

v6.6.4

v6.6.40

v6.6.41

v6.6.42

v6.6.43

v6.6.44

v6.6.45

v6.6.46

v6.6.47

v6.6.48

v6.6.49

v6.6.5

v6.6.50

v6.6.51

v6.6.52

v6.6.53

v6.6.54

v6.6.55

v6.6.56

v6.6.57

v6.6.58

v6.6.59

v6.6.6

v6.6.60

v6.6.61

v6.6.62

v6.6.63

v6.6.64

v6.6.65

v6.6.66

v6.6.67

v6.6.68

v6.6.69

v6.6.7

v6.6.70

v6.6.71

v6.6.72

v6.6.73

v6.6.74

v6.6.75

v6.6.76

v6.6.77

v6.6.78

v6.6.79

v6.6.8

v6.6.80

v6.6.81

v6.6.82

v6.6.83

v6.6.84

v6.6.85

v6.6.86

v6.6.87

v6.6.88

v6.6.89

v6.6.9

v6.6.90

v6.6.91

v6.6.92

v6.6.93

v6.6.94

v6.6.95

v6.6.96

v6.6.97

v6.6.98

v6.6.99

v6.7

v6.7-rc1

v6.7-rc2

v6.7-rc3

v6.7-rc4

v6.7-rc5

v6.7-rc6

v6.7-rc7

v6.7-rc8

v6.8

v6.8-rc1

v6.8-rc2

v6.8-rc3

v6.8-rc4

v6.8-rc5

v6.8-rc6

v6.8-rc7

v6.9

v6.9-rc1

v6.9-rc2

v6.9-rc3

v6.9-rc4

v6.9-rc5

v6.9-rc6

v6.9-rc7

Database specific

vanir_signatures

[
    {
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@52edccfb555142678c836c285bf5b4ec760bd043",
        "id": "CVE-2025-40061-2d15da14",
        "digest": {
            "function_hash": "159511708141818398770975757550958296545",
            "length": 1358.0
        },
        "signature_type": "Function",
        "target": {
            "function": "do_task",
            "file": "drivers/infiniband/sw/rxe/rxe_task.c"
        }
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@85288bcf7ffe11e7b036edf91937bc62fd384076",
        "id": "CVE-2025-40061-4f39511b",
        "digest": {
            "line_hashes": [
                "38639696703512155741117428239037888353",
                "210131513442867607825083621431634185483",
                "259408621248408115331150895188764595481",
                "334046674798231703641404795019298899441",
                "300693877699691293379733492322305006503"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "target": {
            "file": "drivers/infiniband/sw/rxe/rxe_task.c"
        }
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@660b6959c4170637f5db2279d1f71af33a49e49b",
        "id": "CVE-2025-40061-5122cc0b",
        "digest": {
            "line_hashes": [
                "38639696703512155741117428239037888353",
                "210131513442867607825083621431634185483",
                "259408621248408115331150895188764595481",
                "334046674798231703641404795019298899441",
                "300693877699691293379733492322305006503"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "target": {
            "file": "drivers/infiniband/sw/rxe/rxe_task.c"
        }
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@85288bcf7ffe11e7b036edf91937bc62fd384076",
        "id": "CVE-2025-40061-5cc7a80c",
        "digest": {
            "function_hash": "159511708141818398770975757550958296545",
            "length": 1358.0
        },
        "signature_type": "Function",
        "target": {
            "function": "do_task",
            "file": "drivers/infiniband/sw/rxe/rxe_task.c"
        }
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8ca7eada62fcfabf6ec1dc7468941e791c1d8729",
        "id": "CVE-2025-40061-6fea32a9",
        "digest": {
            "line_hashes": [
                "38639696703512155741117428239037888353",
                "210131513442867607825083621431634185483",
                "259408621248408115331150895188764595481",
                "334046674798231703641404795019298899441",
                "300693877699691293379733492322305006503"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "target": {
            "file": "drivers/infiniband/sw/rxe/rxe_task.c"
        }
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8ca7eada62fcfabf6ec1dc7468941e791c1d8729",
        "id": "CVE-2025-40061-8d29030d",
        "digest": {
            "function_hash": "159511708141818398770975757550958296545",
            "length": 1358.0
        },
        "signature_type": "Function",
        "target": {
            "function": "do_task",
            "file": "drivers/infiniband/sw/rxe/rxe_task.c"
        }
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@52edccfb555142678c836c285bf5b4ec760bd043",
        "id": "CVE-2025-40061-ba042557",
        "digest": {
            "line_hashes": [
                "38639696703512155741117428239037888353",
                "210131513442867607825083621431634185483",
                "259408621248408115331150895188764595481",
                "334046674798231703641404795019298899441",
                "300693877699691293379733492322305006503"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "target": {
            "file": "drivers/infiniband/sw/rxe/rxe_task.c"
        }
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@660b6959c4170637f5db2279d1f71af33a49e49b",
        "id": "CVE-2025-40061-bba7b199",
        "digest": {
            "function_hash": "159511708141818398770975757550958296545",
            "length": 1358.0
        },
        "signature_type": "Function",
        "target": {
            "function": "do_task",
            "file": "drivers/infiniband/sw/rxe/rxe_task.c"
        }
    }
]

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.5.0

Fixed

6.6.112

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.12.53

Type: ECOSYSTEM
Events: Introduced

6.13.0

Fixed

6.17.3