RDMA/rxe: Fix race condition in QP timer handlers_CVE-2026-45910

7.8 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

RDMA/rxe: Fix race condition in QP timer handlers

I encontered the following warning:
WARNING: drivers/infiniband/sw/rxe/rxe_task.c:249 at rxe_sched_task+0x1c8/0x238 [rdma_rxe], CPU#0: swapper/0/0
...
libsha1 [last unloaded: ip6_udp_tunnel]
CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G C 6.19.0-rc5-64k-v8+ #37 PREEMPT
Tainted: [C]=CRAP
Hardware name: Raspberry Pi 4 Model B Rev 1.2
Call trace:
rxe_sched_task+0x1c8/0x238 [rdma_rxe] (P)
retransmit_timer+0x130/0x188 [rdma_rxe]
call_timer_fn+0x68/0x4d0
__run_timers+0x630/0x888
...
WARNING: drivers/infiniband/sw/rxe/rxe_task.c:38 at rxe_sched_task+0x1c0/0x238 [rdma_rxe], CPU#0: swapper/0/0
...
WARNING: drivers/infiniband/sw/rxe/rxe_task.c:111 at do_work+0x488/0x5c8 [rdma_rxe], CPU#3: kworker/u17:4/93400
...
refcount_t: underflow; use-after-free.
WARNING: lib/refcount.c:28 at refcount_warn_saturate+0x138/0x1a0, CPU#3: kworker/u17:4/93400

The issue is caused by a race condition between retransmit_timer() and
rxe_destroy_qp, leading to the Queue Pair's (QP) reference count dropping
to zero during timer handler execution.

It seems this warning is harmless because rxe_qp_do_cleanup() will flush
all pending timers and requests.

Example of flow causing the issue:

CPU0 CPU1
retransmit_timer() {
spin_lock_irqsave
rxe_destroy_qp()
__rxe_cleanup()
__rxe_put() // qp->ref_count decrease to 0
rxe_qp_do_cleanup() {
if (qp->valid) {
rxe_sched_task() {
WARN_ON(rxe_read(task->qp) <= 0);
}
}
spin_unlock_irqrestore
}
spin_lock_irqsave
qp->valid = 0
spin_unlock_irqrestore
}

Ensure the QP's reference count is maintained and its validity is checked
within the timer callbacks by adding calls to rxe_get(qp) and corresponding
rxe_put(qp) after use.

Basic Information

ID CVE-2026-45910

Source Linux

Published May 27, 2026 at 12:17

Modified May 30, 2026 at 10:45

Affected Product

Vendor Linux

Product Linux

Version d94671632572813e90bcf475bb4c7d51fbf20173

Affected Versions Linux Linux d94671632572813e90bcf475bb4c7d51fbf20173
Linux Linux d94671632572813e90bcf475bb4c7d51fbf20173
Linux Linux d94671632572813e90bcf475bb4c7d51fbf20173
Linux Linux d94671632572813e90bcf475bb4c7d51fbf20173
Linux Linux d94671632572813e90bcf475bb4c7d51fbf20173
Linux Linux 6.4

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix race condition in QP timer handlers\n\nI encontered the following warning:\n WARNING: drivers/infiniband/sw/rxe/rxe_task.c:249 at rxe_sched_task+0x1c8/0x238 [rdma_rxe], CPU#0: swapper/0/0\n...\n  libsha1 [last unloaded: ip6_udp_tunnel]\n CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G         C          6.19.0-rc5-64k-v8+ #37 PREEMPT\n Tainted: [C]=CRAP\n Hardware name: Raspberry Pi 4 Model B Rev 1.2\n Call trace:\n  rxe_sched_task+0x1c8/0x238 [rdma_rxe] (P)\n  retransmit_timer+0x130/0x188 [rdma_rxe]\n  call_timer_fn+0x68/0x4d0\n  __run_timers+0x630/0x888\n...\n WARNING: drivers/infiniband/sw/rxe/rxe_task.c:38 at rxe_sched_task+0x1c0/0x238 [rdma_rxe], CPU#0: swapper/0/0\n...\n WARNING: drivers/infiniband/sw/rxe/rxe_task.c:111 at do_work+0x488/0x5c8 [rdma_rxe], CPU#3: kworker/u17:4/93400\n...\n refcount_t: underflow; use-after-free.\n WARNING: lib/refcount.c:28 at refcount_warn_saturate+0x138/0x1a0, CPU#3: kworker/u17:4/93400\n\nThe issue is caused by a race condition between retransmit_timer() and\nrxe_destroy_qp, leading to the Queue Pair's (QP) reference count dropping\nto zero during timer handler execution.\n\nIt seems this warning is harmless because rxe_qp_do_cleanup() will flush\nall pending timers and requests.\n\nExample of flow causing the issue:\n\nCPU0                                   CPU1\nretransmit_timer() {\n    spin_lock_irqsave\n                           rxe_destroy_qp()\n                            __rxe_cleanup()\n                              __rxe_put() // qp->ref_count decrease to 0\n                            rxe_qp_do_cleanup() {\n    if (qp->valid) {\n        rxe_sched_task() {\n            WARN_ON(rxe_read(task->qp) <= 0);\n        }\n    }\n    spin_unlock_irqrestore\n}\n                              spin_lock_irqsave\n                              qp->valid = 0\n                              spin_unlock_irqrestore\n                            }\n\nEnsure the QP's reference count is maintained and its validity is checked\nwithin the timer callbacks by adding calls to rxe_get(qp) and corresponding\nrxe_put(qp) after use.",
    "published": "2026-05-27T12:17:24.619Z",
    "modified": "2026-05-30T10:45:53.742Z",
    "type": "cve",
    "title": "RDMA/rxe: Fix race condition in QP timer handlers",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/756c93d6df7c3bc599f6590b8e5afead6a41de1c\nhttps://git.kernel.org/stable/c/3c2ae79fb19dfd67341c14f1e78a5f1744eacfe2\nhttps://git.kernel.org/stable/c/5ae9da022ee3c97e6469eabcddce9271501ddbad\nhttps://git.kernel.org/stable/c/da379ca16af3722f159860d91a99cb6976a7500f\nhttps://git.kernel.org/stable/c/87bf646921430e303176edc4eb07c30160361b73",
    "id": "CVE-2026-45910",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux d94671632572813e90bcf475bb4c7d51fbf20173\nLinux Linux d94671632572813e90bcf475bb4c7d51fbf20173\nLinux Linux d94671632572813e90bcf475bb4c7d51fbf20173\nLinux Linux d94671632572813e90bcf475bb4c7d51fbf20173\nLinux Linux d94671632572813e90bcf475bb4c7d51fbf20173\nLinux Linux 6.4",
    "sourceHref": "",
    "cvss": {
        "score": 7.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "d94671632572813e90bcf475bb4c7d51fbf20173",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply