Message-ID: <2026011339-CVE-2025-71084-52a2@gregkh>
Date: Tue, 13 Jan 2026 16:35:43 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-71084: RDMA/cm: Fix leaking the multicast GID table reference
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:

RDMA/cm: Fix leaking the multicast GID table reference

If the CM ID is destroyed while the CM event for multicast creating is
still queued the cancel_work_sync() will prevent the work from running
which also prevents destroying the ah_attr. This leaks a refcount and
triggers a WARN:

   GID entry ref leak for dev syz1 index 2 ref=573
   WARNING: CPU: 1 PID: 655 at drivers/infiniband/core/cache.c:809 release_gid_table drivers/infiniband/core/cache.c:806 [inline]
   WARNING: CPU: 1 PID: 655 at drivers/infiniband/core/cache.c:809 gid_table_release_one+0x284/0x3cc drivers/infiniband/core/cache.c:886

Destroy the ah_attr after canceling the work, it is safe to call this
twice.

The Linux kernel CVE team has assigned CVE-2025-71084 to this issue.
Affected and fixed versions
===========================
Issue introduced in 5.12 with commit fe454dc31e84f8c14cb8942fcb61666c9f40745b and fixed in 6.1.160 with commit ab668a58c4a2ccb6d54add7a76f2f955d15d0196
Issue introduced in 5.12 with commit fe454dc31e84f8c14cb8942fcb61666c9f40745b and fixed in 6.6.120 with commit c0acdee513239e1d6e1b490f56be0e6837dfd162
Issue introduced in 5.12 with commit fe454dc31e84f8c14cb8942fcb61666c9f40745b and fixed in 6.12.64 with commit 5cb34bb5fd726491b809efbeb5cfd63ae5bf9cf3
Issue introduced in 5.12 with commit fe454dc31e84f8c14cb8942fcb61666c9f40745b and fixed in 6.18.4 with commit 3ba6d01c4b3c584264dc733c6a2ecc5bbc8e0bb5
Issue introduced in 5.12 with commit fe454dc31e84f8c14cb8942fcb61666c9f40745b and fixed in 6.19-rc4 with commit 57f3cb6c84159d12ba343574df2115fb18dd83ca
Issue introduced in 5.10.20 with commit 60d613b39e8d0c9f3b526e9c96445422b4562d76
Issue introduced in 5.11.3 with commit a3262b3884dd67b4c5632ce7cdf9cff9d1a575d4
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2025-71084
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
drivers/infiniband/core/cma.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/ab668a58c4a2ccb6d54add7a76f2f955d15d0196
https://git.kernel.org/stable/c/c0acdee513239e1d6e1b490f56be0e6837dfd162
https://git.kernel.org/stable/c/5cb34bb5fd726491b809efbeb5cfd63ae5bf9cf3
https://git.kernel.org/stable/c/3ba6d01c4b3c584264dc733c6a2ecc5bbc8e0bb5
https://git.kernel.org/stable/c/57f3cb6c84159d12ba343574df2115fb18dd83ca
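
The leak in the Description above, reduced to a user-space model. This is an
added example, not code from the kernel or from the fixing commits; every type
and function name in it is a hypothetical stand-in. It shows why cancelling
the queued work strands the reference and why an idempotent destroy after the
cancel is safe in both orderings.

```c
/* Constructed user-space model of the leak; all names are hypothetical
 * stand-ins, not the functions in drivers/infiniband/core/cma.c. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct gid_entry { int ref; };               /* one GID table slot */
struct ah_attr   { struct gid_entry *gid; }; /* holds a reference while set */
struct mc_work   { bool queued; struct ah_attr attr; };

static void attr_init(struct ah_attr *a, struct gid_entry *g) { g->ref++; a->gid = g; }

/* Idempotent: clearing the pointer makes a second call a no-op. */
static void attr_destroy(struct ah_attr *a)
{
    if (a->gid) {
        a->gid->ref--;
        a->gid = NULL;
    }
}

/* Queued event handler: the only release point in the unfixed flow. */
static void mc_event_handler(struct mc_work *w)
{
    w->queued = false;
    attr_destroy(&w->attr);
}

/* Models cancel_work_sync(): pending work is dequeued and never runs. */
static void cancel_work(struct mc_work *w) { w->queued = false; }

/* Returns the references still held on the GID entry after teardown. */
static int teardown(bool work_ran_first, bool fixed)
{
    struct gid_entry gid = { .ref = 0 };
    struct mc_work w = { .queued = true };
    attr_init(&w.attr, &gid);
    if (work_ran_first)
        mc_event_handler(&w);  /* event delivered before the destroy */
    cancel_work(&w);
    if (fixed)
        attr_destroy(&w.attr); /* release after cancel; no-op if already done */
    return gid.ref;
}

int main(void)
{
    printf("unfixed/cancelled=%d fixed/cancelled=%d fixed/ran=%d\n",
           teardown(false, false), teardown(false, true), teardown(true, true));
    return 0;
}
```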