CVE-2025-39932
- Source
- https://cve.org/CVERecord?id=CVE-2025-39932
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-39932.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-39932
- Downstream
- Published
- 2025-10-04T07:30:56.726Z
- Modified
- 2026-03-09T23:52:29.244358Z
- Summary
- smb: client: let smbd_destroy() call disable_work_sync(&info->post_send_credits_work)
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
smb: client: let smbddestroy() call disableworksync(&info->postsendcreditswork)
In smbddestroy() we may destroy the memory so we better wait until postsendcreditswork is no longer pending and will never be started again.
I actually just hit the case using rxe:
WARNING: CPU: 0 PID: 138 at drivers/infiniband/sw/rxe/rxeverbs.c:1032 rxepostrecv+0x1ee/0x480 [rdmarxe] ... [ 5305.686979] [ T138] smbdpostrecv+0x445/0xc10 [cifs] [ 5305.687135] [ T138] ? srsoaliasreturn_thunk+0x5/0xfbef5 [ 5305.687149] [ T138] ? __kasancheckwrite+0x14/0x30 [ 5305.687185] [ T138] ? __pfxsmbdpostrecv+0x10/0x10 [cifs] [ 5305.687329] [ T138] ? pfxrawspinlockirqsave+0x10/0x10 [ 5305.687356] [ T138] ? srsoaliasreturnthunk+0x5/0xfbef5 [ 5305.687368] [ T138] ? srsoaliasreturnthunk+0x5/0xfbef5 [ 5305.687378] [ T138] ? rawspinunlockirqrestore+0x11/0x60 [ 5305.687389] [ T138] ? srsoaliasreturnthunk+0x5/0xfbef5 [ 5305.687399] [ T138] ? getreceivebuffer+0x168/0x210 [cifs] [ 5305.687555] [ T138] smbdpostsendcredits+0x382/0x4b0 [cifs] [ 5305.687701] [ T138] ? __pfxsmbdpostsendcredits+0x10/0x10 [cifs] [ 5305.687855] [ T138] ? pfxschedule+0x10/0x10 [ 5305.687865] [ T138] ? pfxrawspinlockirq+0x10/0x10 [ 5305.687875] [ T138] ? queuedelayedworkon+0x8e/0xa0 [ 5305.687889] [ T138] processonework+0x629/0xf80 [ 5305.687908] [ T138] ? srsoaliasreturnthunk+0x5/0xfbef5 [ 5305.687917] [ T138] ? _kasancheckwrite+0x14/0x30 [ 5305.687933] [ T138] workerthread+0x87f/0x1570 ...
It means rxepostrecv was called after rdmadestroyqp(). This happened because putreceivebuffer() was triggered by ibdrainqp() and called: queuework(info->workqueue, &info->postsendcreditswork);
- Database specific
{ "cna_assigner": "Linux", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39932.json" }- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/3fabb1236f2e3ad78d531be0a4ad9f4a4ccdda87
- https://git.kernel.org/stable/c/6ae90a2baf923e85eb037b636aa641250bf4220f
- https://git.kernel.org/stable/c/d9dcbbcf9145b68aa85c40947311a6907277e097
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39932.json
- https://nvd.nist.gov/vuln/detail/CVE-2025-39932