CVE-2025-40012

In the Linux kernel, the following vulnerability has been resolved:

net/smc: fix warning in smcrxsplice() when calling get_page()

smcloregisterdmb() allocates DMB buffers with kzalloc(), which are later passed to getpage() in smcrxsplice(). Since kmalloc memory is not page-backed, this triggers WARNONONCE() in getpage() and prevents holding a refcount on the buffer. This can lead to use-after-free if the memory is released before spliceto_pipe() completes.

Use folioalloc() instead, ensuring DMBs are page-backed and safe for getpage().

WARNING: CPU: 18 PID: 12152 at ./include/linux/mm.h:1330 smcrxsplice+0xaf8/0xe20 [smc] CPU: 18 UID: 0 PID: 12152 Comm: smcapp Kdump: loaded Not tainted 6.17.0-rc3-11705-g9cf4672ecfee #10 NONE Hardware name: IBM 3931 A01 704 (z/VM 7.4.0) Krnl PSW : 0704e00180000000 000793161032696c (smcrxsplice+0xafc/0xe20 [smc]) R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3 Krnl GPRS: 0000000000000000 001cee80007d3001 00077400000000f8 0000000000000005 0000000000000001 001cee80007d3006 0007740000001000 001c000000000000 000000009b0c99e0 0000000000001000 001c0000000000f8 001c000000000000 000003ffcc6f7c88 0007740003e98000 0007931600000005 000792969b2ff7b8 Krnl Code: 0007931610326960: af000000 mc 0,0 0007931610326964: a7f4ff43 brc 15,00079316103267ea #0007931610326968: af000000 mc 0,0

000793161032696c: a7f4ff3f brc 15,00079316103267ea 0007931610326970: e320f1000004 lg %r2,256(%r15) 0007931610326976: c0e53fd1b5f5 brasl %r14,000793168fd5d560 000793161032697c: a7f4fbb5 brc 15,00079316103260e6 0007931610326980: b904002b lgr %r2,%r11 Call Trace: smcrxsplice+0xafc/0xe20 [smc] smcrxsplice+0x756/0xe20 [smc]) smcrxrecvmsg+0xa74/0xe00 [smc] smcspliceread+0x1ce/0x3b0 [smc] sockspliceread+0xa2/0xf0 dospliceread+0x198/0x240 splicefiletopipe+0x7e/0x110 dosplice+0x59e/0xde0 _dosplice+0x11a/0x2d0 _s390xsyssplice+0x140/0x1f0 _dosyscall+0x122/0x280 systemcall+0x6e/0x90 Last Breaking-Event-Address: smcrxsplice+0x960/0xe20 [smc] ---[ end trace 0000000000000000 ]---