CVE-2025-40061

Source
https://cve.org/CVERecord?id=CVE-2025-40061
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40061.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-40061
Published
2025-10-28T11:48:33.361Z
Modified
2026-05-15T04:13:45.232572933Z
Summary
RDMA/rxe: Fix race in do_task() when draining
Details

In the Linux kernel, the following vulnerability has been resolved:

RDMA/rxe: Fix race in do_task() when draining

When do_task() exhausts its iteration budget (!ret), it sets the state to TASK_STATE_IDLE to reschedule, without a secondary check on the current task->state. This can overwrite the TASK_STATE_DRAINING state set by a concurrent call to rxe_cleanup_task() or rxe_disable_task().

While state changes are protected by a spinlock, both rxe_cleanup_task() and rxe_disable_task() release the lock while waiting for the task to finish draining in the while(!is_done(task)) loop. The race occurs if do_task() hits its iteration limit and acquires the lock in this window. The cleanup logic may then proceed while the task incorrectly reschedules itself, leading to a potential use-after-free.

This bug was introduced during the migration from tasklets to workqueues, where the special handling for the draining case was lost.

Fix this by restoring the original pre-migration behavior. If the state is TASK_STATE_DRAINING when iterations are exhausted, set cont to 1 to force a new loop iteration. This allows the task to finish its work, so that a subsequent iteration can reach the switch statement and correctly transition the state to TASK_STATE_DRAINED, stopping the task as intended.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40061.json"
}
Affected packages

Linux / Kernel

Package

Name
Kernel

Affected ranges (type: ECOSYSTEM)

Introduced 6.5.0, fixed 6.6.112
Introduced 6.7.0, fixed 6.12.53
Introduced 6.13.0, fixed 6.17.3

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40061.json"