CVE-2026-45898

Source
https://cve.org/CVERecord?id=CVE-2026-45898
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-45898.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-45898
Published
2026-05-27T12:17:07.737Z
Modified
2026-06-18T03:54:49.052532964Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
RDMA/iwcm: Fix workqueue list corruption by removing work_list
Details

In the Linux kernel, the following vulnerability has been resolved:

RDMA/iwcm: Fix workqueue list corruption by removing work_list

The commit e1168f0 ("RDMA/iwcm: Simplify cm_event_handler()") changed the work submission logic to unconditionally call queue_work() with the expectation that queue_work() would have no effect if work was already pending. The problem is that a free list of struct iwcm_work is used (for which struct work_struct is embedded), so each call to queue_work() is basically unique and therefore does indeed queue the work.

This causes a problem in the work handler which walks the work_list until it's empty to process entries. This means that a single run of the work handler could process item N+1 and release it back to the free list while the actual workqueue entry is still queued. It could then get reused (INIT_WORK...) and lead to list corruption in the workqueue logic.

Fix this by just removing the work_list. The workqueue already does this for us.

This fixes the following error that was observed when stress testing with ucmatose on an Intel E830 in iWARP mode:

[ 151.465780] list_del corruption. next->prev should be ffff9f0915c69c08, but was ffff9f0a1116be08. (next=ffff9f0a15b11c08)
[ 151.466639] ------------[ cut here ]------------
[ 151.466986] kernel BUG at lib/list_debug.c:67!
[ 151.467349] Oops: invalid opcode: 0000 [#1] SMP NOPTI
[ 151.467753] CPU: 14 UID: 0 PID: 2306 Comm: kworker/u64:18 Not tainted 6.19.0-rc4+ #1 PREEMPT(voluntary)
[ 151.468466] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 151.469192] Workqueue: 0x0 (iwcm_wq)
[ 151.469478] RIP: 0010:__list_del_entry_valid_or_report+0xf0/0x100
[ 151.469942] Code: c7 58 5f 4c b2 e8 10 50 aa ff 0f 0b 48 89 ef e8 36 57 cb ff 48 8b 55 08 48 89 e9 48 89 de 48 c7 c7 a8 5f 4c b2 e8 f0 4f aa ff <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 90 90 90 90 90 90
[ 151.471323] RSP: 0000:ffffb15644e7bd68 EFLAGS: 00010046
[ 151.471712] RAX: 000000000000006d RBX: ffff9f0915c69c08 RCX: 0000000000000027
[ 151.472243] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff9f0a37d9c600
[ 151.472768] RBP: ffff9f0a15b11c08 R08: 0000000000000000 R09: c0000000ffff7fff
[ 151.473294] R10: 0000000000000001 R11: ffffb15644e7bba8 R12: ffff9f092339ee68
[ 151.473817] R13: ffff9f0900059c28 R14: ffff9f092339ee78 R15: 0000000000000000
[ 151.474344] FS: 0000000000000000(0000) GS:ffff9f0a847b5000(0000) knlGS:0000000000000000
[ 151.474934] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 151.475362] CR2: 0000559e233a9088 CR3: 000000020296b004 CR4: 0000000000770ef0
[ 151.475895] PKRU: 55555554
[ 151.476118] Call Trace:
[ 151.476331] <TASK>
[ 151.476497] move_linked_works+0x49/0xa0
[ 151.476792] __pwq_activate_work.isra.46+0x2f/0xa0
[ 151.477151] pwq_dec_nr_in_flight+0x1e0/0x2f0
[ 151.477479] process_scheduled_works+0x1c8/0x410
[ 151.477823] worker_thread+0x125/0x260
[ 151.478108] ? __pfx_worker_thread+0x10/0x10
[ 151.478430] kthread+0xfe/0x240
[ 151.478671] ? __pfx_kthread+0x10/0x10
[ 151.478955] ? __pfx_kthread+0x10/0x10
[ 151.479240] ret_from_fork+0x208/0x270
[ 151.479523] ? __pfx_kthread+0x10/0x10
[ 151.479806] ret_from_fork_asm+0x1a/0x30
[ 151.480103] </TASK>

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45898.json"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
e1168f09b3314992f1c5251f3793102035da7237
Fixed
38c5b49fffa1b760959af74f11806eeb3ef4706d
Fixed
eb715133e0ae12514bba4d2d5ce1dee774476056
Fixed
a6b9e793e74e372daa266fd0d58b751305877897
Fixed
7874eeacfa42177565c01d5198726671acf7adf2

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-45898.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.11.0
Fixed
6.12.75
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.14
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
6.19.4

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-45898.json"