CVE-2025-40012 (GCVE-0-2025-40012)
Vulnerability from cvelistv5
Published: 2025-10-20 15:26
Modified: 2025-10-20 15:26
Severity: none assigned in the record
Summary
In the Linux kernel, the following vulnerability has been resolved:

net/smc: fix warning in smc_rx_splice() when calling get_page()

smc_lo_register_dmb() allocates DMB buffers with kzalloc(), which are later passed to get_page() in smc_rx_splice(). Since kmalloc memory is not page-backed, this triggers WARN_ON_ONCE() in get_page() and prevents holding a refcount on the buffer. This can lead to use-after-free if the memory is released before splice_to_pipe() completes.

Use folio_alloc() instead, ensuring DMBs are page-backed and safe for get_page().

WARNING: CPU: 18 PID: 12152 at ./include/linux/mm.h:1330 smc_rx_splice+0xaf8/0xe20 [smc]
CPU: 18 UID: 0 PID: 12152 Comm: smcapp Kdump: loaded Not tainted 6.17.0-rc3-11705-g9cf4672ecfee #10 NONE
Hardware name: IBM 3931 A01 704 (z/VM 7.4.0)
Krnl PSW : 0704e00180000000 000793161032696c (smc_rx_splice+0xafc/0xe20 [smc])
           R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3
Krnl GPRS: 0000000000000000 001cee80007d3001 00077400000000f8 0000000000000005
           0000000000000001 001cee80007d3006 0007740000001000 001c000000000000
           000000009b0c99e0 0000000000001000 001c0000000000f8 001c000000000000
           000003ffcc6f7c88 0007740003e98000 0007931600000005 000792969b2ff7b8
Krnl Code: 0007931610326960: af000000        mc      0,0
           0007931610326964: a7f4ff43        brc     15,00079316103267ea
          #0007931610326968: af000000        mc      0,0
          >000793161032696c: a7f4ff3f        brc     15,00079316103267ea
           0007931610326970: e320f1000004    lg      %r2,256(%r15)
           0007931610326976: c0e53fd1b5f5    brasl   %r14,000793168fd5d560
           000793161032697c: a7f4fbb5        brc     15,00079316103260e6
           0007931610326980: b904002b        lgr     %r2,%r11
Call Trace:
 smc_rx_splice+0xafc/0xe20 [smc]
 smc_rx_splice+0x756/0xe20 [smc])
 smc_rx_recvmsg+0xa74/0xe00 [smc]
 smc_splice_read+0x1ce/0x3b0 [smc]
 sock_splice_read+0xa2/0xf0
 do_splice_read+0x198/0x240
 splice_file_to_pipe+0x7e/0x110
 do_splice+0x59e/0xde0
 __do_splice+0x11a/0x2d0
 __s390x_sys_splice+0x140/0x1f0
 __do_syscall+0x122/0x280
 system_call+0x6e/0x90
Last Breaking-Event-Address:
 smc_rx_splice+0x960/0xe20 [smc]
---[ end trace 0000000000000000 ]---
Impacted products
Vendor   Product   Version (first affected git commit)
Linux    Linux     f7a22071dbf316c982fb44308874bd7ad9ac2091
Linux    Linux     f7a22071dbf316c982fb44308874bd7ad9ac2091
Linux    Linux     f7a22071dbf316c982fb44308874bd7ad9ac2091


{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/smc/smc_loopback.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "14fc4fdae42e34d7ee871b292ac2ecc61c2c5de7",
              "status": "affected",
              "version": "f7a22071dbf316c982fb44308874bd7ad9ac2091",
              "versionType": "git"
            },
            {
              "lessThan": "d5411685dc2f6ac7bdf01a0a204d56cae38c6cf6",
              "status": "affected",
              "version": "f7a22071dbf316c982fb44308874bd7ad9ac2091",
              "versionType": "git"
            },
            {
              "lessThan": "a35c04de2565db191726b5741e6b66a35002c652",
              "status": "affected",
              "version": "f7a22071dbf316c982fb44308874bd7ad9ac2091",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/smc/smc_loopback.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.10"
            },
            {
              "lessThan": "6.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.50",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.50",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.10",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: fix warning in smc_rx_splice() when calling get_page()\n\nsmc_lo_register_dmb() allocates DMB buffers with kzalloc(), which are\nlater passed to get_page() in smc_rx_splice(). Since kmalloc memory is\nnot page-backed, this triggers WARN_ON_ONCE() in get_page() and prevents\nholding a refcount on the buffer. This can lead to use-after-free if\nthe memory is released before splice_to_pipe() completes.\n\nUse folio_alloc() instead, ensuring DMBs are page-backed and safe for\nget_page().\n\nWARNING: CPU: 18 PID: 12152 at ./include/linux/mm.h:1330 smc_rx_splice+0xaf8/0xe20 [smc]\nCPU: 18 UID: 0 PID: 12152 Comm: smcapp Kdump: loaded Not tainted 6.17.0-rc3-11705-g9cf4672ecfee #10 NONE\nHardware name: IBM 3931 A01 704 (z/VM 7.4.0)\nKrnl PSW : 0704e00180000000 000793161032696c (smc_rx_splice+0xafc/0xe20 [smc])\n           R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3\nKrnl GPRS: 0000000000000000 001cee80007d3001 00077400000000f8 0000000000000005\n           0000000000000001 001cee80007d3006 0007740000001000 001c000000000000\n           000000009b0c99e0 0000000000001000 001c0000000000f8 001c000000000000\n           000003ffcc6f7c88 0007740003e98000 0007931600000005 000792969b2ff7b8\nKrnl Code: 0007931610326960: af000000\t\tmc\t0,0\n           0007931610326964: a7f4ff43\t\tbrc\t15,00079316103267ea\n          #0007931610326968: af000000\t\tmc\t0,0\n          \u003e000793161032696c: a7f4ff3f\t\tbrc\t15,00079316103267ea\n           0007931610326970: e320f1000004\tlg\t%r2,256(%r15)\n           0007931610326976: c0e53fd1b5f5\tbrasl\t%r14,000793168fd5d560\n           000793161032697c: a7f4fbb5\t\tbrc\t15,00079316103260e6\n           0007931610326980: b904002b\t\tlgr\t%r2,%r11\nCall Trace:\n smc_rx_splice+0xafc/0xe20 [smc]\n smc_rx_splice+0x756/0xe20 [smc])\n smc_rx_recvmsg+0xa74/0xe00 [smc]\n smc_splice_read+0x1ce/0x3b0 [smc]\n sock_splice_read+0xa2/0xf0\n 
do_splice_read+0x198/0x240\n splice_file_to_pipe+0x7e/0x110\n do_splice+0x59e/0xde0\n __do_splice+0x11a/0x2d0\n __s390x_sys_splice+0x140/0x1f0\n __do_syscall+0x122/0x280\n system_call+0x6e/0x90\nLast Breaking-Event-Address:\nsmc_rx_splice+0x960/0xe20 [smc]\n---[ end trace 0000000000000000 ]---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-20T15:26:57.214Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/14fc4fdae42e34d7ee871b292ac2ecc61c2c5de7"
        },
        {
          "url": "https://git.kernel.org/stable/c/d5411685dc2f6ac7bdf01a0a204d56cae38c6cf6"
        },
        {
          "url": "https://git.kernel.org/stable/c/a35c04de2565db191726b5741e6b66a35002c652"
        }
      ],
      "title": "net/smc: fix warning in smc_rx_splice() when calling get_page()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40012",
    "datePublished": "2025-10-20T15:26:57.214Z",
    "dateReserved": "2025-04-16T07:20:57.151Z",
    "dateUpdated": "2025-10-20T15:26:57.214Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-40012\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-10-20T16:15:37.937\",\"lastModified\":\"2025-10-21T19:31:25.450\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/smc: fix warning in smc_rx_splice() when calling get_page()\\n\\nsmc_lo_register_dmb() allocates DMB buffers with kzalloc(), which are\\nlater passed to get_page() in smc_rx_splice(). Since kmalloc memory is\\nnot page-backed, this triggers WARN_ON_ONCE() in get_page() and prevents\\nholding a refcount on the buffer. This can lead to use-after-free if\\nthe memory is released before splice_to_pipe() completes.\\n\\nUse folio_alloc() instead, ensuring DMBs are page-backed and safe for\\nget_page().\\n\\nWARNING: CPU: 18 PID: 12152 at ./include/linux/mm.h:1330 smc_rx_splice+0xaf8/0xe20 [smc]\\nCPU: 18 UID: 0 PID: 12152 Comm: smcapp Kdump: loaded Not tainted 6.17.0-rc3-11705-g9cf4672ecfee #10 NONE\\nHardware name: IBM 3931 A01 704 (z/VM 7.4.0)\\nKrnl PSW : 0704e00180000000 000793161032696c (smc_rx_splice+0xafc/0xe20 [smc])\\n           R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3\\nKrnl GPRS: 0000000000000000 001cee80007d3001 00077400000000f8 0000000000000005\\n           0000000000000001 001cee80007d3006 0007740000001000 001c000000000000\\n           000000009b0c99e0 0000000000001000 001c0000000000f8 001c000000000000\\n           000003ffcc6f7c88 0007740003e98000 0007931600000005 000792969b2ff7b8\\nKrnl Code: 0007931610326960: af000000\\t\\tmc\\t0,0\\n           0007931610326964: a7f4ff43\\t\\tbrc\\t15,00079316103267ea\\n          #0007931610326968: af000000\\t\\tmc\\t0,0\\n          \u003e000793161032696c: a7f4ff3f\\t\\tbrc\\t15,00079316103267ea\\n           0007931610326970: e320f1000004\\tlg\\t%r2,256(%r15)\\n           0007931610326976: 
c0e53fd1b5f5\\tbrasl\\t%r14,000793168fd5d560\\n           000793161032697c: a7f4fbb5\\t\\tbrc\\t15,00079316103260e6\\n           0007931610326980: b904002b\\t\\tlgr\\t%r2,%r11\\nCall Trace:\\n smc_rx_splice+0xafc/0xe20 [smc]\\n smc_rx_splice+0x756/0xe20 [smc])\\n smc_rx_recvmsg+0xa74/0xe00 [smc]\\n smc_splice_read+0x1ce/0x3b0 [smc]\\n sock_splice_read+0xa2/0xf0\\n do_splice_read+0x198/0x240\\n splice_file_to_pipe+0x7e/0x110\\n do_splice+0x59e/0xde0\\n __do_splice+0x11a/0x2d0\\n __s390x_sys_splice+0x140/0x1f0\\n __do_syscall+0x122/0x280\\n system_call+0x6e/0x90\\nLast Breaking-Event-Address:\\nsmc_rx_splice+0x960/0xe20 [smc]\\n---[ end trace 0000000000000000 ]---\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/14fc4fdae42e34d7ee871b292ac2ecc61c2c5de7\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a35c04de2565db191726b5741e6b66a35002c652\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d5411685dc2f6ac7bdf01a0a204d56cae38c6cf6\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}

