{"id":"CVE-2026-45910","summary":"RDMA/rxe: Fix race condition in QP timer handlers","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix race condition in QP timer handlers\n\nI encontered the following warning:\n WARNING: drivers/infiniband/sw/rxe/rxe_task.c:249 at rxe_sched_task+0x1c8/0x238 [rdma_rxe], CPU#0: swapper/0/0\n...\n  libsha1 [last unloaded: ip6_udp_tunnel]\n CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G         C          6.19.0-rc5-64k-v8+ #37 PREEMPT\n Tainted: [C]=CRAP\n Hardware name: Raspberry Pi 4 Model B Rev 1.2\n Call trace:\n  rxe_sched_task+0x1c8/0x238 [rdma_rxe] (P)\n  retransmit_timer+0x130/0x188 [rdma_rxe]\n  call_timer_fn+0x68/0x4d0\n  __run_timers+0x630/0x888\n...\n WARNING: drivers/infiniband/sw/rxe/rxe_task.c:38 at rxe_sched_task+0x1c0/0x238 [rdma_rxe], CPU#0: swapper/0/0\n...\n WARNING: drivers/infiniband/sw/rxe/rxe_task.c:111 at do_work+0x488/0x5c8 [rdma_rxe], CPU#3: kworker/u17:4/93400\n...\n refcount_t: underflow; use-after-free.\n WARNING: lib/refcount.c:28 at refcount_warn_saturate+0x138/0x1a0, CPU#3: kworker/u17:4/93400\n\nThe issue is caused by a race condition between retransmit_timer() and\nrxe_destroy_qp, leading to the Queue Pair's (QP) reference count dropping\nto zero during timer handler execution.\n\nIt seems this warning is harmless because rxe_qp_do_cleanup() will flush\nall pending timers and requests.\n\nExample of flow causing the issue:\n\nCPU0                                   CPU1\nretransmit_timer() {\n    spin_lock_irqsave\n                           rxe_destroy_qp()\n                            __rxe_cleanup()\n                              __rxe_put() // qp-\u003eref_count decrease to 0\n                            rxe_qp_do_cleanup() {\n    if (qp-\u003evalid) {\n        rxe_sched_task() {\n            WARN_ON(rxe_read(task-\u003eqp) \u003c= 0);\n        }\n    }\n    spin_unlock_irqrestore\n}\n                              spin_lock_irqsave\n                              qp-\u003evalid = 0\n                              spin_unlock_irqrestore\n                            }\n\nEnsure the QP's reference count is maintained and its validity is checked\nwithin the timer callbacks by adding calls to rxe_get(qp) and corresponding\nrxe_put(qp) after use.","modified":"2026-06-26T11:56:33.108336918Z","published":"2026-05-27T12:17:24.619Z","related":["SUSE-SU-2026:22099-1","SUSE-SU-2026:22108-1","SUSE-SU-2026:22112-1","SUSE-SU-2026:22127-1","SUSE-SU-2026:22137-1","SUSE-SU-2026:2310-1","SUSE-SU-2026:2482-1","SUSE-SU-2026:2591-1","openSUSE-SU-2026:20965-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45910.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/3c2ae79fb19dfd67341c14f1e78a5f1744eacfe2"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5ae9da022ee3c97e6469eabcddce9271501ddbad"},{"type":"WEB","url":"https://git.kernel.org/stable/c/756c93d6df7c3bc599f6590b8e5afead6a41de1c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/87bf646921430e303176edc4eb07c30160361b73"},{"type":"WEB","url":"https://git.kernel.org/stable/c/da379ca16af3722f159860d91a99cb6976a7500f"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45910.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45910"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"d94671632572813e90bcf475bb4c7d51fbf20173"},{"fixed":"756c93d6df7c3bc599f6590b8e5afead6a41de1c"},{"fixed":"3c2ae79fb19dfd67341c14f1e78a5f1744eacfe2"},{"fixed":"5ae9da022ee3c97e6469eabcddce9271501ddbad"},{"fixed":"da379ca16af3722f159860d91a99cb6976a7500f"},{"fixed":"87bf646921430e303176edc4eb07c30160361b73"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-45910.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.4.0"},{"fixed":"6.6.128"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.75"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.14"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.4"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-45910.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}