VulnerAlert



APPLICATION
LINUX
04-07-2025 23:22

CVE-2025-38211 Documented vulnerability

No score
Tags
#where
#test
#source
#print
#kernel
#drive
#commit
#add
#linux
#application
#vulnerability
#fix
#bug
Description
In the Linux kernel, the following vulnerability has been resolved:

RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction

The commit 59c68ac31e15 ("iw_cm: free resources on last deref") simplified cm_id resource management by freeing the cm_id once all references to it were removed. The references are removed either upon completion of the iw_cm event handlers or when the application destroys the cm_id. This introduced a condition where the cm_id_private object could still be in use by event handler works during the destruction of the cm_id. The commit aee2424246f9 ("RDMA/iwcm: Fix a use-after-free related to destroying CM IDs") addressed this use-after-free by flushing all pending works at destruction. However, another use-after-free possibility remained. It happens with the work objects allocated for each cm_id_priv within alloc_work_entries() during cm_id creation, and subsequently freed in dealloc_work_entries() once the last reference to the cm_id is removed. If the cm_id's last reference is decremented in the event handler work, the work object for the work itself gets removed, which causes the use-after-free BUG below:

BUG: KASAN: slab-use-after-free in __pwq_activate_work+0x1ff/0x250
Read of size 8 at addr ffff88811f9cf800 by task kworker/u16:1/147091
CPU: 2 UID: 0 PID: 147091 Comm: kworker/u16:1 Not tainted 6.15.0-rc2+ #27 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014
Workqueue: 0x0 (iw_cm_wq)
Call Trace:
 dump_stack_lvl+0x6a/0x90
 print_report+0x174/0x554
 ? __virt_addr_valid+0x208/0x430
 kasan_report+0xae/0x170
 pwq_dec_nr_in_flight+0x8c5/0xfb0
 process_one_work+0xc11/0x1460
 __pfx_process_one_work+0x10/0x10
 assign_work+0x16c/0x240
 worker_thread+0x5ef/0xfd0
 __pfx_worker_thread+0x10/0x10
 kthread+0x3b0/0x770
 __pfx_kthread+0x10/0x10
 rcu_is_watching+0x11/0xb0
 _raw_spin_unlock_irq+0x24/0x50
 ret_from_fork+0x30/0x70
 ret_from_fork_asm+0x1a/0x30

Allocated by task 147416:
 kasan_save_stack+0x2c/0x50
 kasan_save_track+0x10/0x30
 __kasan_kmalloc+0xa6/0xb0
 alloc_work_entries+0xa9/0x260 [iw_cm]
 iw_cm_connect+0x23/0x4a0
 rdma_connect_locked+0xbfd/0x1920 [rdma_cm]
 nvme_rdma_cm_handler+0x8e5/0x1b60 [nvme_rdma]
 cma_cm_event_handler+0xae/0x320
 cma_work_handler+0x106/0x1b0
 process_one_work+0x84f/0x1460
 ret_from_fork_asm+0x1a/0x30

Freed by task 147091:
 kasan_save_free_info+0x37/0x60
 __kasan_slab_free+0x4b/0x70
 kfree+0x13a/0x4b0
 dealloc_work_entries+0x125/0x1f0
 iwcm_deref_id+0x6f/0xa0
 cm_work_handler+0x136/0x1ba0

Last potentially related work creation:
 kasan_record_aux_stack+0xa3/0xb0
 __queue_work+0x2ff/0x1390
 queue_work_on+0x67/0xc0
 cm_event_handler+0x46a/0x820
 siw_cm_upcall+0x330/0x650 [siw]
 siw_cm_work_handler+0x6b9/0x2b20
 ret_from_fork_asm+0x1a/0x30

This is reproducible by repeating the blktests test case nvme/061 for the rdma transport and the siw driver. To avoid the use-after-free of cm_id_private objects, ensure that the work objects are freed not in the event handler works, but in the cm_id destruction context. For that purpose, mo ---truncated---
https://git.kernel.org/stable/c/23a707bbcbea468eedb398832eeb7e8e0ceafd21
https://git.kernel.org/stable/c/3b4a50d733acad6831f6bd9288a76a80f70650ac
https://git.kernel.org/stable/c/6883b680e703c6b2efddb4e7a8d891ce1803d06b
https://git.kernel.org/stable/c/764c9f69beabef8bdc651a7746c59f7a340d104f
https://git.kernel.org/stable/c/78381dc8a6b61c9bb9987d37b4d671b99767c4a1
https://git.kernel.org/stable/c/fd960b5ddf4faf00da43babdd3acda68842e1f6a
Reference

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-38211
Similar results
Matching at least 50% of the tags
05-07-2025
Linux : Fedora 41: FEDORA-2025-d3dee9f37d critical: yarnpkg pbkdf2 library fix Update bundled p...
04-07-2025 CVE-2025-38197
In the Linux kernel, the following vulnerability has been resolved: platform/x86: dell_rbu: Fi...
This project was co-financed by the National Council of Science and Technology (CONACYT) through PROINNOVA 2021/2023
Project carried out by