{"id":71999,"date":"2025-10-20T19:45:37","date_gmt":"2025-10-20T16:15:37","guid":{"rendered":"https:\/\/afaghhosting.net\/blog\/cve-2025-40012-net-smc-fix-warning-in-smc_rx_splice-when-calling-get_page\/"},"modified":"2025-10-20T19:45:37","modified_gmt":"2025-10-20T16:15:37","slug":"cve-2025-40012-net-smc-fix-warning-in-smc_rx_splice-when-calling-get_page","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/cve-2025-40012-net-smc-fix-warning-in-smc_rx_splice-when-calling-get_page\/","title":{"rendered":"CVE-2025-40012 &#8211; net\/smc: fix warning in smc_rx_splice() when calling get_page()"},"content":{"rendered":"<p>CVE ID : CVE-2025-40012<\/p>\n<p>Published :  Oct. 20, 2025, 4:15 p.m. | 26\u00a0minutes ago<\/p>\n<p>Description : In the Linux kernel, the following vulnerability has been resolved:<\/p>\n<p>net\/smc: fix warning in smc_rx_splice() when calling get_page()<\/p>\n<p>smc_lo_register_dmb() allocates DMB buffers with kzalloc(), which are<br \/>\nlater passed to get_page() in smc_rx_splice(). Since kmalloc memory is<br \/>\nnot page-backed, this triggers WARN_ON_ONCE() in get_page() and prevents<br \/>\nholding a refcount on the buffer. 
This can lead to use-after-free if<br \/>\nthe memory is released before splice_to_pipe() completes.<\/p>\n<p>Use folio_alloc() instead, ensuring DMBs are page-backed and safe for<br \/>\nget_page().<\/p>\n<p>WARNING: CPU: 18 PID: 12152 at .\/include\/linux\/mm.h:1330 smc_rx_splice+0xaf8\/0xe20 [smc]\nCPU: 18 UID: 0 PID: 12152 Comm: smcapp Kdump: loaded Not tainted 6.17.0-rc3-11705-g9cf4672ecfee #10 NONE<br \/>\nHardware name: IBM 3931 A01 704 (z\/VM 7.4.0)<br \/>\nKrnl PSW : 0704e00180000000 000793161032696c (smc_rx_splice+0xafc\/0xe20 [smc])<br \/>\n           R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3<br \/>\nKrnl GPRS: 0000000000000000 001cee80007d3001 00077400000000f8 0000000000000005<br \/>\n           0000000000000001 001cee80007d3006 0007740000001000 001c000000000000<br \/>\n           000000009b0c99e0 0000000000001000 001c0000000000f8 001c000000000000<br \/>\n           000003ffcc6f7c88 0007740003e98000 0007931600000005 000792969b2ff7b8<br \/>\nKrnl Code: 0007931610326960: af000000\t\tmc\t0,0<br \/>\n           0007931610326964: a7f4ff43\t\tbrc\t15,00079316103267ea<br \/>\n          #0007931610326968: af000000\t\tmc\t0,0<br \/>\n          &gt;000793161032696c: a7f4ff3f\t\tbrc\t15,00079316103267ea<br \/>\n           0007931610326970: e320f1000004\tlg\t%r2,256(%r15)<br \/>\n           0007931610326976: c0e53fd1b5f5\tbrasl\t%r14,000793168fd5d560<br \/>\n           000793161032697c: a7f4fbb5\t\tbrc\t15,00079316103260e6<br \/>\n           0007931610326980: b904002b\t\tlgr\t%r2,%r11<br \/>\nCall Trace:<br \/>\n smc_rx_splice+0xafc\/0xe20 [smc]\n smc_rx_splice+0x756\/0xe20 [smc])<br \/>\n smc_rx_recvmsg+0xa74\/0xe00 [smc]\n smc_splice_read+0x1ce\/0x3b0 [smc]\n sock_splice_read+0xa2\/0xf0<br \/>\n do_splice_read+0x198\/0x240<br \/>\n splice_file_to_pipe+0x7e\/0x110<br \/>\n do_splice+0x59e\/0xde0<br \/>\n __do_splice+0x11a\/0x2d0<br \/>\n __s390x_sys_splice+0x140\/0x1f0<br \/>\n __do_syscall+0x122\/0x280<br \/>\n system_call+0x6e\/0x90<br 
\/>\nLast Breaking-Event-Address:<br \/>\nsmc_rx_splice+0x960\/0xe20 [smc]\n&#8212;[ end trace 0000000000000000 ]&#8212;<\/p>\n<p>Severity: 0.0 | NA<\/p>\n","protected":false},"excerpt":{"rendered":"<p>CVE ID : CVE-2025-40012 Published : Oct. 20, 2025, 4:15 p.m. | 26\u00a0minutes ago Description : In the Linux kernel, the following vulnerability has been resolved: net\/smc: fix warning in smc_rx_splice() when calling get_page() smc_lo_register_dmb() allocates DMB buffers with kzalloc(), which are later passed to get_page() in smc_rx_splice(). Since kmalloc memory is not page-backed, this &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-71999","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/71999","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=71999"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/71999\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=71999"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=71999"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tag
s?post=71999"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}