Message-ID: <2025070323-CVE-2025-38109-f925@gregkh>
Date: Thu, 3 Jul 2025 10:35:26 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-38109: net/mlx5: Fix ECVF vports unload on shutdown flow
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5: Fix ECVF vports unload on shutdown flow
Fix shutdown flow UAF when a virtual function is created on the embedded
chip (ECVF) of a BlueField device. In such a case the vport acl ingress
table is not properly destroyed.
ECVF functionality is independent of ecpf_vport_exists capability and
thus functions mlx5_eswitch_(enable|disable)_pf_vf_vports() should not
test it when enabling/disabling ECVF vports.
kernel log:
[] refcount_t: underflow; use-after-free.
[] WARNING: CPU: 3 PID: 1 at lib/refcount.c:28 refcount_warn_saturate+0x124/0x220
----------------
[] Call trace:
[] refcount_warn_saturate+0x124/0x220
[] tree_put_node+0x164/0x1e0 [mlx5_core]
[] mlx5_destroy_flow_table+0x98/0x2c0 [mlx5_core]
[] esw_acl_ingress_table_destroy+0x28/0x40 [mlx5_core]
[] esw_acl_ingress_lgcy_cleanup+0x80/0xf4 [mlx5_core]
[] esw_legacy_vport_acl_cleanup+0x44/0x60 [mlx5_core]
[] esw_vport_cleanup+0x64/0x90 [mlx5_core]
[] mlx5_esw_vport_disable+0xc0/0x1d0 [mlx5_core]
[] mlx5_eswitch_unload_ec_vf_vports+0xcc/0x150 [mlx5_core]
[] mlx5_eswitch_disable_sriov+0x198/0x2a0 [mlx5_core]
[] mlx5_device_disable_sriov+0xb8/0x1e0 [mlx5_core]
[] mlx5_sriov_detach+0x40/0x50 [mlx5_core]
[] mlx5_unload+0x40/0xc4 [mlx5_core]
[] mlx5_unload_one_devl_locked+0x6c/0xe4 [mlx5_core]
[] mlx5_unload_one+0x3c/0x60 [mlx5_core]
[] shutdown+0x7c/0xa4 [mlx5_core]
[] pci_device_shutdown+0x3c/0xa0
[] device_shutdown+0x170/0x340
[] __do_sys_reboot+0x1f4/0x2a0
[] __arm64_sys_reboot+0x2c/0x40
[] invoke_syscall+0x78/0x100
[] el0_svc_common.constprop.0+0x54/0x184
[] do_el0_svc+0x30/0xac
[] el0_svc+0x48/0x160
[] el0t_64_sync_handler+0xa4/0x12c
[] el0t_64_sync+0x1a4/0x1a8
[] --[ end trace 9c4601d68c70030e ]---
The Linux kernel CVE team has assigned CVE-2025-38109 to this issue.
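The following is an added, self-contained C model of the bug class described above; it is not mlx5 driver code and does not reproduce the driver's actual control flow. It assumes, as a simplification, that the vport load path gates ECVF handling on an unrelated capability (ecpf_vport_exists) while the shutdown unload path does not, so teardown drops a reference on an ingress ACL table that was never set up. The refcount helper mirrors the kernel's refcount_t behaviour of flagging an underflow instead of wrapping, which is what produces the "refcount_t: underflow; use-after-free" warning in the trace. All names are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Minimal stand-in for refcount_t: a decrement at zero is an underflow.
 * Like refcount_warn_saturate(), flag it and never report "last reference
 * dropped", so the caller does not free an object it never owned. */
struct refcount {
    int count;
    bool underflowed;
};

static bool refcount_dec_and_test(struct refcount *r)
{
    if (r->count <= 0) {
        r->underflowed = true;
        return false;
    }
    return --r->count == 0;
}

/* One embedded-chip VF (ECVF) vport with its ingress ACL flow table.
 * The refcount is embedded in the vport, so the destroy path has no NULL
 * pointer to hint that the create path never ran (hypothetical layout). */
struct ec_vport {
    struct refcount ingress_acl_ref;
    bool acl_freed;
};

struct device {
    bool ec_sriov_enabled;   /* ECVFs exist on this device */
    bool ecpf_vport_exists;  /* separate capability, unrelated to ECVFs */
    struct ec_vport ecvf;
};

static void acl_ingress_create(struct ec_vport *v)
{
    v->ingress_acl_ref.count = 1;
}

static void acl_ingress_destroy(struct ec_vport *v)
{
    if (refcount_dec_and_test(&v->ingress_acl_ref))
        v->acl_freed = true;   /* stands in for freeing the table */
}

/* Buggy load path (assumed): ECVF setup additionally requires
 * ecpf_vport_exists, which the commit message says it must not test. */
static void enable_pf_vf_vports_buggy(struct device *d)
{
    if (d->ec_sriov_enabled && d->ecpf_vport_exists)
        acl_ingress_create(&d->ecvf);
}

/* Fixed load path: ECVF setup depends only on whether ECVFs exist. */
static void enable_pf_vf_vports_fixed(struct device *d)
{
    if (d->ec_sriov_enabled)
        acl_ingress_create(&d->ecvf);
}

/* Shutdown unload path (assumed): tears down every ECVF that exists and
 * never consults ecpf_vport_exists, so it disagrees with the buggy loader. */
static void unload_ec_vf_vports(struct device *d)
{
    if (d->ec_sriov_enabled)
        acl_ingress_destroy(&d->ecvf);
}

/* Run load -> shutdown for a BlueField-like configuration (constructed):
 * ECVFs exist but the ecpf_vport_exists capability is not set. The returned
 * device state shows whether the refcount underflowed or the table was freed
 * exactly once. */
static struct device run_enable_then_shutdown(bool use_fixed_enable)
{
    struct device d;
    memset(&d, 0, sizeof d);
    d.ec_sriov_enabled = true;
    d.ecpf_vport_exists = false;

    if (use_fixed_enable)
        enable_pf_vf_vports_fixed(&d);
    else
        enable_pf_vf_vports_buggy(&d);

    unload_ec_vf_vports(&d);
    return d;
}

int main(void)
{
    struct device buggy = run_enable_then_shutdown(false);
    struct device fixed = run_enable_then_shutdown(true);
    printf("buggy: underflow=%d freed=%d\n",
           buggy.ecvf.ingress_acl_ref.underflowed, buggy.ecvf.acl_freed);
    printf("fixed: underflow=%d freed=%d\n",
           fixed.ecvf.ingress_acl_ref.underflowed, fixed.ecvf.acl_freed);
    return 0;
}
```

The general check the model illustrates: whichever predicate decides that a per-vport resource is created on load must be the same predicate that decides it is destroyed on unload, and an embedded refcount gives no second line of defence when the two drift apart.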
Affected and fixed versions
===========================
Issue introduced in 6.5 with commit a7719b29a82199b90ebbf355d3332e0fbfbf6045 and fixed in 6.6.94 with commit 5953ae44dfe5dbad374318875be834c3b7b71ee6
Issue introduced in 6.5 with commit a7719b29a82199b90ebbf355d3332e0fbfbf6045 and fixed in 6.12.34 with commit da15ca0553325acf68039015f2f4db750c8e2b96
Issue introduced in 6.5 with commit a7719b29a82199b90ebbf355d3332e0fbfbf6045 and fixed in 6.15.3 with commit 24db585d369f949f698e03d7d8017e5ae19d0497
Issue introduced in 6.5 with commit a7719b29a82199b90ebbf355d3332e0fbfbf6045 and fixed in 6.16-rc2 with commit 687560d8a9a2d654829ad0da1ec24242f1de711d
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2025-38109
will be updated if fixes are backported; please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If, however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/5953ae44dfe5dbad374318875be834c3b7b71ee6
https://git.kernel.org/stable/c/da15ca0553325acf68039015f2f4db750c8e2b96
https://git.kernel.org/stable/c/24db585d369f949f698e03d7d8017e5ae19d0497
https://git.kernel.org/stable/c/687560d8a9a2d654829ad0da1ec24242f1de711d