| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025121633-CVE-2025-68209-2e49@gregkh> Date: Tue, 16 Dec 2025 14:54:38 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-68209: mlx5: Fix default values in create CQ From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: mlx5: Fix default values in create CQ Currently, CQs without a completion function are assigned the mlx5_add_cq_to_tasklet function by default. This is problematic since only user CQs created through the mlx5_ib driver are intended to use this function. Additionally, all CQs that will use doorbells instead of polling for completions must call mlx5_cq_arm. However, the default CQ creation flow leaves a valid value in the CQ's arm_db field, allowing FW to send interrupts to polling-only CQs in certain corner cases. These two factors would allow a polling-only kernel CQ to be triggered by an EQ interrupt and call a completion function intended only for user CQs, causing a null pointer exception. Some areas in the driver have prevented this issue with one-off fixes but did not address the root cause. This patch fixes the described issue by adding defaults to the create CQ flow. It adds a default dummy completion function to protect against null pointer exceptions, and it sets an invalid command sequence number by default in kernel CQs to prevent the FW from sending an interrupt to the CQ until it is armed. User CQs are responsible for their own initialization values. Callers of mlx5_core_create_cq are responsible for changing the completion function and arming the CQ per their needs. The Linux kernel CVE team has assigned CVE-2025-68209 to this issue. Affected and fixed versions =========================== Issue introduced in 6.0 with commit cdd04f4d4d71cbf93d0d9abe63bc838f47c467fa and fixed in 6.17.9 with commit 08469f5393a1a39f26a6e2eb2e8c33187665c1f4 Issue introduced in 6.0 with commit cdd04f4d4d71cbf93d0d9abe63bc838f47c467fa and fixed in 6.18 with commit e5eba42f01340f73888dfe560be2806057c25913 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-68209 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/infiniband/hw/mlx5/cq.c drivers/net/ethernet/mellanox/mlx5/core/cq.c drivers/net/ethernet/mellanox/mlx5/core/en_main.c drivers/net/ethernet/mellanox/mlx5/core/fpga/conn.c drivers/net/ethernet/mellanox/mlx5/core/steering/hws/send.c drivers/net/ethernet/mellanox/mlx5/core/steering/sws/dr_send.c drivers/vdpa/mlx5/net/mlx5_vnet.c include/linux/mlx5/cq.h Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/08469f5393a1a39f26a6e2eb2e8c33187665c1f4 https://git.kernel.org/stable/c/e5eba42f01340f73888dfe560be2806057c25913
Powered by blists - more mailing lists