CVE-2025-39947

Summary

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: Harden uplink netdev access against device unbind

The function mlx5_uplink_netdev_get() gets the uplink netdevice pointer from mdev->mlx5e_res.uplink_netdev. However, the netdevice can be removed and its pointer cleared when unbound from the mlx5_core.eth driver. This results in a NULL pointer, causing a kernel panic.

BUG: unable to handle page fault for address: 0000000000001300 at RIP: 0010:mlx5e_vport_rep_load+0x22a/0x270 [mlx5_core] Call Trace: <TASK> mlx5_esw_offloads_rep_load+0x68/0xe0 [mlx5_core] esw_offloads_enable+0x593/0x910 [mlx5_core] mlx5_eswitch_enable_locked+0x341/0x420 [mlx5_core] mlx5_devlink_eswitch_mode_set+0x17e/0x3a0 [mlx5_core] devlink_nl_eswitch_set_doit+0x60/0xd0 genl_family_rcv_msg_doit+0xe0/0x130 genl_rcv_msg+0x183/0x290 netlink_rcv_skb+0x4b/0xf0 genl_rcv+0x24/0x40 netlink_unicast+0x255/0x380 netlink_sendmsg+0x1f3/0x420 __sock_sendmsg+0x38/0x60 __sys_sendto+0x119/0x180 do_syscall_64+0x53/0x1d0 entry_SYSCALL_64_after_hwframe+0x4b/0x53

Ensure the pointer is valid before use by checking it for NULL. If it is valid, immediately call netdev_hold() to take a reference, and preventing the netdevice from being freed while it is in use.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux7a9fb35e8c3a67145fca262c304de65cb2f83abf < 2cb17c88edd3a1c7aa6bc880dcdb35a6866fcb2eaffected
LinuxLinux7a9fb35e8c3a67145fca262c304de65cb2f83abf < d1f3db4e7a3be29fc17f01850f162363f919370daffected
LinuxLinux7a9fb35e8c3a67145fca262c304de65cb2f83abf < 8df354eb2dd63d111ed5ae2e956e0dbb22bcf93baffected
LinuxLinux7a9fb35e8c3a67145fca262c304de65cb2f83abf < 6b4be64fd9fec16418f365c2d8e47a7566e9eba5affected
LinuxLinux5.13affected
LinuxLinux0 < 5.13unaffected
LinuxLinux6.6.108 <= 6.6.*unaffected
LinuxLinux6.12.49 <= 6.12.*unaffected
LinuxLinux6.16.9 <= 6.16.*unaffected
LinuxLinux6.17 <= *unaffected

Weaknesses

References