FKIE_CVE-2025-68790

Vulnerability from fkie_nvd - Published: 2026-01-13 16:16 - Updated: 2026-04-15 00:35
Severity
Summary
In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix double unregister of HCA_PORTS component Clear hca_devcom_comp in device's private data after unregistering it in LAG teardown. Otherwise a slightly lagging second pass through mlx5_unload_one() might try to unregister it again and trip over use-after-free. On s390 almost all PCI level recovery events trigger two passes through mxl5_unload_one() - one through the poll_health() method and one through mlx5_pci_err_detected() as callback from generic PCI error recovery. While testing PCI error recovery paths with more kernel debug features enabled, this issue reproducibly led to kernel panics with the following call chain: Unable to handle kernel pointer dereference in virtual kernel address space Failing address: 6b6b6b6b6b6b6000 TEID: 6b6b6b6b6b6b6803 ESOP-2 FSI Fault in home space mode while using kernel ASCE. AS:00000000705c4007 R3:0000000000000024 Oops: 0038 ilc:3 [#1]SMP CPU: 14 UID: 0 PID: 156 Comm: kmcheck Kdump: loaded Not tainted 6.18.0-20251130.rc7.git0.16131a59cab1.300.fc43.s390x+debug #1 PREEMPT Krnl PSW : 0404e00180000000 0000020fc86aa1dc (__lock_acquire+0x5c/0x15f0) R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3 Krnl GPRS: 0000000000000000 0000020f00000001 6b6b6b6b6b6b6c33 0000000000000000 0000000000000000 0000000000000000 0000000000000001 0000000000000000 0000000000000000 0000020fca28b820 0000000000000000 0000010a1ced8100 0000010a1ced8100 0000020fc9775068 0000018fce14f8b8 0000018fce14f7f8 Krnl Code: 0000020fc86aa1cc: e3b003400004 lg %r11,832 0000020fc86aa1d2: a7840211 brc 8,0000020fc86aa5f4 *0000020fc86aa1d6: c09000df0b25 larl %r9,0000020fca28b820 >0000020fc86aa1dc: d50790002000 clc 0(8,%r9),0(%r2) 0000020fc86aa1e2: a7840209 brc 8,0000020fc86aa5f4 0000020fc86aa1e6: c0e001100401 larl %r14,0000020fca8aa9e8 0000020fc86aa1ec: c01000e25a00 larl %r1,0000020fca2f55ec 0000020fc86aa1f2: a7eb00e8 aghi %r14,232 Call Trace: __lock_acquire+0x5c/0x15f0 lock_acquire.part.0+0xf8/0x270 lock_acquire+0xb0/0x1b0 down_write+0x5a/0x250 mlx5_detach_device+0x42/0x110 [mlx5_core] mlx5_unload_one_devl_locked+0x50/0xc0 [mlx5_core] mlx5_unload_one+0x42/0x60 [mlx5_core] mlx5_pci_err_detected+0x94/0x150 [mlx5_core] zpci_event_attempt_error_recovery+0xcc/0x388
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/6a107cfe9c99a079e578a4c5eb70038101a3599f
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/d2495f529d60e8e8c43e6ad524089c38b8be7bc4
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Fix double unregister of HCA_PORTS component\n\nClear hca_devcom_comp in device\u0027s private data after unregistering it in\nLAG teardown. Otherwise a slightly lagging second pass through\nmlx5_unload_one() might try to unregister it again and trip over\nuse-after-free.\n\nOn s390 almost all PCI level recovery events trigger two passes through\nmxl5_unload_one() - one through the poll_health() method and one through\nmlx5_pci_err_detected() as callback from generic PCI error recovery.\nWhile testing PCI error recovery paths with more kernel debug features\nenabled, this issue reproducibly led to kernel panics with the following\ncall chain:\n\n Unable to handle kernel pointer dereference in virtual kernel address space\n Failing address: 6b6b6b6b6b6b6000 TEID: 6b6b6b6b6b6b6803 ESOP-2 FSI\n Fault in home space mode while using kernel ASCE.\n AS:00000000705c4007 R3:0000000000000024\n Oops: 0038 ilc:3 [#1]SMP\n\n CPU: 14 UID: 0 PID: 156 Comm: kmcheck Kdump: loaded Not tainted\n      6.18.0-20251130.rc7.git0.16131a59cab1.300.fc43.s390x+debug #1 PREEMPT\n\n Krnl PSW : 0404e00180000000 0000020fc86aa1dc (__lock_acquire+0x5c/0x15f0)\n            R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3\n Krnl GPRS: 0000000000000000 0000020f00000001 6b6b6b6b6b6b6c33 0000000000000000\n            0000000000000000 0000000000000000 0000000000000001 0000000000000000\n            0000000000000000 0000020fca28b820 0000000000000000 0000010a1ced8100\n            0000010a1ced8100 0000020fc9775068 0000018fce14f8b8 0000018fce14f7f8\n Krnl Code: 0000020fc86aa1cc: e3b003400004        lg      %r11,832\n            0000020fc86aa1d2: a7840211           brc     8,0000020fc86aa5f4\n           *0000020fc86aa1d6: c09000df0b25       larl    %r9,0000020fca28b820\n           \u003e0000020fc86aa1dc: d50790002000       clc     0(8,%r9),0(%r2)\n            0000020fc86aa1e2: a7840209           brc     8,0000020fc86aa5f4\n            0000020fc86aa1e6: c0e001100401       larl    %r14,0000020fca8aa9e8\n            0000020fc86aa1ec: c01000e25a00       larl    %r1,0000020fca2f55ec\n            0000020fc86aa1f2: a7eb00e8           aghi    %r14,232\n\n Call Trace:\n  __lock_acquire+0x5c/0x15f0\n  lock_acquire.part.0+0xf8/0x270\n  lock_acquire+0xb0/0x1b0\n  down_write+0x5a/0x250\n  mlx5_detach_device+0x42/0x110 [mlx5_core]\n  mlx5_unload_one_devl_locked+0x50/0xc0 [mlx5_core]\n  mlx5_unload_one+0x42/0x60 [mlx5_core]\n  mlx5_pci_err_detected+0x94/0x150 [mlx5_core]\n  zpci_event_attempt_error_recovery+0xcc/0x388"
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nnet/mlx5: Solucionar el doble desregistro del componente HCA_PORTS\n\nBorrar hca_devcom_comp en los datos privados del dispositivo despu\u00e9s de desregistrarlo en la desactivaci\u00f3n de LAG. De lo contrario, una segunda pasada ligeramente retrasada a trav\u00e9s de mlx5_unload_one() podr\u00eda intentar desregistrarlo de nuevo y tropezar con un uso despu\u00e9s de liberaci\u00f3n.\n\nEn s390, casi todos los eventos de recuperaci\u00f3n a nivel de PCI desencadenan dos pasadas a trav\u00e9s de mxl5_unload_one(): una a trav\u00e9s del m\u00e9todo poll_health() y otra a trav\u00e9s de mlx5_pci_err_detected() como devoluci\u00f3n de llamada de la recuperaci\u00f3n gen\u00e9rica de errores de PCI. Mientras se probaban las rutas de recuperaci\u00f3n de errores de PCI con m\u00e1s funciones de depuraci\u00f3n del kernel habilitadas, este problema condujo de forma reproducible a p\u00e1nicos del kernel con la siguiente cadena de llamadas:\n\nUnable to handle kernel pointer dereference in virtual kernel address space\nFailing address: 6b6b6b6b6b6b6000 TEID: 6b6b6b6b6b6b6803 ESOP-2 FSI\nFault in home space mode while using kernel ASCE.\nAS:00000000705c4007 R3:0000000000000024\nOops: 0038 ilc:3 [#1]SMP\n\nCPU: 14 UID: 0 PID: 156 Comm: kmcheck Kdump: loaded Not tainted\n     6.18.0-20251130.rc7.git0.16131a59cab1.300.fc43.s390x+debug #1 PREEMPT\n\nKrnl PSW : 0404e00180000000 0000020fc86aa1dc (__lock_acquire+0x5c/0x15f0)\n           R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3\nKrnl GPRS: 0000000000000000 0000020f00000001 6b6b6b6b6b6b6c33 0000000000000000\n           0000000000000000 0000000000000000 0000000000000001 0000000000000000\n           0000000000000000 0000020fca28b820 0000000000000000 0000010a1ced8100\n           0000010a1ced8100 0000020fc9775068 0000018fce14f8b8 0000018fce14f7f8\nKrnl Code: 0000020fc86aa1cc: e3b003400004        lg      %r11,832\n           0000020fc86aa1d2: a7840211           brc     8,0000020fc86aa5f4\n          *0000020fc86aa1d6: c09000df0b25       larl    %r9,0000020fca28b820\n          \u0026gt;0000020fc86aa1dc: d50790002000       clc     0(8,%r9),0(%r2)\n           0000020fc86aa1e2: a7840209           brc     8,0000020fc86aa5f4\n           0000020fc86aa1e6: c0e001100401       larl    %r14,0000020fca8aa9e8\n           0000020fc86aa1ec: c01000e25a00       larl    %r1,0000020fca2f55ec\n           0000020fc86aa1f2: a7eb00e8           aghi    %r14,232\n\nCall Trace:\n __lock_acquire+0x5c/0x15f0\n lock_acquire.part.0+0xf8/0x270\n lock_acquire+0xb0/0x1b0\n down_write+0x5a/0x250\n mlx5_detach_device+0x42/0x110 [mlx5_core]\n mlx5_unload_one_devl_locked+0x50/0xc0 [mlx5_core]\n mlx5_unload_one+0x42/0x60 [mlx5_core]\n mlx5_pci_err_detected+0x94/0x150 [mlx5_core]\n zpci_event_attempt_error_recovery+0xcc/0x388"
    }
  ],
  "id": "CVE-2025-68790",
  "lastModified": "2026-04-15T00:35:42.020",
  "metrics": {},
  "published": "2026-01-13T16:16:00.880",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/6a107cfe9c99a079e578a4c5eb70038101a3599f"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/d2495f529d60e8e8c43e6ad524089c38b8be7bc4"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Deferred"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.