Acknowledged
Created: Jul 4, 2025
Updated: Jul 8, 2025
Found In Version: 10.22.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 22
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:

RDMA/mlx5: Fix error flow upon firmware failure for RQ destruction

Upon RQ destruction if the firmware command fails which is the
last resource to be destroyed some SW resources were already cleaned
regardless of the failure.

Now properly rollback the object to its original state upon such failure.

In order to avoid a use-after free in case someone tries to destroy the
object again, which results in the following kernel trace:
refcount_t: underflow; use-after-free.
WARNING: CPU: 0 PID: 37589 at lib/refcount.c:28 refcount_warn_saturate+0xf4/0x148
Modules linked in: rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) rfkill mlx5_core(OE) mlxdevm(OE) ib_uverbs(OE) ib_core(OE) psample mlxfw(OE) mlx_compat(OE) macsec tls pci_hyperv_intf sunrpc vfat fat virtio_net net_failover failover fuse loop nfnetlink vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vmw_vmci vsock xfs crct10dif_ce ghash_ce sha2_ce sha256_arm64 sha1_ce virtio_console virtio_gpu virtio_blk virtio_dma_buf virtio_mmio dm_mirror dm_region_hash dm_log dm_mod xpmem(OE)
CPU: 0 UID: 0 PID: 37589 Comm: python3 Kdump: loaded Tainted: G OE ------- --- 6.12.0-54.el10.aarch64 #1
Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : refcount_warn_saturate+0xf4/0x148
lr : refcount_warn_saturate+0xf4/0x148
sp : ffff80008b81b7e0
x29: ffff80008b81b7e0 x28: ffff000133d51600 x27: 0000000000000001
x26: 0000000000000000 x25: 00000000ffffffea x24: ffff00010ae80f00
x23: ffff00010ae80f80 x22: ffff0000c66e5d08 x21: 0000000000000000
x20: ffff0000c66e0000 x19: ffff00010ae80340 x18: 0000000000000006
x17: 0000000000000000 x16: 0000000000000020 x15: ffff80008b81b37f
x14: 0000000000000000 x13: 2e656572662d7265 x12: ffff80008283ef78
x11: ffff80008257efd0 x10: ffff80008283efd0 x9 : ffff80008021ed90
x8 : 0000000000000001 x7 : 00000000000bffe8 x6 : c0000000ffff7fff
x5 : ffff0001fb8e3408 x4 : 0000000000000000 x3 : ffff800179993000
x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000133d51600
Call trace:
 refcount_warn_saturate+0xf4/0x148
 mlx5_core_put_rsc+0x88/0xa0 [mlx5_ib]
 mlx5_core_destroy_rq_tracked+0x64/0x98 [mlx5_ib]
 mlx5_ib_destroy_wq+0x34/0x80 [mlx5_ib]
 ib_destroy_wq_user+0x30/0xc0 [ib_core]
 uverbs_free_wq+0x28/0x58 [ib_uverbs]
 destroy_hw_idr_uobject+0x34/0x78 [ib_uverbs]
 uverbs_destroy_uobject+0x48/0x240 [ib_uverbs]
 __uverbs_cleanup_ufile+0xd4/0x1a8 [ib_uverbs]
 uverbs_destroy_ufile_hw+0x48/0x120 [ib_uverbs]
 ib_uverbs_close+0x2c/0x100 [ib_uverbs]
 __fput+0xd8/0x2f0
 __fput_sync+0x50/0x70
 __arm64_sys_close+0x40/0x90
 invoke_syscall.constprop.0+0x74/0xd0
 do_el0_svc+0x48/0xe8
 el0_svc+0x44/0x1d0
 el0t_64_sync_handler+0x120/0x130
 el0t_64_sync+0x1a4/0x1a8
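The error flow described above, as an added user-space model that is not the mlx5 driver's code: a destroy path that releases software state before a firmware command that can fail, with and without rollback, followed by a second destroy. All names (`rq_model`, `sw_release`, `destroy_rq`, `retry_underflows`) and the flag that simulates the firmware failure are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
/* User-space model only: every name here is hypothetical, not mlx5 code. */
struct rq_model {
    int  refcount;  /* reference held by the SW tracking table */
    bool tracked;   /* object is present in the SW table */
};
static bool fw_should_fail;  /* simulates the firmware command failing */
static int  underflows;      /* where the kernel would warn about refcount_t */

static void sw_release(struct rq_model *rq)
{
    rq->tracked = false;
    if (rq->refcount == 0)
        underflows++;        /* put on an object that was already released */
    else
        rq->refcount--;
}

/* rollback=false: SW state is cleaned regardless of the firmware result.
 * rollback=true:  a firmware failure restores the object's original state. */
static int destroy_rq(struct rq_model *rq, bool rollback)
{
    int err;
    sw_release(rq);
    err = fw_should_fail ? -5 : 0;  /* stand-in for the firmware command */
    if (err && rollback) {
        rq->tracked = true;
        rq->refcount++;
    }
    return err;
}

/* First destroy fails in firmware, then the caller destroys again. */
static int retry_underflows(bool rollback)
{
    struct rq_model rq = { 1, true };
    underflows = 0;
    fw_should_fail = true;
    destroy_rq(&rq, rollback);
    fw_should_fail = false;
    destroy_rq(&rq, rollback);
    return underflows;
}

int main(void)
{
    printf("no rollback: %d underflow(s)\n", retry_underflows(false));
    printf("rollback:    %d underflow(s)\n", retry_underflows(true));
    return 0;
}
```

Without rollback the second destroy drops a reference that is already gone, which is the condition the kernel reports as `refcount_t: underflow; use-after-free.` in the trace above.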
CREATE(Triage):(User=lchen-cn) [CVE-2025-38161 (https://nvd.nist.gov/vuln/detail/CVE-2025-38161)]