Wind River Support Network

Acknowledged

LIN1024-11159 : Security Advisory - linux - CVE-2025-39726

Created: Sep 7, 2025    Updated: Sep 9, 2025
Found In Version: 10.24.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 24
Component/s: Kernel

Description

In the Linux kernel, the following vulnerability has been resolved:

s390/ism: fix concurrency management in ism_cmd()

The s390x ISM device data sheet clearly states that only one request-response sequence is allowable per ISM function at any point in time. Unfortunately as of today the s390/ism driver in Linux does not honor that requirement. This patch aims to rectify that.

This problem was discovered based on Aliaksei's bug report which states that for certain workloads the ISM functions end up entering error state (with PEC 2 as seen from the logs) after a while and as a consequence connections handled by the respective function break, and for future connection requests the ISM device is not considered -- given it is in a dysfunctional state. During further debugging PEC 3A was observed as well.

A kernel message like
[ 1211.244319] zpci: 061a:00:00.0: Event 0x2 reports an error for PCI function 0x61a
is a reliable indicator of the stated function entering error state with PEC 2. Let me also point out that a kernel message like
[ 1211.244325] zpci: 061a:00:00.0: The ism driver bound to the device does not support error recovery
is a reliable indicator that the ISM function won't be auto-recovered because the ISM driver currently lacks support for it.

On a technical level, without this synchronization, commands (inputs to the FW) may be partially or fully overwritten (corrupted) by another CPU trying to issue commands on the same function. There is hard evidence that this can lead to DMB token values being used as DMB IOVAs, leading to PEC 2 PCI events indicating invalid DMA. But this is only one of the failure modes imaginable. In theory even completely losing one command and executing another one twice and then trying to interpret the outputs as if the command we intended to execute was actually executed and not the other one is also possible. Frankly, I don't feel confident about providing an exhaustive list of possible consequences.
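
A log check built on the two kernel messages quoted above, added here as an example (it is not part of the advisory or of the kernel patch): it scans kernel log lines for zPCI error events and marks a function as not auto-recoverable when the ism driver's no-error-recovery message follows for the same device. The function name `find_ism_error_states`, the device `0700:00:00.0` and the last two sample lines are constructed for illustration.

```python
import re

# Message formats follow the two kernel log lines quoted in the advisory.
DEV = r"zpci: (?P<dev>[0-9a-f]{4}:[0-9a-f]{2}:[0-9a-f]{2}\.[0-7]): "
EVENT_RE = re.compile(
    DEV + r"Event (?P<pec>0x[0-9a-f]+) reports an error "
    r"for PCI function (?P<fid>0x[0-9a-f]+)")
NO_RECOVERY_RE = re.compile(
    DEV + r"The (?P<drv>\S+) driver bound to the device "
    r"does not support error recovery")
TS_RE = re.compile(r"^\[\s*(\d+\.\d+)\]")

# First two lines are from the advisory; the last two are constructed.
SAMPLE_LOG = [
    "[ 1211.244319] zpci: 061a:00:00.0: Event 0x2 reports an error for PCI function 0x61a",
    "[ 1211.244325] zpci: 061a:00:00.0: The ism driver bound to the device does not support error recovery",
    "[ 1300.000001] zpci: 0700:00:00.0: Event 0x3a reports an error for PCI function 0x700",
    "[ 1300.500000] smc: constructed unrelated message",
]


def find_ism_error_states(lines):
    """Return one finding per zPCI device that logged an error event.

    'stuck' is True when the same device later logged that the bound ism
    driver does not support error recovery (no auto-recovery expected).
    """
    findings = {}
    for line in lines:
        ts = TS_RE.match(line)
        ev = EVENT_RE.search(line)
        if ev:
            f = findings.setdefault(ev["dev"], {
                "device": ev["dev"], "fid": ev["fid"], "pecs": [],
                "first_seen": float(ts.group(1)) if ts else None,
                "stuck": False})
            f["pecs"].append(int(ev["pec"], 16))  # PEC as logged, e.g. 0x2
            continue
        nr = NO_RECOVERY_RE.search(line)
        if nr and nr["drv"] == "ism" and nr["dev"] in findings:
            findings[nr["dev"]]["stuck"] = True
    return list(findings.values())


if __name__ == "__main__":
    for f in find_ism_error_states(SAMPLE_LOG):
        state = "no auto-recovery" if f["stuck"] else "error event only"
        print(f["device"], f["fid"], [hex(p) for p in f["pecs"]], state)
```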

CREATE(Triage):(User=admin) CVE-2025-39726 (https://nvd.nist.gov/vuln/detail/CVE-2025-39726)