THREATINT
PUBLISHED

CVE-2025-38440

net/mlx5e: Fix race between DIM disable and net_dim()



Description

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: Fix race between DIM disable and net_dim()

There's a race between disabling DIM and NAPI callbacks using the dim pointer on the RQ or SQ.

If NAPI checks the DIM state bit and sees it still set, it assumes `rq->dim` or `sq->dim` is valid. But if DIM gets disabled right after that check, the pointer might already be set to NULL, leading to a NULL pointer dereference in net_dim().

Fix this by calling `synchronize_net()` before freeing the DIM context. This ensures all in-progress NAPI callbacks are finished before the pointer is cleared.

Kernel log:

```
BUG: kernel NULL pointer dereference, address: 0000000000000000
...
RIP: 0010:net_dim+0x23/0x190
...
Call Trace:
 <TASK>
 ? __die+0x20/0x60
 ? page_fault_oops+0x150/0x3e0
 ? common_interrupt+0xf/0xa0
 ? sysvec_call_function_single+0xb/0x90
 ? exc_page_fault+0x74/0x130
 ? asm_exc_page_fault+0x22/0x30
 ? net_dim+0x23/0x190
 ? mlx5e_poll_ico_cq+0x41/0x6f0 [mlx5_core]
 ? sysvec_apic_timer_interrupt+0xb/0x90
 mlx5e_handle_rx_dim+0x92/0xd0 [mlx5_core]
 mlx5e_napi_poll+0x2cd/0xac0 [mlx5_core]
 ? mlx5e_poll_ico_cq+0xe5/0x6f0 [mlx5_core]
 busy_poll_stop+0xa2/0x200
 ? mlx5e_napi_poll+0x1d9/0xac0 [mlx5_core]
 ? mlx5e_trigger_irq+0x130/0x130 [mlx5_core]
 __napi_busy_loop+0x345/0x3b0
 ? sysvec_call_function_single+0xb/0x90
 ? asm_sysvec_call_function_single+0x16/0x20
 ? sysvec_apic_timer_interrupt+0xb/0x90
 ? pcpu_free_area+0x1e4/0x2e0
 napi_busy_loop+0x11/0x20
 xsk_recvmsg+0x10c/0x130
 sock_recvmsg+0x44/0x70
 __sys_recvfrom+0xbc/0x130
 ? __schedule+0x398/0x890
 __x64_sys_recvfrom+0x20/0x30
 do_syscall_64+0x4c/0x100
 entry_SYSCALL_64_after_hwframe+0x4b/0x53
...
---[ end trace 0000000000000000 ]---
...
---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---
```
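For triaging crash logs from hosts with mlx5 NICs, the following added example (not part of the CVE record or the kernel patch) checks an oops for the signature in the log above: a NULL dereference with RIP in `net_dim`, reached through a reliable (non-`?`) mlx5e DIM handler frame. The names `triage` and `DIM_CALLERS`, the `mlx5e_handle_tx_dim` entry (not in the page's trace, assumed for the SQ path), and both sample logs are assumptions made for illustration.

```python
import re

# Signature taken from the kernel log quoted in the description above.
NULL_DEREF = re.compile(r"BUG: kernel NULL pointer dereference")
RIP = re.compile(r"RIP:\s*[0-9a-f]{4}:(\w+)\+0x")
# One call-trace entry: optional "? " (unreliable frame), symbol+off/len, optional [module].
FRAME = re.compile(r"(\?\s+)?\b([A-Za-z_]\w*)\+0x[0-9a-f]+/0x[0-9a-f]+(?:\s+\[(\w+)\])?")
# The rx handler is in the page's trace; the tx name is an assumption for the SQ path.
DIM_CALLERS = {"mlx5e_handle_rx_dim", "mlx5e_handle_tx_dim"}


def triage(log: str):
    """Return the mlx5e DIM caller if the oops matches the CVE-2025-38440 signature, else None."""
    rip = RIP.search(log)
    if not NULL_DEREF.search(log) or not rip or rip.group(1) != "net_dim":
        return None
    in_trace = False
    for line in log.splitlines():
        if "Call Trace:" in line:
            in_trace = True
            continue
        if "end trace" in line:
            break
        m = FRAME.search(line) if in_trace else None
        if not m:
            continue
        unreliable, symbol, module = m.groups()
        # "?" entries are leftover stack addresses, not proven callers: skip them.
        if not unreliable and symbol in DIM_CALLERS and module == "mlx5_core":
            return symbol
    return None


# Constructed sample: the page's oops, abridged, with dmesg-style timestamps added.
SAMPLE_HIT = """\
[  812.104] BUG: kernel NULL pointer dereference, address: 0000000000000000
[  812.105] RIP: 0010:net_dim+0x23/0x190
[  812.106] Call Trace:
[  812.106]  <TASK>
[  812.106]  ? net_dim+0x23/0x190
[  812.106]  ? mlx5e_poll_ico_cq+0x41/0x6f0 [mlx5_core]
[  812.106]  mlx5e_handle_rx_dim+0x92/0xd0 [mlx5_core]
[  812.106]  mlx5e_napi_poll+0x2cd/0xac0 [mlx5_core]
[  812.107] ---[ end trace 0000000000000000 ]---
"""
# Constructed sample: same crash site reached from a hypothetical other driver.
SAMPLE_MISS = SAMPLE_HIT.replace("mlx5e_handle_rx_dim", "examplenic_rx_dim").replace("mlx5_core", "examplenic")
```

A match only says the crash has the same shape as the one in this record; confirm against the running kernel version and the fix commits listed under Product status.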

Reserved 2025-04-16 | Published 2025-07-25 | Updated 2025-07-25 | Assigner Linux

Product status

Default status: unaffected

445a25f6e1a2f6a132b06af6ede4f3c9b5f9af68 before 7581afc051542e11ccf3ade68acd01b7fb1a3cde: affected
445a25f6e1a2f6a132b06af6ede4f3c9b5f9af68 before 2bc6fb90486e42dd80e660ef7a40c02b2516c6d6: affected
445a25f6e1a2f6a132b06af6ede4f3c9b5f9af68 before eb41a264a3a576dc040ee37c3d9d6b7e2d9be968: affected

Default status: affected

6.10: affected
Any version before 6.10: unaffected
6.12.39: unaffected
6.15.7: unaffected
6.16-rc6: unaffected

References

git.kernel.org/...c/7581afc051542e11ccf3ade68acd01b7fb1a3cde

git.kernel.org/...c/2bc6fb90486e42dd80e660ef7a40c02b2516c6d6

git.kernel.org/...c/eb41a264a3a576dc040ee37c3d9d6b7e2d9be968

cve.org (CVE-2025-38440)

nvd.nist.gov (CVE-2025-38440)
