CVE-2025-40250
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-40250
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-40250.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-40250
- Downstream
- Published
- 2025-12-04T16:08:12.984Z
- Modified
- 2025-12-05T12:35:02.760034Z
- Summary
- net/mlx5: Clean up only new IRQ glue on request_irq() failure
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5: Clean up only new IRQ glue on request_irq() failure
The mlx5irqalloc() function can inadvertently free the entire rmap and end up in a crash[1] when the other threads tries to access this, when request_irq() fails due to exhausted IRQ vectors. This commit modifies the cleanup to remove only the specific IRQ mapping that was just added.
This prevents removal of other valid mappings and ensures precise cleanup of the failed IRQ allocation's associated glue object.
Note: This error is observed when both fwctl and rds configs are enabled.
[1] mlx5core 0000:05:00.0: Successfully registered panic handler for port 1 mlx5core 0000:05:00.0: mlx5irqalloc:293:(pid 66740): Failed to request irq. err = -28 infiniband mlx50: mlx5ibtestwc:290:(pid 66740): Error -28 while trying to test write-combining support mlx5core 0000:05:00.0: Successfully unregistered panic handler for port 1 mlx5core 0000:06:00.0: Successfully registered panic handler for port 1 mlx5core 0000:06:00.0: mlx5irqalloc:293:(pid 66740): Failed to request irq. err = -28 infiniband mlx50: mlx5ibtestwc:290:(pid 66740): Error -28 while trying to test write-combining support mlx5core 0000:06:00.0: Successfully unregistered panic handler for port 1 mlx5core 0000:03:00.0: mlx5irqalloc:293:(pid 28895): Failed to request irq. err = -28 mlx5core 0000:05:00.0: mlx5irqalloc:293:(pid 28895): Failed to request irq. err = -28 general protection fault, probably for non-canonical address 0xe277a58fde16f291: 0000 [#1] SMP NOPTI
RIP: 0010:freeirqcpurmap+0x23/0x7d Call Trace: <TASK> ? showtraceloglvl+0x1d6/0x2f9 ? showtraceloglvl+0x1d6/0x2f9 ? mlx5irqalloc.cold+0x5d/0xf3 [mlx5core] ? diebody.cold+0x8/0xa ? dieaddr+0x39/0x53 ? excgeneralprotection+0x1c4/0x3e9 ? devvprintkemit+0x5f/0x90 ? asmexcgeneralprotection+0x22/0x27 ? freeirqcpurmap+0x23/0x7d mlx5irqalloc.cold+0x5d/0xf3 [mlx5core] irqpoolrequestvector+0x7d/0x90 [mlx5core] mlx5irqrequest+0x2e/0xe0 [mlx5core] mlx5irqrequestvector+0xad/0xf7 [mlx5core] compirqrequestpci+0x64/0xf0 [mlx5core] createcompeq+0x71/0x385 [mlx5core] ? mlx5eopenxdpsq+0x11c/0x230 [mlx5core] mlx5compeqnget+0x72/0x90 [mlx5core] ? xasload+0x8/0x91 mlx5compirqnget+0x40/0x90 [mlx5core] mlx5eopenchannel+0x7d/0x3c7 [mlx5core] mlx5eopenchannels+0xad/0x250 [mlx5core] mlx5eopenlocked+0x3e/0x110 [mlx5core] mlx5eopen+0x23/0x70 [mlx5core] _devopen+0xf1/0x1a5 _devchangeflags+0x1e1/0x249 devchangeflags+0x21/0x5c dosetlink+0x28b/0xcc4 ? _nlaparse+0x22/0x3d ? inet6validatelinkaf+0x6b/0x108 ? cpumasknext+0x1f/0x35 ? _snmp6fillstats64.constprop.0+0x66/0x107 ? _nlavalidateparse+0x48/0x1e6 _rtnlnewlink+0x5ff/0xa57 ? kmemcachealloctrace+0x164/0x2ce rtnlnewlink+0x44/0x6e rtnetlinkrcvmsg+0x2bb/0x362 ? _netlinksendskb+0x4c/0x6c ? netlinkunicast+0x28f/0x2ce ? rtnlcalcit.isra.0+0x150/0x146 netlinkrcvskb+0x5f/0x112 netlinkunicast+0x213/0x2ce netlinksendmsg+0x24f/0x4d9 _socksendmsg+0x65/0x6a syssendmsg+0x28f/0x2c9 ? importiovec+0x17/0x2b _syssendmsg+0x97/0xe0 _syssendmsg+0x81/0xd8 dosyscall64+0x35/0x87 entrySYSCALL64afterhwframe+0x6e/0x0 RIP: 0033:0x7fc328603727 Code: c3 66 90 41 54 41 89 d4 55 48 89 f5 53 89 fb 48 83 ec 10 e8 0b ed ff ff 44 89 e2 48 89 ee 89 df 41 89 c0 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 48 89 44 24 08 e8 44 ed ff ff 48 RSP: 002b:00007ffe8eb3f1a0 EFLAGS: 00000293 ORIGRAX: 000000000000002e RAX: ffffffffffffffda RBX: 000000000000000d RCX: 00007fc328603727 RDX: 0000000000000000 RSI: 00007ffe8eb3f1f0 RDI: 000000000000000d RBP: 00007ffe8eb3f1f0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000 R13: 00000000000 ---truncated---
- Database specific
{ "cna_assigner": "Linux", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40250.json" }- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/4d6b4bea8b80bfa13c903ba547538249e7c5e977
- https://git.kernel.org/stable/c/69e043bce09c9a77e5f55b9ac7505874a2a1a9f0
- https://git.kernel.org/stable/c/6ebd02cf2dde11b86f89ea4c9f55179eab30d4ee
- https://git.kernel.org/stable/c/d47515af6cccd7484d8b0870376858c9848a18ec
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40250.json
- https://nvd.nist.gov/vuln/detail/CVE-2025-40250
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced3354822cde5a9f72aa725b3c619188b149a71a33Fixed69e043bce09c9a77e5f55b9ac7505874a2a1a9f0Fixed6ebd02cf2dde11b86f89ea4c9f55179eab30d4eeFixed4d6b4bea8b80bfa13c903ba547538249e7c5e977Fixedd47515af6cccd7484d8b0870376858c9848a18ec