CVE-2025-21970

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/mlx5: Bridge, fix the crash caused by LAG state check<br /> <br /> When removing LAG device from bridge, NETDEV_CHANGEUPPER event is<br /> triggered. Driver finds the lower devices (PFs) to flush all the<br /> offloaded entries. And mlx5_lag_is_shared_fdb is checked, it returns<br /> false if one of PF is unloaded. In such case,<br /> mlx5_esw_bridge_lag_rep_get() and its caller return NULL, instead of<br /> the alive PF, and the flush is skipped.<br /> <br /> Besides, the bridge fdb entry&amp;#39;s lastuse is updated in mlx5 bridge<br /> event handler. But this SWITCHDEV_FDB_ADD_TO_BRIDGE event can be<br /> ignored in this case because the upper interface for bond is deleted,<br /> and the entry will never be aged because lastuse is never updated.<br /> <br /> To make things worse, as the entry is alive, mlx5 bridge workqueue<br /> keeps sending that event, which is then handled by kernel bridge<br /> notifier. It causes the following crash when accessing the passed bond<br /> netdev which is already destroyed.<br /> <br /> To fix this issue, remove such checks. LAG state is already checked in<br /> commit 15f8f168952f ("net/mlx5: Bridge, verify LAG state when adding<br /> bond to bridge"), driver still need to skip offload if LAG becomes<br /> invalid state after initialization.<br /> <br /> Oops: stack segment: 0000 [#1] SMP<br /> CPU: 3 UID: 0 PID: 23695 Comm: kworker/u40:3 Tainted: G OE 6.11.0_mlnx #1<br /> Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE<br /> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014<br /> Workqueue: mlx5_bridge_wq mlx5_esw_bridge_update_work [mlx5_core]<br /> RIP: 0010:br_switchdev_event+0x2c/0x110 [bridge]<br /> Code: 44 00 00 48 8b 02 48 f7 00 00 02 00 00 74 69 41 54 55 53 48 83 ec 08 48 8b a8 08 01 00 00 48 85 ed 74 4a 48 83 fe 02 48 89 d3 8b 65 00 74 23 76 49 48 83 fe 05 74 7e 48 83 fe 06 75 2f 0f b7<br /> RSP: 0018:ffffc900092cfda0 EFLAGS: 00010297<br /> RAX: ffff888123bfe000 RBX: ffffc900092cfe08 RCX: 00000000ffffffff<br /> RDX: ffffc900092cfe08 RSI: 0000000000000001 RDI: ffffffffa0c585f0<br /> RBP: 6669746f6e690a30 R08: 0000000000000000 R09: ffff888123ae92c8<br /> R10: 0000000000000000 R11: fefefefefefefeff R12: ffff888123ae9c60<br /> R13: 0000000000000001 R14: ffffc900092cfe08 R15: 0000000000000000<br /> FS: 0000000000000000(0000) GS:ffff88852c980000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00007f15914c8734 CR3: 0000000002830005 CR4: 0000000000770ef0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> PKRU: 55555554<br /> Call Trace:<br /> <br /> ? __die_body+0x1a/0x60<br /> ? die+0x38/0x60<br /> ? do_trap+0x10b/0x120<br /> ? do_error_trap+0x64/0xa0<br /> ? exc_stack_segment+0x33/0x50<br /> ? asm_exc_stack_segment+0x22/0x30<br /> ? br_switchdev_event+0x2c/0x110 [bridge]<br /> ? sched_balance_newidle.isra.149+0x248/0x390<br /> notifier_call_chain+0x4b/0xa0<br /> atomic_notifier_call_chain+0x16/0x20<br /> mlx5_esw_bridge_update+0xec/0x170 [mlx5_core]<br /> mlx5_esw_bridge_update_work+0x19/0x40 [mlx5_core]<br /> process_scheduled_works+0x81/0x390<br /> worker_thread+0x106/0x250<br /> ? bh_worker+0x110/0x110<br /> kthread+0xb7/0xe0<br /> ? kthread_park+0x80/0x80<br /> ret_from_fork+0x2d/0x50<br /> ? kthread_park+0x80/0x80<br /> ret_from_fork_asm+0x11/0x20<br />