CVE-2025-22086

Severity CVSS v4.0:
Pending analysis
Type:
CWE-476 NULL Pointer Dereference
Publication date:
16/04/2025
Last modified:
03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

RDMA/mlx5: Fix mlx5_poll_one() cur_qp update flow

When cur_qp isn't NULL, in order to avoid fetching the QP from the radix tree again we check if the next cqe QP is identical to the one we already have.

The bug however is that we are checking if the QP is identical by checking the QP number inside the CQE against the QP number inside the mlx5_ib_qp, but that's wrong since the QP number from the CQE is from FW so it should be matched against mlx5_core_qp which is our FW QP number.

Otherwise we could use the wrong QP when handling a CQE which could cause the kernel trace below.

This issue is mainly noticeable over QPs 0 & 1, since for now they are the only QPs in our driver whereas the QP number inside mlx5_ib_qp doesn't match the QP number inside mlx5_core_qp.

BUG: kernel NULL pointer dereference, address: 0000000000000012
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: Oops: 0000 [#1] SMP
CPU: 0 UID: 0 PID: 7927 Comm: kworker/u62:1 Not tainted 6.14.0-rc3+ #189
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
Workqueue: ib-comp-unb-wq ib_cq_poll_work [ib_core]
RIP: 0010:mlx5_ib_poll_cq+0x4c7/0xd90 [mlx5_ib]
Code: 03 00 00 8d 58 ff 21 cb 66 39 d3 74 39 48 c7 c7 3c 89 6e a0 0f b7 db e8 b7 d2 b3 e0 49 8b 86 60 03 00 00 48 c7 c7 4a 89 6e a0 b7 5c 98 02 e8 9f d2 b3 e0 41 0f b7 86 78 03 00 00 83 e8 01 21
RSP: 0018:ffff88810511bd60 EFLAGS: 00010046
RAX: 0000000000000010 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffff88885fa1b3c0 RDI: ffffffffa06e894a
RBP: 00000000000000b0 R08: 0000000000000000 R09: ffff88810511bc10
R10: 0000000000000001 R11: 0000000000000001 R12: ffff88810d593000
R13: ffff88810e579108 R14: ffff888105146000 R15: 00000000000000b0
FS: 0000000000000000(0000) GS:ffff88885fa00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000012 CR3: 00000001077e6001 CR4: 0000000000370eb0
Call Trace:

? __die+0x20/0x60
? page_fault_oops+0x150/0x3e0
? exc_page_fault+0x74/0x130
? asm_exc_page_fault+0x22/0x30
? mlx5_ib_poll_cq+0x4c7/0xd90 [mlx5_ib]
__ib_process_cq+0x5a/0x150 [ib_core]
ib_cq_poll_work+0x31/0x90 [ib_core]
process_one_work+0x169/0x320
worker_thread+0x288/0x3a0
? work_busy+0xb0/0xb0
kthread+0xd7/0x1f0
? kthreads_online_cpu+0x130/0x130
? kthreads_online_cpu+0x130/0x130
ret_from_fork+0x2d/0x50
? kthreads_online_cpu+0x130/0x130
ret_from_fork_asm+0x11/0x20

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 3.11 (including) 5.4.292 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.5 (including) 5.10.236 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.180 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.134 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.87 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.12.23 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.13.11 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.14 (including) 6.14.2 (excluding)