CVE-2025-22091

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 16/04/2025
Last modified: 17/04/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

RDMA/mlx5: Fix page_size variable overflow

Change all variables storing mlx5_umem_mkc_find_best_pgsz() result to
unsigned long to support values larger than 31 and avoid overflow.

For example: If we try to register 4GB of memory that is contiguous in
physical memory, the driver will optimize the page_size and try to use
an mkey with 4GB entity size. The 'unsigned int' page_size variable will
overflow to '0' and we'll hit the WARN_ON() in alloc_cacheable_mr().

WARNING: CPU: 2 PID: 1203 at drivers/infiniband/hw/mlx5/mr.c:1124 alloc_cacheable_mr+0x22/0x580 [mlx5_ib]
Modules linked in: mlx5_ib mlx5_core bonding ip6_gre ip6_tunnel tunnel6 ip_gre gre rdma_rxe rdma_ucm ib_uverbs ib_ipoib ib_umad rpcrdma ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm fuse ib_core [last unloaded: mlx5_core]
CPU: 2 UID: 70878 PID: 1203 Comm: rdma_resource_l Tainted: G W 6.14.0-rc4-dirty #43
Tainted: [W]=WARN
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
RIP: 0010:alloc_cacheable_mr+0x22/0x580 [mlx5_ib]
Code: 90 90 90 90 90 90 90 90 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 55 41 54 41 52 53 48 83 ec 30 f6 46 28 04 4c 8b 77 08 75 21 0b 49 c7 c2 ea ff ff ff 48 8d 65 d0 4c 89 d0 5b 41 5a 41 5c 41
RSP: 0018:ffffc900006ffac8 EFLAGS: 00010246
RAX: 0000000004c0d0d0 RBX: ffff888217a22000 RCX: 0000000000100001
RDX: 00007fb7ac480000 RSI: ffff8882037b1240 RDI: ffff8882046f0600
RBP: ffffc900006ffb28 R08: 0000000000000001 R09: 0000000000000000
R10: 00000000000007e0 R11: ffffea0008011d40 R12: ffff8882037b1240
R13: ffff8882046f0600 R14: ffff888217a22000 R15: ffffc900006ffe00
FS: 00007fb7ed013340(0000) GS:ffff88885fd00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fb7ed1d8000 CR3: 00000001fd8f6006 CR4: 0000000000772eb0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:

 ? __warn+0x81/0x130
 ? alloc_cacheable_mr+0x22/0x580 [mlx5_ib]
 ? report_bug+0xfc/0x1e0
 ? handle_bug+0x55/0x90
 ? exc_invalid_op+0x17/0x70
 ? asm_exc_invalid_op+0x1a/0x20
 ? alloc_cacheable_mr+0x22/0x580 [mlx5_ib]
 create_real_mr+0x54/0x150 [mlx5_ib]
 ib_uverbs_reg_mr+0x17f/0x2a0 [ib_uverbs]
 ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0xca/0x140 [ib_uverbs]
 ib_uverbs_run_method+0x6d0/0x780 [ib_uverbs]
 ? __pfx_ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x10/0x10 [ib_uverbs]
 ib_uverbs_cmd_verbs+0x19b/0x360 [ib_uverbs]
 ? walk_system_ram_range+0x79/0xd0
 ? ___pte_offset_map+0x1b/0x110
 ? __pte_offset_map_lock+0x80/0x100
 ib_uverbs_ioctl+0xac/0x110 [ib_uverbs]
 __x64_sys_ioctl+0x94/0xb0
 do_syscall_64+0x50/0x110
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7fb7ecf0737b
Code: ff ff ff 85 c0 79 9b 49 c7 c4 ff ff ff ff 5b 5d 4c 89 e0 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 3d 01 f0 ff ff 73 01 c3 48 8b 0d 7d 2a 0f 00 f7 d8 64 89 01 48
RSP: 002b:00007ffdbe03ecc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007ffdbe03edb8 RCX: 00007fb7ecf0737b
RDX: 00007ffdbe03eda0 RSI: 00000000c0181b01 RDI: 0000000000000003
RBP: 00007ffdbe03ed80 R08: 00007fb7ecc84010 R09: 00007ffdbe03eed4
R10: 0000000000000009 R11: 0000000000000246 R12: 00007ffdbe03eed4
R13: 000000000000000c R14: 000000000000000c R15: 00007fb7ecc84150
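The truncation described above, as an added illustration that is not part of the CVE record or of the mlx5 driver: find_best_pgsz() is a hypothetical stand-in for mlx5_umem_mkc_find_best_pgsz() (its region model and the 4 GiB cap MAX_PGSZ are assumptions, not the driver's logic) that picks the largest power-of-two page size tiling a contiguous region. The same result is then stored once in an unsigned int, the pre-fix type, and once in an unsigned long, the fixed type. For a 4 GiB region the unsigned int copy becomes 0, which is exactly the condition a WARN_ON() on a zero page size trips, while fits_in_uint() shows the narrowing check a reviewer would want in front of any such assignment.

```c
#include <limits.h>
#include <stdio.h>

/* This model assumes the LP64 ABI the Linux kernel uses on x86_64:
 * 'unsigned long' is 64 bits and 'unsigned int' is 32 bits. */
_Static_assert(sizeof(unsigned long) == 8, "example assumes 64-bit unsigned long");
_Static_assert(sizeof(unsigned int) == 4, "example assumes 32-bit unsigned int");

#define MIN_PGSZ (1UL << 12)  /* 4 KiB: smallest page the model considers */
#define MAX_PGSZ (1UL << 32)  /* assumed cap: a 4 GiB entity must be allowed for the bug to be reachable */

/* Hypothetical stand-in for mlx5_umem_mkc_find_best_pgsz(), not the driver's
 * code: the largest power-of-two page size that divides both the start
 * address and the length of a contiguous region, capped at MAX_PGSZ. */
static unsigned long find_best_pgsz(unsigned long iova, unsigned long length)
{
    unsigned long pgsz = MIN_PGSZ;

    while (pgsz < MAX_PGSZ && ((iova | length) & ((pgsz << 1) - 1)) == 0)
        pgsz <<= 1;
    return pgsz;
}

/* Pre-fix shape: the result lands in an 'unsigned int'. The driver's
 * assignment was implicit; the cast here only makes the narrowing visible.
 * A 4 GiB result (1UL << 32) has no bits in the low 32, so it becomes 0. */
static unsigned int page_size_pre_fix(unsigned long iova, unsigned long length)
{
    unsigned int page_size = (unsigned int)find_best_pgsz(iova, length);
    return page_size;
}

/* Post-fix shape: 'unsigned long' keeps the full value. */
static unsigned long page_size_post_fix(unsigned long iova, unsigned long length)
{
    unsigned long page_size = find_best_pgsz(iova, length);
    return page_size;
}

/* Model of the sanity check in alloc_cacheable_mr(): a zero page size is
 * never valid, so a WARN_ON() fires. Returns 1 when it would. */
static int would_hit_warn_on(unsigned long page_size)
{
    return page_size == 0;
}

/* The review-time check for this bug class: before narrowing a value into a
 * smaller type, confirm it fits. Returns 1 when it does. */
static int fits_in_uint(unsigned long value)
{
    return value <= UINT_MAX;
}

int main(void)
{
    /* Constructed input: a 4 GiB region whose start is 4 GiB aligned. */
    unsigned long iova = 1UL << 32, length = 1UL << 32;
    unsigned long best = find_best_pgsz(iova, length);

    printf("best page size          : 0x%lx\n", best);
    printf("fits in unsigned int    : %d\n", fits_in_uint(best));
    printf("stored as unsigned int  : 0x%x -> WARN_ON hit: %d\n",
           page_size_pre_fix(iova, length),
           would_hit_warn_on(page_size_pre_fix(iova, length)));
    printf("stored as unsigned long : 0x%lx -> WARN_ON hit: %d\n",
           page_size_post_fix(iova, length),
           would_hit_warn_on(page_size_post_fix(iova, length)));
    return 0;
}
```

Compile with any C11 compiler on a 64-bit Linux host; for the same input a 2 MiB region stays within 32 bits and both storage types agree, which is why the defect only surfaces once a physically contiguous registration reaches 4 GiB.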

Impact