CVE-2025-68209

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 16/12/2025
Last modified: 16/12/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

mlx5: Fix default values in create CQ

Currently, CQs without a completion function are assigned the mlx5_add_cq_to_tasklet function by default. This is problematic since only user CQs created through the mlx5_ib driver are intended to use this function.

Additionally, all CQs that will use doorbells instead of polling for completions must call mlx5_cq_arm. However, the default CQ creation flow leaves a valid value in the CQ's arm_db field, allowing FW to send interrupts to polling-only CQs in certain corner cases.

These two factors would allow a polling-only kernel CQ to be triggered by an EQ interrupt and call a completion function intended only for user CQs, causing a null pointer exception.

Some areas in the driver have prevented this issue with one-off fixes but did not address the root cause.

This patch fixes the described issue by adding defaults to the create CQ flow. It adds a default dummy completion function to protect against null pointer exceptions, and it sets an invalid command sequence number by default in kernel CQs to prevent the FW from sending an interrupt to the CQ until it is armed. User CQs are responsible for their own initialization values.

Callers of mlx5_core_create_cq are responsible for changing the completion function and arming the CQ per their needs.
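The two defaults described above, shown as a user-space model. This is an added example, not code from the kernel or the patch. Every struct, function and constant name in it is hypothetical, and the rule that the firmware interrupts only when the sequence number matches is a simplifying assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model; every name here is hypothetical, not the mlx5 driver's. */
#define SN_INVALID 0xFFFFFFFFu /* constructed sentinel the model FW never uses */

struct cq;
typedef int (*comp_fn)(struct cq *cq);
struct cq {
    comp_fn comp;      /* completion callback run when an EQ interrupt arrives */
    uint32_t arm_sn;   /* stands in for the sequence number held in arm_db */
    int *tasklet_ctx;  /* state that only user CQs set up */
};

/* Handler meant for user CQs only; the real crash is modelled as -1. */
int user_tasklet_comp(struct cq *cq) {
    return cq->tasklet_ctx ? ++*cq->tasklet_ctx : -1;
}
int dummy_comp(struct cq *cq) { (void)cq; return 0; }

/* Old defaults: user handler assigned, arm_sn left at a value the FW accepts. */
void create_cq_old(struct cq *cq, comp_fn comp) {
    cq->comp = comp ? comp : user_tasklet_comp;
    cq->arm_sn = 0;
    cq->tasklet_ctx = NULL;
}
/* Fixed defaults: harmless handler, and a sequence number the FW never matches. */
void create_cq_fixed(struct cq *cq, comp_fn comp) {
    cq->comp = comp ? comp : dummy_comp;
    cq->arm_sn = SN_INVALID;
    cq->tasklet_ctx = NULL;
}
/* Callers that want interrupts arm the CQ themselves. */
void cq_arm(struct cq *cq, uint32_t sn) { cq->arm_sn = sn; }

/* Assumed FW rule: interrupt only on a match. 1 = none, 0 = handled, -1 = crash path. */
int deliver_event(struct cq *cq, uint32_t fw_sn) {
    if (cq->arm_sn != fw_sn) return 1;
    return cq->comp(cq);
}

int main(void) {
    struct cq old_cq, new_cq;
    create_cq_old(&old_cq, NULL);
    create_cq_fixed(&new_cq, NULL);
    printf("old: %d, fixed: %d\n", deliver_event(&old_cq, 0), deliver_event(&new_cq, 0));
    return 0;
}
```

Either default alone breaks the chain in this model: the invalid sequence number stops the event from being delivered, and the dummy handler makes a delivered event harmless.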

Impact