CVE-2026-23000
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 25/01/2026
Last modified: 25/01/2026
Description
In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: Fix crash on profile change rollback failure

mlx5e_netdev_change_profile can fail to attach a new profile and can
fail to rollback to old profile, in such case, we could end up with a
dangling netdev with a fully reset netdev_priv. A retry to change
profile, e.g. another attempt to call mlx5e_netdev_change_profile via
switchdev mode change, will crash trying to access the now NULL
priv->mdev.

This fix allows mlx5e_netdev_change_profile() to handle previous
failures and an empty priv, by not assuming priv is valid.

Pass netdev and mdev to all flows requiring
mlx5e_netdev_change_profile() and avoid passing priv.
In mlx5e_netdev_change_profile() check if current priv is valid, and if
not, just attach the new profile without trying to access the old one.

This fixes the following oops, when enabling switchdev mode for the 2nd
time after first time failure:

## Enabling switchdev mode first time:

mlx5_core 0012:03:00.1: E-Switch: Supported tc chains and prios offload
workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR
mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12
mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: new profile init failed, -12
workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR
mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12
mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12
^^^^^^^^
mlx5_core 0000:00:03.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0)

## retry: Enabling switchdev mode 2nd time:

mlx5_core 0000:00:03.0: E-Switch: Supported tc chains and prios offload
BUG: kernel NULL pointer dereference, address: 0000000000000038
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: Oops: 0000 [#1] SMP NOPTI
CPU: 13 UID: 0 PID: 520 Comm: devlink Not tainted 6.18.0-rc4+ #91 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014
RIP: 0010:mlx5e_detach_netdev+0x3c/0x90
Code: 50 00 00 f0 80 4f 78 02 48 8b bf e8 07 00 00 48 85 ff 74 16 48 8b 73 78 48 d1 ee 83 e6 01 83 f6 01 40 0f b6 f6 e8 c4 42 00 00 8b 45 38 48 85 c0 74 08 48 89 df e8 cc 47 40 1e 48 8b bb f0 07
RSP: 0018:ffffc90000673890 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff8881036a89c0 RCX: 0000000000000000
RDX: ffff888113f63800 RSI: ffffffff822fe720 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000002dcd R09: 0000000000000000
R10: ffffc900006738e8 R11: 00000000ffffffff R12: 0000000000000000
R13: 0000000000000000 R14: ffff8881036a89c0 R15: 0000000000000000
FS: 00007fdfb8384740(0000) GS:ffff88856a9d6000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000038 CR3: 0000000112ae0005 CR4: 0000000000370ef0
Call Trace:

mlx5e_netdev_change_profile+0x45/0xb0
mlx5e_vport_rep_load+0x27b/0x2d0
mlx5_esw_offloads_rep_load+0x72/0xf0
esw_offloads_enable+0x5d0/0x970
mlx5_eswitch_enable_locked+0x349/0x430
? is_mp_supported+0x57/0xb0
mlx5_devlink_eswitch_mode_set+0x26b/0x430
devlink_nl_eswitch_set_doit+0x6f/0xf0
genl_family_rcv_msg_doit+0xe8/0x140
genl_rcv_msg+0x18b/0x290
? __pfx_devlink_nl_pre_doit+0x10/0x10
? __pfx_devlink_nl_eswitch_set_doit+0x10/0x10
? __pfx_devlink_nl_post_doit+0x10/0x10
? __pfx_genl_rcv_msg+0x10/0x10
netlink_rcv_skb+0x52/0x100
genl_rcv+0x28/0x40
netlink_unicast+0x282/0x3e0
? __alloc_skb+0xd6/0x190
netlink_sendmsg+0x1f7/0x430
__sys_sendto+0x213/0x220
? __sys_recvmsg+0x6a/0xd0
__x64_sys_sendto+0x24/0x30
do_syscall_64+0x50/0x1f0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7fdfb8495047
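
A log triage sketch for the failure sequence described above, added here as an example (it is not part of the kernel commit or of this advisory): it flags the rollback-failure message that leaves the netdev dangling, and a later NULL dereference whose RIP is in mlx5e_detach_netdev. The names triage, FIRST_ATTEMPT and RETRY are assumptions; the sample lines are copied from the log above.

```python
import re

# Printed when attaching the new profile failed and the rollback failed too;
# from this point the netdev is dangling with a reset netdev_priv.
ROLLBACK_FAIL = re.compile(
    r"mlx5_core (?P<pci>[0-9a-f]{4}:[0-9a-f]{2}:[0-9a-f]{2}\.[0-7]) "
    r"(?P<netdev>\S+): mlx5e_netdev_change_profile: "
    r"failed to rollback to orig profile, (?P<err>-?\d+)"
)
NULL_DEREF = re.compile(r"BUG: kernel NULL pointer dereference")
KERNEL_RIP = re.compile(r"RIP: 0010:(?P<sym>\w+)\+")


def triage(lines):
    """Return (dangling, crashed) for an iterable of kernel log lines.

    dangling: [(pci, netdev, errno)] for every rollback failure seen.
    crashed:  True if a NULL-dereference oops whose RIP is in
              mlx5e_detach_netdev appears after a rollback failure.
    The oops does not name the netdev, so correlation is by order only.
    """
    dangling, crashed, in_oops = [], False, False
    for line in lines:
        m = ROLLBACK_FAIL.search(line)  # search() tolerates dmesg timestamps
        if m:
            dangling.append((m["pci"], m["netdev"], int(m["err"])))
        elif NULL_DEREF.search(line):
            in_oops = True
        elif in_oops and (rip := KERNEL_RIP.search(line)):
            in_oops = False  # first kernel RIP line after the BUG banner
            if rip["sym"] == "mlx5e_detach_netdev" and dangling:
                crashed = True
    return dangling, crashed


# Sample lines copied from the log in the advisory text.
FIRST_ATTEMPT = [
    "mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: new profile init failed, -12",
    "mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12",
]
RETRY = [
    "BUG: kernel NULL pointer dereference, address: 0000000000000038",
    "RIP: 0010:mlx5e_detach_netdev+0x3c/0x90",
]

if __name__ == "__main__":
    print(triage(FIRST_ATTEMPT + RETRY))
```

A host that reports a non-empty dangling list without crashed has not yet hit the oops; per the description above, a retry of the switchdev mode change on an unpatched kernel is what triggers it.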



