CVE-2025-38161
Severity CVSS v4.0: Pending analysis
Type: CWE-191 Integer Underflow (Wrap or Wraparound)
Publication date: 03/07/2025
Last modified: 18/12/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

RDMA/mlx5: Fix error flow upon firmware failure for RQ destruction

Upon RQ destruction, if the firmware command fails, which is the last resource to be destroyed, some SW resources were already cleaned regardless of the failure.

Now properly rollback the object to its original state upon such failure.

In order to avoid a use-after-free in case someone tries to destroy the object again, which results in the following kernel trace:

```
refcount_t: underflow; use-after-free.
WARNING: CPU: 0 PID: 37589 at lib/refcount.c:28 refcount_warn_saturate+0xf4/0x148
Modules linked in: rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) rfkill mlx5_core(OE) mlxdevm(OE) ib_uverbs(OE) ib_core(OE) psample mlxfw(OE) mlx_compat(OE) macsec tls pci_hyperv_intf sunrpc vfat fat virtio_net net_failover failover fuse loop nfnetlink vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vmw_vmci vsock xfs crct10dif_ce ghash_ce sha2_ce sha256_arm64 sha1_ce virtio_console virtio_gpu virtio_blk virtio_dma_buf virtio_mmio dm_mirror dm_region_hash dm_log dm_mod xpmem(OE)
CPU: 0 UID: 0 PID: 37589 Comm: python3 Kdump: loaded Tainted: G OE ------- --- 6.12.0-54.el10.aarch64 #1
Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : refcount_warn_saturate+0xf4/0x148
lr : refcount_warn_saturate+0xf4/0x148
sp : ffff80008b81b7e0
x29: ffff80008b81b7e0 x28: ffff000133d51600 x27: 0000000000000001
x26: 0000000000000000 x25: 00000000ffffffea x24: ffff00010ae80f00
x23: ffff00010ae80f80 x22: ffff0000c66e5d08 x21: 0000000000000000
x20: ffff0000c66e0000 x19: ffff00010ae80340 x18: 0000000000000006
x17: 0000000000000000 x16: 0000000000000020 x15: ffff80008b81b37f
x14: 0000000000000000 x13: 2e656572662d7265 x12: ffff80008283ef78
x11: ffff80008257efd0 x10: ffff80008283efd0 x9 : ffff80008021ed90
x8 : 0000000000000001 x7 : 00000000000bffe8 x6 : c0000000ffff7fff
x5 : ffff0001fb8e3408 x4 : 0000000000000000 x3 : ffff800179993000
x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000133d51600
Call trace:
refcount_warn_saturate+0xf4/0x148
mlx5_core_put_rsc+0x88/0xa0 [mlx5_ib]
mlx5_core_destroy_rq_tracked+0x64/0x98 [mlx5_ib]
mlx5_ib_destroy_wq+0x34/0x80 [mlx5_ib]
ib_destroy_wq_user+0x30/0xc0 [ib_core]
uverbs_free_wq+0x28/0x58 [ib_uverbs]
destroy_hw_idr_uobject+0x34/0x78 [ib_uverbs]
uverbs_destroy_uobject+0x48/0x240 [ib_uverbs]
__uverbs_cleanup_ufile+0xd4/0x1a8 [ib_uverbs]
uverbs_destroy_ufile_hw+0x48/0x120 [ib_uverbs]
ib_uverbs_close+0x2c/0x100 [ib_uverbs]
__fput+0xd8/0x2f0
__fput_sync+0x50/0x70
__arm64_sys_close+0x40/0x90
invoke_syscall.constprop.0+0x74/0xd0
do_el0_svc+0x48/0xe8
el0_svc+0x44/0x1d0
el0t_64_sync_handler+0x120/0x130
el0t_64_sync+0x1a4/0x1a8
```
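
An added illustration, not code from the kernel patch or from this advisory: a simplified user-space C model of the error flow described above, showing why a second destroy underflows the reference count when software state is cleaned before the firmware result is known, and how rolling back avoids it. All names (`struct rq`, `fw_destroy_rq`, `destroy_rq_unfixed`, `destroy_rq_rollback`, `second_destroy_underflows`) are hypothetical and the firmware command is simulated.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical user-space model of the error flow; not mlx5 driver code. */
struct rq { int refcount; bool in_table; };
static bool fw_fail_next; /* simulated firmware: fail the next command */

static int fw_destroy_rq(void)
{
    int err = fw_fail_next ? -5 : 0; /* -5 stands in for -EIO */
    fw_fail_next = false;
    return err;
}

/* Unfixed flow: software state is cleaned before the firmware result is known. */
static int destroy_rq_unfixed(struct rq *rq)
{
    rq->in_table = false;
    rq->refcount--; /* reference dropped even if firmware then fails */
    return fw_destroy_rq();
}

/* Fixed flow: on firmware failure, restore the object to its original state. */
static int destroy_rq_rollback(struct rq *rq)
{
    rq->in_table = false;
    int err = fw_destroy_rq();
    if (err)
        rq->in_table = true; /* rollback; the reference is still held */
    else
        rq->refcount--;      /* drop the reference only on success */
    return err;
}

/* First destroy hits a firmware failure, then the caller destroys again. */
static bool second_destroy_underflows(int (*destroy)(struct rq *))
{
    struct rq rq = { .refcount = 1, .in_table = true };
    fw_fail_next = true;
    destroy(&rq);
    destroy(&rq);
    return rq.refcount < 0; /* below zero models the underflow in the trace */
}

int main(void)
{
    printf("unfixed=%d rollback=%d\n", second_destroy_underflows(destroy_rq_unfixed),
           second_destroy_underflows(destroy_rq_rollback));
    return 0;
}
```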
Impact
Base Score 3.x: 5.50
Severity 3.x: MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.5 (including) | 5.10.239 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.186 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.142 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.94 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.34 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.15.3 (excluding) |
| cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/0a7790cbba654e925243571cf2f24d61603d3ed3
- https://git.kernel.org/stable/c/26d2f662d3a6655a82fd8a287e8b1ce471567f36
- https://git.kernel.org/stable/c/50ac361ff8914133e3cf6ef184bac90c22cb8d79
- https://git.kernel.org/stable/c/5d2ea5aebbb2f3ebde4403f9c55b2b057e5dd2d6
- https://git.kernel.org/stable/c/7c4c84cdcc19e89d42f6bf117238e5471173423e
- https://git.kernel.org/stable/c/cf32affe6f3801cfb72a65e69c4bc7a8ee9be100
- https://git.kernel.org/stable/c/f9784da76ad7be66230e829e743bdf68a2c49e56
- https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html
- https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html



