CVE-2025-39979
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 15/10/2025
Last modified: 16/10/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

net/mlx5: fs, fix UAF in flow counter release

Fix a kernel trace [1] caused by releasing an HWS action of a local flow
counter in mlx5_cmd_hws_delete_fte(), where the HWS action refcount and
mutex were not initialized and the counter struct could already be freed
when deleting the rule.

Fix it by adding the missing initializations and adding refcount for the
local flow counter struct.

[1] Kernel log:
Call Trace:
dump_stack_lvl+0x34/0x48
mlx5_fs_put_hws_action.part.0.cold+0x21/0x94 [mlx5_core]
mlx5_fc_put_hws_action+0x96/0xad [mlx5_core]
mlx5_fs_destroy_fs_actions+0x8b/0x152 [mlx5_core]
mlx5_cmd_hws_delete_fte+0x5a/0xa0 [mlx5_core]
del_hw_fte+0x1ce/0x260 [mlx5_core]
mlx5_del_flow_rules+0x12d/0x240 [mlx5_core]
? ttwu_queue_wakelist+0xf4/0x110
mlx5_ib_destroy_flow+0x103/0x1b0 [mlx5_ib]
uverbs_free_flow+0x20/0x50 [ib_uverbs]
destroy_hw_idr_uobject+0x1b/0x50 [ib_uverbs]
uverbs_destroy_uobject+0x34/0x1a0 [ib_uverbs]
uobj_destroy+0x3c/0x80 [ib_uverbs]
ib_uverbs_run_method+0x23e/0x360 [ib_uverbs]
? uverbs_finalize_object+0x60/0x60 [ib_uverbs]
ib_uverbs_cmd_verbs+0x14f/0x2c0 [ib_uverbs]
? do_tty_write+0x1a9/0x270
? file_tty_write.constprop.0+0x98/0xc0
? new_sync_write+0xfc/0x190
ib_uverbs_ioctl+0xd7/0x160 [ib_uverbs]
__x64_sys_ioctl+0x87/0xc0
do_syscall_64+0x59/0x90
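
A triage check for the call trace quoted in this record, as an added example that is not part of the CVE record or the kernel patch: it parses kernel log text, skips the unreliable frames marked `?`, and reports whether the four mlx5_core frames from the trace appear in order. The function names are hypothetical, and the timestamps and the second log are constructed sample input.

```python
import re

# Frames taken from the trace in this record, innermost first.
SIGNATURE = ["mlx5_fs_put_hws_action", "mlx5_fc_put_hws_action",
             "mlx5_fs_destroy_fs_actions", "mlx5_cmd_hws_delete_fte"]

# symbol+0xoff/0xsize [module]; a leading "? " marks a frame the unwinder
# could not confirm as part of the call chain.
FRAME_RE = re.compile(r"(?P<unreliable>\?\s+)?(?P<sym>[A-Za-z_][\w.]*)"
                      r"\+0x[0-9a-f]+/0x[0-9a-f]+(?:\s+\[(?P<mod>\w+)\])?")

def parse_frames(log_text):
    """Return (symbol, module) for each reliable frame, in log order."""
    frames = []
    for line in log_text.splitlines():
        m = FRAME_RE.search(line)
        if m and not m.group("unreliable"):
            # Drop compiler suffixes such as .part.0 or .cold.
            frames.append((m.group("sym").split(".", 1)[0], m.group("mod")))
    return frames

def matches_signature(log_text):
    """True if the SIGNATURE frames occur in order, all in mlx5_core."""
    symbols = iter(s for s, mod in parse_frames(log_text) if mod == "mlx5_core")
    # "sym in symbols" consumes the iterator, so this is an ordered match.
    return all(sym in symbols for sym in SIGNATURE)

# Constructed sample input: frames from this record with made-up timestamps.
SAMPLE_HIT = """\
[  101.000001] Call Trace:
[  101.000002]  dump_stack_lvl+0x34/0x48
[  101.000003]  mlx5_fs_put_hws_action.part.0.cold+0x21/0x94 [mlx5_core]
[  101.000004]  mlx5_fc_put_hws_action+0x96/0xad [mlx5_core]
[  101.000005]  mlx5_fs_destroy_fs_actions+0x8b/0x152 [mlx5_core]
[  101.000006]  mlx5_cmd_hws_delete_fte+0x5a/0xa0 [mlx5_core]
[  101.000007]  del_hw_fte+0x1ce/0x260 [mlx5_core]
[  101.000008]  ? ttwu_queue_wakelist+0xf4/0x110
"""

# Constructed sample input: a rule deletion trace without the release frames.
SAMPLE_MISS = """\
[  202.000001] Call Trace:
[  202.000002]  mlx5_cmd_hws_delete_fte+0x5a/0xa0 [mlx5_core]
[  202.000003]  del_hw_fte+0x1ce/0x260 [mlx5_core]
"""

if __name__ == "__main__":
    print(matches_signature(SAMPLE_HIT), matches_signature(SAMPLE_MISS))
```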



