CVE-2025-40250

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/mlx5: Clean up only new IRQ glue on request_irq() failure<br /> <br /> The mlx5_irq_alloc() function can inadvertently free the entire rmap<br /> and end up in a crash[1] when the other threads tries to access this,<br /> when request_irq() fails due to exhausted IRQ vectors. This commit<br /> modifies the cleanup to remove only the specific IRQ mapping that was<br /> just added.<br /> <br /> This prevents removal of other valid mappings and ensures precise<br /> cleanup of the failed IRQ allocation&amp;#39;s associated glue object.<br /> <br /> Note: This error is observed when both fwctl and rds configs are enabled.<br /> <br /> [1]<br /> mlx5_core 0000:05:00.0: Successfully registered panic handler for port 1<br /> mlx5_core 0000:05:00.0: mlx5_irq_alloc:293:(pid 66740): Failed to<br /> request irq. err = -28<br /> infiniband mlx5_0: mlx5_ib_test_wc:290:(pid 66740): Error -28 while<br /> trying to test write-combining support<br /> mlx5_core 0000:05:00.0: Successfully unregistered panic handler for port 1<br /> mlx5_core 0000:06:00.0: Successfully registered panic handler for port 1<br /> mlx5_core 0000:06:00.0: mlx5_irq_alloc:293:(pid 66740): Failed to<br /> request irq. err = -28<br /> infiniband mlx5_0: mlx5_ib_test_wc:290:(pid 66740): Error -28 while<br /> trying to test write-combining support<br /> mlx5_core 0000:06:00.0: Successfully unregistered panic handler for port 1<br /> mlx5_core 0000:03:00.0: mlx5_irq_alloc:293:(pid 28895): Failed to<br /> request irq. err = -28<br /> mlx5_core 0000:05:00.0: mlx5_irq_alloc:293:(pid 28895): Failed to<br /> request irq. err = -28<br /> general protection fault, probably for non-canonical address<br /> 0xe277a58fde16f291: 0000 [#1] SMP NOPTI<br /> <br /> RIP: 0010:free_irq_cpu_rmap+0x23/0x7d<br /> Call Trace:<br /> <br /> ? show_trace_log_lvl+0x1d6/0x2f9<br /> ? show_trace_log_lvl+0x1d6/0x2f9<br /> ? mlx5_irq_alloc.cold+0x5d/0xf3 [mlx5_core]<br /> ? __die_body.cold+0x8/0xa<br /> ? die_addr+0x39/0x53<br /> ? exc_general_protection+0x1c4/0x3e9<br /> ? dev_vprintk_emit+0x5f/0x90<br /> ? asm_exc_general_protection+0x22/0x27<br /> ? free_irq_cpu_rmap+0x23/0x7d<br /> mlx5_irq_alloc.cold+0x5d/0xf3 [mlx5_core]<br /> irq_pool_request_vector+0x7d/0x90 [mlx5_core]<br /> mlx5_irq_request+0x2e/0xe0 [mlx5_core]<br /> mlx5_irq_request_vector+0xad/0xf7 [mlx5_core]<br /> comp_irq_request_pci+0x64/0xf0 [mlx5_core]<br /> create_comp_eq+0x71/0x385 [mlx5_core]<br /> ? mlx5e_open_xdpsq+0x11c/0x230 [mlx5_core]<br /> mlx5_comp_eqn_get+0x72/0x90 [mlx5_core]<br /> ? xas_load+0x8/0x91<br /> mlx5_comp_irqn_get+0x40/0x90 [mlx5_core]<br /> mlx5e_open_channel+0x7d/0x3c7 [mlx5_core]<br /> mlx5e_open_channels+0xad/0x250 [mlx5_core]<br /> mlx5e_open_locked+0x3e/0x110 [mlx5_core]<br /> mlx5e_open+0x23/0x70 [mlx5_core]<br /> __dev_open+0xf1/0x1a5<br /> __dev_change_flags+0x1e1/0x249<br /> dev_change_flags+0x21/0x5c<br /> do_setlink+0x28b/0xcc4<br /> ? __nla_parse+0x22/0x3d<br /> ? inet6_validate_link_af+0x6b/0x108<br /> ? cpumask_next+0x1f/0x35<br /> ? __snmp6_fill_stats64.constprop.0+0x66/0x107<br /> ? __nla_validate_parse+0x48/0x1e6<br /> __rtnl_newlink+0x5ff/0xa57<br /> ? kmem_cache_alloc_trace+0x164/0x2ce<br /> rtnl_newlink+0x44/0x6e<br /> rtnetlink_rcv_msg+0x2bb/0x362<br /> ? __netlink_sendskb+0x4c/0x6c<br /> ? netlink_unicast+0x28f/0x2ce<br /> ? rtnl_calcit.isra.0+0x150/0x146<br /> netlink_rcv_skb+0x5f/0x112<br /> netlink_unicast+0x213/0x2ce<br /> netlink_sendmsg+0x24f/0x4d9<br /> __sock_sendmsg+0x65/0x6a<br /> ____sys_sendmsg+0x28f/0x2c9<br /> ? import_iovec+0x17/0x2b<br /> ___sys_sendmsg+0x97/0xe0<br /> __sys_sendmsg+0x81/0xd8<br /> do_syscall_64+0x35/0x87<br /> entry_SYSCALL_64_after_hwframe+0x6e/0x0<br /> RIP: 0033:0x7fc328603727<br /> Code: c3 66 90 41 54 41 89 d4 55 48 89 f5 53 89 fb 48 83 ec 10 e8 0b ed<br /> ff ff 44 89 e2 48 89 ee 89 df 41 89 c0 b8 2e 00 00 00 0f 05 3d 00<br /> f0 ff ff 77 35 44 89 c7 48 89 44 24 08 e8 44 ed ff ff 48<br /> RSP: 002b:00007ffe8eb3f1a0 EFLAGS: 00000293 ORIG_RAX: 000000000000002e<br /> RAX: ffffffffffffffda RBX: 000000000000000d RCX: 00007fc328603727<br /> RDX: 0000000000000000 RSI: 00007ffe8eb3f1f0 RDI: 000000000000000d<br /> RBP: 00007ffe8eb3f1f0 R08: 0000000000000000 R09: 0000000000000000<br /> R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000<br /> R13: 00000000000<br /> ---truncated---