CVE-2026-45973
Gravedad CVSS v3.1:
MEDIA
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
27/05/2026
Última modificación:
16/06/2026
Descripción
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
RDMA/mlx5: Fix UMR hang in LAG error state unload<br />
<br />
During firmware reset in LAG mode, a race condition causes the driver<br />
to hang indefinitely while waiting for UMR completion during device<br />
unload. See [1].<br />
<br />
In LAG mode the bond device is only registered on the master, so it<br />
never sees sys_error events from the slave.<br />
During firmware reset this causes UMR waits to hang forever on unload<br />
as the slave is dead but the master hasn&#39;t entered error state yet, so<br />
UMR posts succeed but completions never arrive.<br />
<br />
Fix this by adding a sys_error notifier that gets registered before<br />
MLX5_IB_STAGE_IB_REG and stays alive until after ib_unregister_device().<br />
This ensures error events reach the bond device throughout teardown.<br />
<br />
[1]<br />
Call Trace:<br />
__schedule+0x2bd/0x760<br />
schedule+0x37/0xa0<br />
schedule_preempt_disabled+0xa/0x10<br />
__mutex_lock.isra.6+0x2b5/0x4a0<br />
__mlx5_ib_dereg_mr+0x606/0x870 [mlx5_ib]<br />
? __xa_erase+0x4a/0xa0<br />
? _cond_resched+0x15/0x30<br />
? wait_for_completion+0x31/0x100<br />
ib_dereg_mr_user+0x48/0xc0 [ib_core]<br />
? rdmacg_uncharge_hierarchy+0xa0/0x100<br />
destroy_hw_idr_uobject+0x20/0x50 [ib_uverbs]<br />
uverbs_destroy_uobject+0x37/0x150 [ib_uverbs]<br />
__uverbs_cleanup_ufile+0xda/0x140 [ib_uverbs]<br />
uverbs_destroy_ufile_hw+0x3a/0xf0 [ib_uverbs]<br />
ib_uverbs_remove_one+0xc3/0x140 [ib_uverbs]<br />
remove_client_context+0x8b/0xd0 [ib_core]<br />
disable_device+0x8c/0x130 [ib_core]<br />
__ib_unregister_device+0x10d/0x180 [ib_core]<br />
ib_unregister_device+0x21/0x30 [ib_core]<br />
__mlx5_ib_remove+0x1e4/0x1f0 [mlx5_ib]<br />
auxiliary_bus_remove+0x1e/0x30<br />
device_release_driver_internal+0x103/0x1f0<br />
bus_remove_device+0xf7/0x170<br />
device_del+0x181/0x410<br />
mlx5_rescan_drivers_locked.part.10+0xa9/0x1d0 [mlx5_core]<br />
mlx5_disable_lag+0x253/0x260 [mlx5_core]<br />
mlx5_lag_disable_change+0x89/0xc0 [mlx5_core]<br />
mlx5_eswitch_disable+0x67/0xa0 [mlx5_core]<br />
mlx5_unload+0x15/0xd0 [mlx5_core]<br />
mlx5_unload_one+0x71/0xc0 [mlx5_core]<br />
mlx5_sync_reset_reload_work+0x83/0x100 [mlx5_core]<br />
process_one_work+0x1a7/0x360<br />
worker_thread+0x30/0x390<br />
? create_worker+0x1a0/0x1a0<br />
kthread+0x116/0x130<br />
? kthread_flush_work_fn+0x10/0x10<br />
ret_from_fork+0x22/0x40
Impacto
Puntuación base 3.x
5.50
Gravedad 3.x
MEDIA
Productos y versiones vulnerables
| CPE | Desde | Hasta |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.6.64 (incluyendo) | 6.7 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.11.11 (incluyendo) | 6.12 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.12.2 (incluyendo) | 6.12.75 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (incluyendo) | 6.18.14 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.19 (incluyendo) | 6.19.4 (excluyendo) |
Para consultar la lista completa de nombres de CPE con productos y versiones, ver esta página



