| { |
| "containers": { |
| "cna": { |
| "providerMetadata": { |
| "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038" |
| }, |
| "descriptions": [ |
| { |
| "lang": "en", |
| "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Fix mlx5_poll_one() cur_qp update flow\n\nWhen cur_qp isn't NULL, in order to avoid fetching the QP from\nthe radix tree again we check if the next cqe QP is identical to\nthe one we already have.\n\nThe bug however is that we are checking if the QP is identical by\nchecking the QP number inside the CQE against the QP number inside the\nmlx5_ib_qp, but that's wrong since the QP number from the CQE is from\nFW so it should be matched against mlx5_core_qp which is our FW QP\nnumber.\n\nOtherwise we could use the wrong QP when handling a CQE which could\ncause the kernel trace below.\n\nThis issue is mainly noticeable over QPs 0 & 1, since for now they are\nthe only QPs in our driver whereas the QP number inside mlx5_ib_qp\ndoesn't match the QP number inside mlx5_core_qp.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000012\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: Oops: 0000 [#1] SMP\n CPU: 0 UID: 0 PID: 7927 Comm: kworker/u62:1 Not tainted 6.14.0-rc3+ #189\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\n Workqueue: ib-comp-unb-wq ib_cq_poll_work [ib_core]\n RIP: 0010:mlx5_ib_poll_cq+0x4c7/0xd90 [mlx5_ib]\n Code: 03 00 00 8d 58 ff 21 cb 66 39 d3 74 39 48 c7 c7 3c 89 6e a0 0f b7 db e8 b7 d2 b3 e0 49 8b 86 60 03 00 00 48 c7 c7 4a 89 6e a0 <0f> b7 5c 98 02 e8 9f d2 b3 e0 41 0f b7 86 78 03 00 00 83 e8 01 21\n RSP: 0018:ffff88810511bd60 EFLAGS: 00010046\n RAX: 0000000000000010 RBX: 0000000000000000 RCX: 0000000000000000\n RDX: 0000000000000000 RSI: ffff88885fa1b3c0 RDI: ffffffffa06e894a\n RBP: 00000000000000b0 R08: 0000000000000000 R09: ffff88810511bc10\n R10: 0000000000000001 R11: 0000000000000001 R12: ffff88810d593000\n R13: ffff88810e579108 R14: ffff888105146000 R15: 00000000000000b0\n FS: 0000000000000000(0000) GS:ffff88885fa00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000012 CR3: 00000001077e6001 CR4: 0000000000370eb0\n Call Trace:\n <TASK>\n ? __die+0x20/0x60\n ? page_fault_oops+0x150/0x3e0\n ? exc_page_fault+0x74/0x130\n ? asm_exc_page_fault+0x22/0x30\n ? mlx5_ib_poll_cq+0x4c7/0xd90 [mlx5_ib]\n __ib_process_cq+0x5a/0x150 [ib_core]\n ib_cq_poll_work+0x31/0x90 [ib_core]\n process_one_work+0x169/0x320\n worker_thread+0x288/0x3a0\n ? work_busy+0xb0/0xb0\n kthread+0xd7/0x1f0\n ? kthreads_online_cpu+0x130/0x130\n ? kthreads_online_cpu+0x130/0x130\n ret_from_fork+0x2d/0x50\n ? kthreads_online_cpu+0x130/0x130\n ret_from_fork_asm+0x11/0x20\n </TASK>" |
| } |
| ], |
| "affected": [ |
| { |
| "product": "Linux", |
| "vendor": "Linux", |
| "defaultStatus": "unaffected", |
| "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", |
| "programFiles": [ |
| "drivers/infiniband/hw/mlx5/cq.c" |
| ], |
| "versions": [ |
| { |
| "version": "e126ba97dba9edeb6fafa3665b5f8497fc9cdf8c", |
| "lessThan": "3b97d77049856865ac5ce8ffbc6e716928310f7f", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "e126ba97dba9edeb6fafa3665b5f8497fc9cdf8c", |
| "lessThan": "856d9e5d72dc44eca6d5a153581c58fbd84e92e1", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "e126ba97dba9edeb6fafa3665b5f8497fc9cdf8c", |
| "lessThan": "f0447ceb8a31d79bee7144f98f9a13f765531e1a", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "e126ba97dba9edeb6fafa3665b5f8497fc9cdf8c", |
| "lessThan": "dc7139b7031d877acd73d7eff55670f22f48cd5e", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "e126ba97dba9edeb6fafa3665b5f8497fc9cdf8c", |
| "lessThan": "7c51a6964b45b6d40027abd77e89cef30d26dc5a", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "e126ba97dba9edeb6fafa3665b5f8497fc9cdf8c", |
| "lessThan": "cad677085274ecf9c7565b5bfc5d2e49acbf174c", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "e126ba97dba9edeb6fafa3665b5f8497fc9cdf8c", |
| "lessThan": "55c65a64aefa6267b964d90e9a4039cb68ec73a5", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "e126ba97dba9edeb6fafa3665b5f8497fc9cdf8c", |
| "lessThan": "d52636eb13ccba448a752964cc6fc49970912874", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "e126ba97dba9edeb6fafa3665b5f8497fc9cdf8c", |
| "lessThan": "5ed3b0cb3f827072e93b4c5b6e2b8106fd7cccbd", |
| "status": "affected", |
| "versionType": "git" |
| } |
| ] |
| }, |
| { |
| "product": "Linux", |
| "vendor": "Linux", |
| "defaultStatus": "affected", |
| "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", |
| "programFiles": [ |
| "drivers/infiniband/hw/mlx5/cq.c" |
| ], |
| "versions": [ |
| { |
| "version": "3.11", |
| "status": "affected" |
| }, |
| { |
| "version": "0", |
| "lessThan": "3.11", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "5.4.292", |
| "lessThanOrEqual": "5.4.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "5.10.236", |
| "lessThanOrEqual": "5.10.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "5.15.180", |
| "lessThanOrEqual": "5.15.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.1.134", |
| "lessThanOrEqual": "6.1.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.6.87", |
| "lessThanOrEqual": "6.6.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.12.23", |
| "lessThanOrEqual": "6.12.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.13.11", |
| "lessThanOrEqual": "6.13.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.14.2", |
| "lessThanOrEqual": "6.14.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.15", |
| "lessThanOrEqual": "*", |
| "status": "unaffected", |
| "versionType": "original_commit_for_fix" |
| } |
| ] |
| } |
| ], |
| "cpeApplicability": [ |
| { |
| "nodes": [ |
| { |
| "operator": "OR", |
| "negate": false, |
| "cpeMatch": [ |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "3.11", |
| "versionEndExcluding": "5.4.292" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "3.11", |
| "versionEndExcluding": "5.10.236" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "3.11", |
| "versionEndExcluding": "5.15.180" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "3.11", |
| "versionEndExcluding": "6.1.134" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "3.11", |
| "versionEndExcluding": "6.6.87" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "3.11", |
| "versionEndExcluding": "6.12.23" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "3.11", |
| "versionEndExcluding": "6.13.11" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "3.11", |
| "versionEndExcluding": "6.14.2" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "3.11", |
| "versionEndExcluding": "6.15" |
| } |
| ] |
| } |
| ] |
| } |
| ], |
| "references": [ |
| { |
| "url": "https://git.kernel.org/stable/c/3b97d77049856865ac5ce8ffbc6e716928310f7f" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/856d9e5d72dc44eca6d5a153581c58fbd84e92e1" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/f0447ceb8a31d79bee7144f98f9a13f765531e1a" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/dc7139b7031d877acd73d7eff55670f22f48cd5e" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/7c51a6964b45b6d40027abd77e89cef30d26dc5a" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/cad677085274ecf9c7565b5bfc5d2e49acbf174c" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/55c65a64aefa6267b964d90e9a4039cb68ec73a5" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/d52636eb13ccba448a752964cc6fc49970912874" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/5ed3b0cb3f827072e93b4c5b6e2b8106fd7cccbd" |
| } |
| ], |
| "title": "RDMA/mlx5: Fix mlx5_poll_one() cur_qp update flow", |
| "x_generator": { |
| "engine": "bippy-1.2.0" |
| } |
| } |
| }, |
| "cveMetadata": { |
| "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038", |
| "cveID": "CVE-2025-22086", |
| "requesterUserId": "gregkh@kernel.org", |
| "serial": "1", |
| "state": "PUBLISHED" |
| }, |
| "dataType": "CVE_RECORD", |
| "dataVersion": "5.0" |
| } |
