{
  "threat_severity" : "Moderate",
  "public_date" : "2025-02-27T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: RDMA/mlx5: Fix a race for an ODP MR which leads to CQE with error",
    "id" : "2348522",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2348522"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nRDMA/mlx5: Fix a race for an ODP MR which leads to CQE with error\nThis patch addresses a race condition for an ODP MR that can result in a\nCQE with an error on the UMR QP.\nDuring the __mlx5_ib_dereg_mr() flow, the following sequence of calls\noccurs:\nmlx5_revoke_mr()\nmlx5r_umr_revoke_mr()\nmlx5r_umr_post_send_wait()\nAt this point, the lkey is freed from the hardware's perspective.\nHowever, concurrently, mlx5_ib_invalidate_range() might be triggered by\nanother task attempting to invalidate a range for the same freed lkey.\nThis task will:\n- Acquire the umem_odp->umem_mutex lock.\n- Call mlx5r_umr_update_xlt() on the UMR QP.\n- Since the lkey has already been freed, this can lead to a CQE error,\ncausing the UMR QP to enter an error state [1].\nTo resolve this race condition, the umem_odp->umem_mutex lock is now also\nacquired as part of the mlx5_revoke_mr() scope.  Upon successful revoke,\nwe set umem_odp->private which points to that MR to NULL, preventing any\nfurther invalidation attempts on its lkey.\n[1] From dmesg:\ninfiniband rocep8s0f0: dump_cqe:277:(pid 0): WC error: 6, Message: memory bind operation error\ncqe_dump: 00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\ncqe_dump: 00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\ncqe_dump: 00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\ncqe_dump: 00000030: 00 00 00 00 08 00 78 06 25 00 11 b9 00 0e dd d2\nWARNING: CPU: 15 PID: 1506 at drivers/infiniband/hw/mlx5/umr.c:394 mlx5r_umr_post_send_wait+0x15a/0x2b0 [mlx5_ib]\nModules linked in: ip6table_mangle ip6table_natip6table_filter ip6_tables iptable_mangle xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_umad ib_ipoib ib_cm mlx5_ib ib_uverbs ib_core fuse mlx5_core\nCPU: 15 UID: 0 PID: 1506 Comm: ibv_rc_pingpong Not tainted 6.12.0-rc7+ #1626\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nRIP: 0010:mlx5r_umr_post_send_wait+0x15a/0x2b0 [mlx5_ib]\n[..]\nCall Trace:\n<TASK>\nmlx5r_umr_update_xlt+0x23c/0x3e0 [mlx5_ib]\nmlx5_ib_invalidate_range+0x2e1/0x330 [mlx5_ib]\n__mmu_notifier_invalidate_range_start+0x1e1/0x240\nzap_page_range_single+0xf1/0x1a0\nmadvise_vma_behavior+0x677/0x6e0\ndo_madvise+0x1a2/0x4b0\n__x64_sys_madvise+0x25/0x30\ndo_syscall_64+0x6b/0x140\nentry_SYSCALL_64_after_hwframe+0x76/0x7e" ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2025-11-11T00:00:00Z",
    "advisory" : "RHSA-2025:20095",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "kernel-0:6.12.0-124.8.1.el10_1"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Will not fix",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-21732\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-21732\nhttps://lore.kernel.org/linux-cve-announce/2025022658-CVE-2025-21732-e800@gregkh/T" ],
  "name" : "CVE-2025-21732",
  "csaw" : false
}