{
  "threat_severity" : "Moderate",
  "public_date" : "2025-12-04T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: devlink: rate: Unset parent pointer in devl_rate_nodes_destroy",
    "id" : "2418892",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2418892"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-911",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\ndevlink: rate: Unset parent pointer in devl_rate_nodes_destroy\nThe function devl_rate_nodes_destroy is documented to \"Unset parent for\nall rate objects\". However, it was only calling the driver-specific\n`rate_leaf_parent_set` or `rate_node_parent_set` ops and decrementing\nthe parent's refcount, without actually setting the\n`devlink_rate->parent` pointer to NULL.\nThis leaves a dangling pointer in the `devlink_rate` struct, which causes\na refcount error in netdevsim[1] and mlx5[2]. In addition, this is\ninconsistent with the behavior of `devlink_nl_rate_parent_node_set`,\nwhere the parent pointer is correctly cleared.\nThis patch fixes the issue by explicitly setting `devlink_rate->parent`\nto NULL after notifying the driver, thus fulfilling the function's\ndocumented behavior for all rate objects.\n[1]\nrepro steps:\necho 1 > /sys/bus/netdevsim/new_device\ndevlink dev eswitch set netdevsim/netdevsim1 mode switchdev\necho 1 > /sys/bus/netdevsim/devices/netdevsim1/sriov_numvfs\ndevlink port function rate add netdevsim/netdevsim1/test_node\ndevlink port function rate set netdevsim/netdevsim1/128 parent test_node\necho 1 > /sys/bus/netdevsim/del_device\ndmesg:\nrefcount_t: decrement hit 0; leaking memory.\nWARNING: CPU: 8 PID: 1530 at lib/refcount.c:31 refcount_warn_saturate+0x42/0xe0\nCPU: 8 UID: 0 PID: 1530 Comm: bash Not tainted 6.18.0-rc4+ #1 NONE\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nRIP: 0010:refcount_warn_saturate+0x42/0xe0\nCall Trace:\n<TASK>\ndevl_rate_leaf_destroy+0x8d/0x90\n__nsim_dev_port_del+0x6c/0x70 [netdevsim]\nnsim_dev_reload_destroy+0x11c/0x140 [netdevsim]\nnsim_drv_remove+0x2b/0xb0 [netdevsim]\ndevice_release_driver_internal+0x194/0x1f0\nbus_remove_device+0xc6/0x130\ndevice_del+0x159/0x3c0\ndevice_unregister+0x1a/0x60\ndel_device_store+0x111/0x170 [netdevsim]\nkernfs_fop_write_iter+0x12e/0x1e0\nvfs_write+0x215/0x3d0\nksys_write+0x5f/0xd0\ndo_syscall_64+0x55/0x10f0\nentry_SYSCALL_64_after_hwframe+0x4b/0x53\n[2]\ndevlink dev eswitch set pci/0000:08:00.0 mode switchdev\ndevlink port add pci/0000:08:00.0 flavour pcisf pfnum 0 sfnum 1000\ndevlink port function rate add pci/0000:08:00.0/group1\ndevlink port function rate set pci/0000:08:00.0/32768 parent group1\nmodprobe -r mlx5_ib mlx5_fwctl mlx5_core\ndmesg:\nrefcount_t: decrement hit 0; leaking memory.\nWARNING: CPU: 7 PID: 16151 at lib/refcount.c:31 refcount_warn_saturate+0x42/0xe0\nCPU: 7 UID: 0 PID: 16151 Comm: bash Not tainted 6.17.0-rc7_for_upstream_min_debug_2025_10_02_12_44 #1 NONE\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\nRIP: 0010:refcount_warn_saturate+0x42/0xe0\nCall Trace:\n<TASK>\ndevl_rate_leaf_destroy+0x8d/0x90\nmlx5_esw_offloads_devlink_port_unregister+0x33/0x60 [mlx5_core]\nmlx5_esw_offloads_unload_rep+0x3f/0x50 [mlx5_core]\nmlx5_eswitch_unload_sf_vport+0x40/0x90 [mlx5_core]\nmlx5_sf_esw_event+0xc4/0x120 [mlx5_core]\nnotifier_call_chain+0x33/0xa0\nblocking_notifier_call_chain+0x3b/0x50\nmlx5_eswitch_disable_locked+0x50/0x110 [mlx5_core]\nmlx5_eswitch_disable+0x63/0x90 [mlx5_core]\nmlx5_unload+0x1d/0x170 [mlx5_core]\nmlx5_uninit_one+0xa2/0x130 [mlx5_core]\nremove_one+0x78/0xd0 [mlx5_core]\npci_device_remove+0x39/0xa0\ndevice_release_driver_internal+0x194/0x1f0\nunbind_store+0x99/0xa0\nkernfs_fop_write_iter+0x12e/0x1e0\nvfs_write+0x215/0x3d0\nksys_write+0x5f/0xd0\ndo_syscall_64+0x53/0x1f0\nentry_SYSCALL_64_after_hwframe+0x4b/0x53", "A dangling pointer access problem was found in devl_rate_nodes_destroy in net/devlink/rate.c in devlink in the Linux kernel. This flaw may allow an attacker to cause a denial of service." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-02-02T00:00:00Z",
    "advisory" : "RHSA-2026:1690",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "kernel-0:6.12.0-124.31.1.el10_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10.0 Extended Update Support",
    "release_date" : "2026-02-02T00:00:00Z",
    "advisory" : "RHSA-2026:1727",
    "cpe" : "cpe:/o:redhat:enterprise_linux_eus:10.0",
    "package" : "kernel-0:6.12.0-55.58.1.el10_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-02-02T00:00:00Z",
    "advisory" : "RHSA-2026:1617",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-611.27.1.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-02-02T00:00:00Z",
    "advisory" : "RHSA-2026:1617",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-611.27.1.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2026-02-11T00:00:00Z",
    "advisory" : "RHSA-2026:2573",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0",
    "package" : "kernel-0:5.14.0-70.165.1.el9_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2026-02-11T00:00:00Z",
    "advisory" : "RHSA-2026:2577",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0::nfv",
    "package" : "kernel-rt-0:5.14.0-70.165.1.rt21.237.el9_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2026-02-11T00:00:00Z",
    "advisory" : "RHSA-2026:2560",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2",
    "package" : "kernel-0:5.14.0-284.156.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2026-02-11T00:00:00Z",
    "advisory" : "RHSA-2026:2583",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2::nfv",
    "package" : "kernel-rt-0:5.14.0-284.156.1.rt14.441.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2026-02-04T00:00:00Z",
    "advisory" : "RHSA-2026:1879",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.4",
    "package" : "kernel-0:5.14.0-427.109.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support",
    "release_date" : "2026-01-26T00:00:00Z",
    "advisory" : "RHSA-2026:1194",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.6",
    "package" : "kernel-0:5.14.0-570.81.1.el9_6"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-40251\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-40251\nhttps://lore.kernel.org/linux-cve-announce/2025120431-CVE-2025-40251-7db7@gregkh/T" ],
  "name" : "CVE-2025-40251",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}