2404109 – (CVE-2025-39979) CVE-2025-39979 kernel: net/mlx5: fs, fix UAF in flow counter release

Bug 2404109 (CVE-2025-39979) - CVE-2025-39979 kernel: net/mlx5: fs, fix UAF in flow counter release

Summary: CVE-2025-39979 kernel: net/mlx5: fs, fix UAF in flow counter release

Keywords:
Status:	NEW
Alias:	CVE-2025-39979
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-10-15 08:02 UTC by OSIDB Bzimport
Modified:	2025-12-08 17:59 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2025:22854	0	None	None	None	2025-12-08 14:42:35 UTC
Red Hat Product Errata	RHSA-2025:22865	0	None	None	None	2025-12-08 17:59:38 UTC

Description OSIDB Bzimport 2025-10-15 08:02:33 UTC

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5: fs, fix UAF in flow counter release

Fix a kernel trace [1] caused by releasing an HWS action of a local flow
counter in mlx5_cmd_hws_delete_fte(), where the HWS action refcount and
mutex were not initialized and the counter struct could already be freed
when deleting the rule.

Fix it by adding the missing initializations and adding refcount for the
local flow counter struct.

[1] Kernel log:
 Call Trace:
  <TASK>
  dump_stack_lvl+0x34/0x48
  mlx5_fs_put_hws_action.part.0.cold+0x21/0x94 [mlx5_core]
  mlx5_fc_put_hws_action+0x96/0xad [mlx5_core]
  mlx5_fs_destroy_fs_actions+0x8b/0x152 [mlx5_core]
  mlx5_cmd_hws_delete_fte+0x5a/0xa0 [mlx5_core]
  del_hw_fte+0x1ce/0x260 [mlx5_core]
  mlx5_del_flow_rules+0x12d/0x240 [mlx5_core]
  ? ttwu_queue_wakelist+0xf4/0x110
  mlx5_ib_destroy_flow+0x103/0x1b0 [mlx5_ib]
  uverbs_free_flow+0x20/0x50 [ib_uverbs]
  destroy_hw_idr_uobject+0x1b/0x50 [ib_uverbs]
  uverbs_destroy_uobject+0x34/0x1a0 [ib_uverbs]
  uobj_destroy+0x3c/0x80 [ib_uverbs]
  ib_uverbs_run_method+0x23e/0x360 [ib_uverbs]
  ? uverbs_finalize_object+0x60/0x60 [ib_uverbs]
  ib_uverbs_cmd_verbs+0x14f/0x2c0 [ib_uverbs]
  ? do_tty_write+0x1a9/0x270
  ? file_tty_write.constprop.0+0x98/0xc0
  ? new_sync_write+0xfc/0x190
  ib_uverbs_ioctl+0xd7/0x160 [ib_uverbs]
  __x64_sys_ioctl+0x87/0xc0
  do_syscall_64+0x59/0x90

Comment 1 Alexander B 2025-10-16 10:56:59 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025101559-CVE-2025-39979-f1e9@gregkh/T

Comment 7 errata-xmlrpc 2025-12-08 14:42:33 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:22854 https://access.redhat.com/errata/RHSA-2025:22854

Comment 8 errata-xmlrpc 2025-12-08 17:59:37 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:22865 https://access.redhat.com/errata/RHSA-2025:22865

Note You need to log in before you can comment on or make changes to this bug.