2429074 – (CVE-2025-68779) CVE-2025-68779 kernel: net/mlx5e: Avoid unregistering PSP twice

Bug 2429074 (CVE-2025-68779) - CVE-2025-68779 kernel: net/mlx5e: Avoid unregistering PSP twice

Summary: CVE-2025-68779 kernel: net/mlx5e: Avoid unregistering PSP twice

Keywords:
Status:	NEW
Alias:	CVE-2025-68779
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-01-13 16:04 UTC by OSIDB Bzimport
Modified:	2026-01-15 01:16 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-01-13 16:04:52 UTC

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: Avoid unregistering PSP twice

PSP is unregistered twice in:
_mlx5e_remove -> mlx5e_psp_unregister
mlx5e_nic_cleanup -> mlx5e_psp_unregister

This leads to a refcount underflow in some conditions:
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 2 PID: 1694 at lib/refcount.c:28 refcount_warn_saturate+0xd8/0xe0
[...]
 mlx5e_psp_unregister+0x26/0x50 [mlx5_core]
 mlx5e_nic_cleanup+0x26/0x90 [mlx5_core]
 mlx5e_remove+0xe6/0x1f0 [mlx5_core]
 auxiliary_bus_remove+0x18/0x30
 device_release_driver_internal+0x194/0x1f0
 bus_remove_device+0xc6/0x130
 device_del+0x159/0x3c0
 mlx5_rescan_drivers_locked+0xbc/0x2a0 [mlx5_core]
[...]

Do not directly remove psp from the _mlx5e_remove path, the PSP cleanup
happens as part of profile cleanup.

Comment 1 Jon Moroney 2026-01-15 01:12:20 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026011300-CVE-2025-68779-726e@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.