{"id":"CVE-2025-21714","summary":"RDMA/mlx5: Fix implicit ODP use after free","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Fix implicit ODP use after free\n\nPrevent double queueing of implicit ODP mr destroy work by using\n__xa_cmpxchg() to make sure this is the only time we are destroying this\nspecific mr.\n\nWithout this change, we could try to invalidate this mr twice, which in\nturn could result in queuing a MR work destroy twice, and eventually the\nsecond work could execute after the MR was freed due to the first work,\ncausing a user after free and trace below.\n\n   refcount_t: underflow; use-after-free.\n   WARNING: CPU: 2 PID: 12178 at lib/refcount.c:28 refcount_warn_saturate+0x12b/0x130\n   Modules linked in: bonding ib_ipoib vfio_pci ip_gre geneve nf_tables ip6_gre gre ip6_tunnel tunnel6 ipip tunnel4 ib_umad rdma_ucm mlx5_vfio_pci vfio_pci_core vfio_iommu_type1 mlx5_ib vfio ib_uverbs mlx5_core iptable_raw openvswitch nsh rpcrdma ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm ib_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay zram zsmalloc fuse [last unloaded: ib_uverbs]\n   CPU: 2 PID: 12178 Comm: kworker/u20:5 Not tainted 6.5.0-rc1_net_next_mlx5_58c644e #1\n   Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n   Workqueue: events_unbound free_implicit_child_mr_work [mlx5_ib]\n   RIP: 0010:refcount_warn_saturate+0x12b/0x130\n   Code: 48 c7 c7 38 95 2a 82 c6 05 bc c6 fe 00 01 e8 0c 66 aa ff 0f 0b 5b c3 48 c7 c7 e0 94 2a 82 c6 05 a7 c6 fe 00 01 e8 f5 65 aa ff \u003c0f\u003e 0b 5b c3 90 8b 07 3d 00 00 00 c0 74 12 83 f8 01 74 13 8d 50 ff\n   RSP: 0018:ffff8881008e3e40 EFLAGS: 00010286\n   RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000027\n   RDX: ffff88852c91b5c8 RSI: 0000000000000001 RDI: ffff88852c91b5c0\n   RBP: ffff8881dacd4e00 R08: 00000000ffffffff R09: 0000000000000019\n   R10: 000000000000072e R11: 0000000063666572 R12: ffff88812bfd9e00\n   R13: ffff8881c792d200 R14: ffff88810011c005 R15: ffff8881002099c0\n   FS:  0000000000000000(0000) GS:ffff88852c900000(0000) knlGS:0000000000000000\n   CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n   CR2: 00007f5694b5e000 CR3: 00000001153f6003 CR4: 0000000000370ea0\n   DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n   DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n   Call Trace:\n    \u003cTASK\u003e\n    ? refcount_warn_saturate+0x12b/0x130\n    free_implicit_child_mr_work+0x180/0x1b0 [mlx5_ib]\n    process_one_work+0x1cc/0x3c0\n    worker_thread+0x218/0x3c0\n    kthread+0xc6/0xf0\n    ret_from_fork+0x1f/0x30\n    \u003c/TASK\u003e","modified":"2026-05-18T05:56:14.673744315Z","published":"2025-02-27T02:07:25.570Z","related":["ALSA-2025:20518","SUSE-SU-2025:01919-1","SUSE-SU-2025:1177-1","SUSE-SU-2025:1178-1","SUSE-SU-2025:1180-1","SUSE-SU-2025:1183-1","SUSE-SU-2025:1195-1","SUSE-SU-2025:20190-1","SUSE-SU-2025:20192-1","SUSE-SU-2025:20260-1","SUSE-SU-2025:20270-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/21xxx/CVE-2025-21714.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/7cc8f681f6d4ae4478ae0f60485fc768f2b450da"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d3d930411ce390e532470194296658a960887773"},{"type":"WEB","url":"https://git.kernel.org/stable/c/edfb65dbb9ffd3102f3ff4dd21316158e56f1976"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/21xxx/CVE-2025-21714.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-21714"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"5256edcb98a14b11409a2d323f56a70a8b366363"},{"fixed":"7cc8f681f6d4ae4478ae0f60485fc768f2b450da"},{"fixed":"edfb65dbb9ffd3102f3ff4dd21316158e56f1976"},{"fixed":"d3d930411ce390e532470194296658a960887773"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-21714.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.5.0"},{"fixed":"6.12.13"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.13.2"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-21714.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}