{"id":"CVE-2025-40238","summary":"net/mlx5: Fix IPsec cleanup over MPV device","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Fix IPsec cleanup over MPV device\n\nWhen we do mlx5e_detach_netdev() we eventually disable blocking events\nnotifier, among those events are IPsec MPV events from IB to core.\n\nSo before disabling those blocking events, make sure to also unregister\nthe devcom device and mark all this device operations as complete,\nin order to prevent the other device from using invalid netdev\nduring future devcom events which could cause the trace below.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000010\nPGD 146427067 P4D 146427067 PUD 146488067 PMD 0\nOops: Oops: 0000 [#1] SMP\nCPU: 1 UID: 0 PID: 7735 Comm: devlink Tainted: GW 6.12.0-rc6_for_upstream_min_debug_2024_11_08_00_46 #1\nTainted: [W]=WARN\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nRIP: 0010:mlx5_devcom_comp_set_ready+0x5/0x40 [mlx5_core]\nCode: 00 01 48 83 05 23 32 1e 00 01 41 b8 ed ff ff ff e9 60 ff ff ff 48 83 05 00 32 1e 00 01 eb e3 66 0f 1f 44 00 00 0f 1f 44 00 00 \u003c48\u003e 8b 47 10 48 83 05 5f 32 1e 00 01 48 8b 50 40 48 85 d2 74 05 40\nRSP: 0018:ffff88811a5c35f8 EFLAGS: 00010206\nRAX: ffff888106e8ab80 RBX: ffff888107d7e200 RCX: ffff88810d6f0a00\nRDX: ffff88810d6f0a00 RSI: 0000000000000001 RDI: 0000000000000000\nRBP: ffff88811a17e620 R08: 0000000000000040 R09: 0000000000000000\nR10: ffff88811a5c3618 R11: 0000000de85d51bd R12: ffff88811a17e600\nR13: ffff88810d6f0a00 R14: 0000000000000000 R15: ffff8881034bda80\nFS:  00007f27bdf89180(0000) GS:ffff88852c880000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000010 CR3: 000000010f159005 CR4: 0000000000372eb0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n ? __die+0x20/0x60\n ? page_fault_oops+0x150/0x3e0\n ? exc_page_fault+0x74/0x130\n ? asm_exc_page_fault+0x22/0x30\n ? mlx5_devcom_comp_set_ready+0x5/0x40 [mlx5_core]\n mlx5e_devcom_event_mpv+0x42/0x60 [mlx5_core]\n mlx5_devcom_send_event+0x8c/0x170 [mlx5_core]\n blocking_event+0x17b/0x230 [mlx5_core]\n notifier_call_chain+0x35/0xa0\n blocking_notifier_call_chain+0x3d/0x60\n mlx5_blocking_notifier_call_chain+0x22/0x30 [mlx5_core]\n mlx5_core_mp_event_replay+0x12/0x20 [mlx5_core]\n mlx5_ib_bind_slave_port+0x228/0x2c0 [mlx5_ib]\n mlx5_ib_stage_init_init+0x664/0x9d0 [mlx5_ib]\n ? idr_alloc_cyclic+0x50/0xb0\n ? __kmalloc_cache_noprof+0x167/0x340\n ? __kmalloc_noprof+0x1a7/0x430\n __mlx5_ib_add+0x34/0xd0 [mlx5_ib]\n mlx5r_probe+0xe9/0x310 [mlx5_ib]\n ? kernfs_add_one+0x107/0x150\n ? __mlx5_ib_add+0xd0/0xd0 [mlx5_ib]\n auxiliary_bus_probe+0x3e/0x90\n really_probe+0xc5/0x3a0\n ? driver_probe_device+0x90/0x90\n __driver_probe_device+0x80/0x160\n driver_probe_device+0x1e/0x90\n __device_attach_driver+0x7d/0x100\n bus_for_each_drv+0x80/0xd0\n __device_attach+0xbc/0x1f0\n bus_probe_device+0x86/0xa0\n device_add+0x62d/0x830\n __auxiliary_device_add+0x3b/0xa0\n ? auxiliary_device_init+0x41/0x90\n add_adev+0xd1/0x150 [mlx5_core]\n mlx5_rescan_drivers_locked+0x21c/0x300 [mlx5_core]\n esw_mode_change+0x6c/0xc0 [mlx5_core]\n mlx5_devlink_eswitch_mode_set+0x21e/0x640 [mlx5_core]\n devlink_nl_eswitch_set_doit+0x60/0xe0\n genl_family_rcv_msg_doit+0xd0/0x120\n genl_rcv_msg+0x180/0x2b0\n ? devlink_get_from_attrs_lock+0x170/0x170\n ? devlink_nl_eswitch_get_doit+0x290/0x290\n ? devlink_nl_pre_doit_port_optional+0x50/0x50\n ? genl_family_rcv_msg_dumpit+0xf0/0xf0\n netlink_rcv_skb+0x54/0x100\n genl_rcv+0x24/0x40\n netlink_unicast+0x1fc/0x2d0\n netlink_sendmsg+0x1e4/0x410\n __sock_sendmsg+0x38/0x60\n ? sockfd_lookup_light+0x12/0x60\n __sys_sendto+0x105/0x160\n ? __sys_recvmsg+0x4e/0x90\n __x64_sys_sendto+0x20/0x30\n do_syscall_64+0x4c/0x100\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\nRIP: 0033:0x7f27bc91b13a\nCode: bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 8b 05 fa 96 2c 00 45 89 c9 4c 63 d1 48 63 ff 85 c0 75 15 b8 2c 00 00 00 0f 05 \u003c48\u003e 3d 00 f0 ff ff \n---truncated---","modified":"2026-03-31T17:29:20.922106Z","published":"2025-12-04T15:31:28.243Z","related":["SUSE-SU-2026:0447-1","SUSE-SU-2026:0472-1","SUSE-SU-2026:0587-1","SUSE-SU-2026:20207-1","SUSE-SU-2026:20220-1","SUSE-SU-2026:20228-1","SUSE-SU-2026:20477-1","SUSE-SU-2026:20498-1","SUSE-SU-2026:20845-1","SUSE-SU-2026:20876-1","openSUSE-SU-2026:20145-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40238.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/664f76be38a18c61151d0ef248c7e2f3afb4f3c7"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7e212cebc863c2c7a82f480446cd731721451691"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8956686d398eca6d324d2d164f9d2a281175a3a1"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40238.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-40238"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"82f9378c443c206d3f9e45844306e5270e7e4109"},{"fixed":"7e212cebc863c2c7a82f480446cd731721451691"},{"fixed":"8956686d398eca6d324d2d164f9d2a281175a3a1"},{"fixed":"664f76be38a18c61151d0ef248c7e2f3afb4f3c7"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40238.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.56"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.17.6"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40238.json"}}],"schema_version":"1.7.5"}