
CVE-2025-40238: Addressing IPsec Cleanup Issue in Mellanox mlx5 Driver

Overview

CVE-2025-40238 is a Linux kernel vulnerability in the Mellanox mlx5 Ethernet driver (mlx5_core/mlx5e). It concerns the order in which IPsec state is cleaned up when a netdev is detached on an MPV (multi-port vHCA) device. Because the cleanup steps ran in the wrong order, a late devcom event could dereference a NULL pointer and oops the kernel, which is a denial-of-service condition. This article walks through the mechanism, the impact, and the fix.

Technical Details

The bug is in the netdev detach path, mlx5e_detach_netdev(). That function disables the blocking events notifier, the channel over which IPsec MPV events are delivered from the InfiniBand driver (mlx5_ib) to mlx5_core. Before the fix, the driver disabled that notifier first and only afterwards unregistered the devcom component (the object that pairs the two ports of an MPV device) and marked its operations complete. In that window a devcom event could still arrive and be processed against a netdev that had already been detached, so the handler dereferenced a NULL pointer and the kernel oopsed. The defect is a lifetime-ordering error: a callback source was left registered after the object it calls back into had been torn down.

The provided crash dump illustrates the problem:

BUG: kernel NULL pointer dereference, address: 0000000000000010
PGD 146427067 P4D 146427067 PUD 146488067 PMD 0
Oops: 0000 [#1] SMP
CPU: 1 UID: 0 PID: 7735 Comm: devlink Tainted: G        W 6.12.0-rc6_for_upstream_min_debug_2024_11_08_00_46 #1
Tainted: [W]=WARN
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
RIP: 0010:mlx5_devcom_comp_set_ready+0x5/0x40 [mlx5_core]
... (Call Trace omitted for brevity) ...

The faulting instruction is at mlx5_devcom_comp_set_ready+0x5, only five bytes into the function, and the faulting address is 0x10: a NULL base pointer plus a small structure-member offset, the classic signature of a NULL pointer dereference rather than a wild or freed pointer. The omitted call trace runs through the IPsec MPV event handling and the devcom framework. Two details in the header matter for assessing exposure: the faulting task is devlink running as UID 0, so the reproduced trigger was an administrative device operation executed as root, and the Oops: 0000 code indicates a read fault in kernel mode.

CVSS Analysis

No CVSS score is published for this CVE: the Linux kernel CNA, which issued it, does not assign CVSS vectors to its records, so any score you encounter comes from a downstream distributor or vulnerability scanner rather than from the source. Assessed on its own merits, this is purely an availability issue. The attack vector is local and, going by the crash dump, the trigger is a privileged operation (a devlink command run as root) on a host that has an mlx5 adapter in MPV mode with IPsec configured; there is no confidentiality or integrity impact. A practitioner would therefore treat it as a moderate-severity stability bug for affected hosts rather than a remotely triggerable DoS, while still patching promptly, since the detach path also runs on driver unload and devlink reload.

Possible Impact

The primary impact of CVE-2025-40238 is denial of service. An oops in this path kills the task that triggered it and leaves the kernel tainted; on systems with panic_on_oops set, which is common in hardened and production configurations, it becomes a full kernel panic and the host halts or reboots. Either way, network services that depend on the affected Mellanox adapter and its IPsec offload are disrupted. The flaw does not expose data directly, but an unexpected crash can cause loss of unsynced data and knock out services that depend on the host, so it deserves attention on any system where the detach path (driver reload, devlink reload, device removal) is exercised while IPsec MPV is in use.

Mitigation or Patch Steps

The fix reorders mlx5e_detach_netdev() so that the devcom component is unregistered, and its operations marked complete, before the blocking events notifier is disabled. Once the component is gone, a late devcom event has nothing to dispatch to and can no longer reach the detached netdev.
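To make the ordering problem from the Technical Details section and the reordering that fixes it concrete, here is an added user-space model in C. It is written for this article and is not mlx5 driver code: the detach path is reduced to three steps, a peer-port devcom component keeps a back-pointer to the driver's private data, and a single event is injected at every possible point in the sequence. The struct names, the model_ functions, the three-step sequence and the way the event reaches the netdev are simplifications assumed for illustration, not the driver's real data structures.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Outcome of one peer-port (devcom) event delivered during detach. */
enum event_result {
    EVENT_IGNORED,     /* component already unregistered: dropped safely    */
    EVENT_HANDLED,     /* netdev still attached: handled normally            */
    EVENT_NULL_DEREF   /* handler would touch a detached netdev: kernel oops */
};

struct model_netdev { unsigned int mtu; };   /* assumed stand-in for net_device */

/* Assumed stand-in for the driver-private state behind the netdev. */
struct model_priv {
    struct model_netdev *netdev;         /* NULL once the netdev is detached    */
    bool blocking_events_enabled;        /* models the blocking events notifier */
};

/* Assumed stand-in for the devcom component pairing the two ports of an MPV
 * device.  Its back-pointer to priv is what becomes dangerous once priv is gone. */
struct model_devcom_comp {
    struct model_priv *priv;
    bool registered;
    bool ready;
};

/* Event from the peer port.  The real oops is inside mlx5_devcom_comp_set_ready();
 * this model reports what would happen instead of faulting.  The event is not
 * gated by the blocking events notifier, so disabling that alone cannot help. */
static enum event_result model_devcom_event(struct model_devcom_comp *comp)
{
    struct model_netdev *netdev;
    if (!comp->registered)
        return EVENT_IGNORED;
    netdev = comp->priv->netdev;
    if (netdev == NULL)          /* the NULL + small offset (0x10) access in the oops */
        return EVENT_NULL_DEREF;
    comp->ready = true;
    (void)netdev->mtu;
    return EVENT_HANDLED;
}

/* The detach path reduced to three steps (an assumption of this model). */
enum detach_step {
    STEP_DISABLE_NOTIFIER,   /* stop delivering blocking events         */
    STEP_UNREGISTER_DEVCOM,  /* mark operations complete and unregister */
    STEP_CLEAR_NETDEV        /* the netdev is gone from this point on   */
};

static void model_detach_step(struct model_priv *priv, struct model_devcom_comp *comp,
                              enum detach_step step)
{
    switch (step) {
    case STEP_DISABLE_NOTIFIER: priv->blocking_events_enabled = false; break;
    case STEP_UNREGISTER_DEVCOM: comp->ready = false; comp->registered = false; break;
    case STEP_CLEAR_NETDEV: priv->netdev = NULL; break;
    }
}

/* Run `order` and inject one devcom event after `fire_after` steps
 * (0 = before any step, n = after the last).  Returns the event outcome. */
static enum event_result model_detach_with_event(const enum detach_step *order,
                                                 size_t n, size_t fire_after)
{
    struct model_netdev netdev = { 1500 };                       /* constructed */
    struct model_priv priv = { &netdev, true };
    struct model_devcom_comp comp = { &priv, true, true };
    enum event_result result = EVENT_HANDLED;
    size_t i;
    for (i = 0; i <= n; i++) {
        if (i == fire_after)
            result = model_devcom_event(&comp);
        if (i < n)
            model_detach_step(&priv, &comp, order[i]);
    }
    return result;
}

/* An order is safe only if no injection point lets an event reach a cleared
 * netdev; sweeping every point is the check that would have caught the bug. */
static bool model_detach_order_is_safe(const enum detach_step *order, size_t n)
{
    size_t fire_after;
    for (fire_after = 0; fire_after <= n; fire_after++)
        if (model_detach_with_event(order, n, fire_after) == EVENT_NULL_DEREF)
            return false;
    return true;
}

#define N_STEPS 3
/* Pre-fix order: notifier disabled first, devcom unregistered last. */
static const enum detach_step buggy_order[N_STEPS] = {
    STEP_DISABLE_NOTIFIER, STEP_CLEAR_NETDEV, STEP_UNREGISTER_DEVCOM };
/* Fixed order: devcom unregistered and marked complete before anything else. */
static const enum detach_step fixed_order[N_STEPS] = {
    STEP_UNREGISTER_DEVCOM, STEP_DISABLE_NOTIFIER, STEP_CLEAR_NETDEV };

int main(void)
{
    printf("pre-fix detach order safe: %s\n",
           model_detach_order_is_safe(buggy_order, N_STEPS) ? "yes" : "no");
    printf("fixed detach order safe:   %s\n",
           model_detach_order_is_safe(fixed_order, N_STEPS) ? "yes" : "no");
    return 0;
}
```

Compile with cc -std=c99 and run. The sweep reports the pre-fix order as unsafe because an event landing after the netdev is cleared but before the devcom component is unregistered reaches a NULL pointer, while in the fixed order every event after the first step is dropped as EVENT_IGNORED. The rule the sweep encodes is the general one behind this class of bug: anything that can call back into an object must be unregistered before the object's state is torn down, and teardown code should be checked against every point at which such a callback can fire.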

To mitigate this vulnerability, apply the upstream fix or move to a kernel that already contains it:

  • Upgrade to a kernel release that carries the fix. The fixing commit and the stable branches it was backported to are listed in the CVE record published by the kernel CNA and in your distribution's advisory; the exact fixed versions are not reproduced here.
  • Until the kernel is updated, exposure is limited to operations that detach the mlx5 netdev (driver unload, devlink reload, device removal) while IPsec MPV is configured. Avoiding such reconfiguration on live hosts narrows the window but is not a substitute for the patch.
  • After updating, confirm that the running kernel (uname -r) is the fixed one rather than relying on the package being installed: the fix takes effect only after a reboot into the new kernel.

About the Author

Cybersecurity specialist and founder of Gowri Shankar Infosec, a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
