Overview
CVE-2025-40251 describes a vulnerability in the Linux kernel's handling of devlink rate objects. The devl_rate_nodes_destroy() function in net/devlink/rate.c dropped each rate object's reference on its parent but never cleared devlink_rate->parent, so the pointer was left dangling once the parent nodes were freed. A later devl_rate_leaf_destroy() then decremented the parent's refcount a second time through that stale pointer, which the kernel's refcount_t checks report as "refcount_t: decrement hit 0; leaking memory". The known effect is leaked memory and a kernel warning on driver unload or VF removal, with the usual risk of instability that a stale kernel pointer carries.
Technical Details
The vulnerability resides in devl_rate_nodes_destroy() in the Linux kernel's networking subsystem. This function unsets the parent of every rate object (leaves and nodes) before the rate nodes themselves are freed. The original implementation decremented the parent's refcount and told the driver to detach the object from its parent through the rate_leaf_parent_set or rate_node_parent_set operation, but it did not set devlink_rate->parent to NULL. Because the pointer survived, the per-port cleanup in devl_rate_leaf_destroy() still saw a parent and decremented its refcount again, through a pointer to a node that had already been torn down. The refcount_t implementation detects the count hitting zero on a plain decrement and emits "refcount_t: decrement hit 0; leaking memory", saturating the counter instead of freeing anything.
The fix sets devlink_rate->parent to NULL immediately after notifying the driver, so no later code path can follow the stale pointer or drop the reference a second time.
The following kernel components are involved:
net/devlink/rate.c
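The double decrement described above, as an added userspace model that is not the kernel's code. It reproduces the teardown order on driver unload (devl_rate_nodes_destroy() first, then devl_rate_leaf_destroy() per port) with a stand-in refcount_t that saturates and warns like the kernel's. The names rate_nodes_destroy(), rate_leaf_destroy(), run_teardown() and the "group0"/"pf0vf0" objects are this example's own; node storage is kept allocated so the model itself stays memory-safe, whereas the kernel really frees the node before the stale decrement.

```c
/* Added example: userspace model of the devlink rate teardown, not kernel code. */
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for refcount_t. refcount_dec() must never bring the count to 0;
 * like the kernel it saturates the counter and reports the bad decrement. */
#define REFCOUNT_SATURATED (INT_MIN / 2)
struct refcount { int value; };
static int g_bad_decrements;   /* decrements that hit 0 or ran on a saturated count */

static void refcount_set(struct refcount *r, int v) { r->value = v; }
static void refcount_inc(struct refcount *r) { r->value++; }
static void refcount_dec(struct refcount *r)
{
    int old = r->value;
    if (old <= 1) {                       /* kernel: refcount_warn_saturate() */
        r->value = REFCOUNT_SATURATED;
        if (g_bad_decrements++ == 0)      /* the kernel uses WARN_ONCE here */
            fprintf(stderr, "refcount_t: decrement hit 0; leaking memory\n");
        return;
    }
    r->value = old - 1;
}

/* A devlink_rate object: a node (group) or a port leaf. */
struct rate {
    const char *name;
    bool is_node;
    struct rate *parent;    /* devlink_rate->parent */
    struct refcount refcnt;
    bool freed;             /* stands in for kfree(); storage is kept so the model is safe */
};

/* One devlink instance: a single node with NLEAVES leaves parented to it. */
#define NLEAVES 2
struct model { struct rate node; struct rate leaf[NLEAVES]; };

static void model_init(struct model *m)
{
    static const char *const leaf_names[NLEAVES] = { "pf0vf0", "pf0vf1" };
    memset(m, 0, sizeof(*m));
    m->node.name = "group0";
    m->node.is_node = true;
    refcount_set(&m->node.refcnt, 1);          /* node creation holds one reference */
    for (int i = 0; i < NLEAVES; i++) {
        m->leaf[i].name = leaf_names[i];
        m->leaf[i].parent = &m->node;          /* parent_set takes a reference */
        refcount_inc(&m->node.refcnt);
    }
}

/* Model of devl_rate_nodes_destroy(): unparent every rate object, then free
 * the nodes. 'fixed' selects whether the parent pointer is cleared. */
static void rate_nodes_destroy(struct model *m, bool fixed)
{
    struct rate *all[NLEAVES + 1] = { &m->node };
    for (int i = 0; i < NLEAVES; i++)
        all[i + 1] = &m->leaf[i];

    for (int i = 0; i < NLEAVES + 1; i++) {
        struct rate *r = all[i];
        if (!r->parent)
            continue;
        refcount_dec(&r->parent->refcnt);
        /* The driver's rate_leaf_parent_set()/rate_node_parent_set() callback
         * runs here with a NULL parent; it never touches devlink_rate->parent. */
        if (fixed)
            r->parent = NULL;   /* the upstream one-line fix */
    }
    m->node.freed = true;       /* kfree(devlink_rate) in the kernel */
}

/* Model of devl_rate_leaf_destroy(), run for each port on driver unload. */
static void rate_leaf_destroy(struct rate *leaf)
{
    if (leaf->parent)                        /* stale when the fix is absent */
        refcount_dec(&leaf->parent->refcnt);
    leaf->parent = NULL;
}

struct teardown_result {
    int bad_decrements;   /* refcount warnings the kernel would raise */
    int stale_parents;    /* leaves still pointing at a freed node */
};

/* Full unload sequence: nodes are torn down first, then each port's leaf. */
static struct teardown_result run_teardown(bool fixed)
{
    struct model m;
    struct teardown_result res = { 0, 0 };

    model_init(&m);
    g_bad_decrements = 0;
    rate_nodes_destroy(&m, fixed);
    for (int i = 0; i < NLEAVES; i++) {
        if (m.leaf[i].parent && m.leaf[i].parent->freed)
            res.stale_parents++;
        rate_leaf_destroy(&m.leaf[i]);
    }
    res.bad_decrements = g_bad_decrements;
    return res;
}

int main(void)
{
    struct teardown_result before = run_teardown(false), after = run_teardown(true);
    printf("unfixed: %d stale parent pointer(s), %d bad decrement(s)\n",
           before.stale_parents, before.bad_decrements);
    printf("fixed:   %d stale parent pointer(s), %d bad decrement(s)\n",
           after.stale_parents, after.bad_decrements);
    return 0;
}
```

With the fix absent, both leaves still point at the torn-down node and the first leaf's extra decrement takes the count to zero; the second leaf then decrements an already saturated counter, which the kernel would also flag but only print once. With the parent pointer cleared, no leaf carries a stale parent and no decrement misfires.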
CVSS Analysis
No CVSS score had been published for this CVE at the time of writing; that may change as more information becomes available. Until a score is assigned, treat it as a kernel reliability issue for hosts that use devlink rate objects: the known effect is a refcount warning and leaked memory whenever an affected driver is unloaded or its VFs are removed.
Possible Impact
The primary impact is a memory leak, which can degrade system stability over time. The bug surfaces as refcount warnings while network devices or modules that use the devlink subsystem are being torn down. Example scenarios that trigger it include:
- Unloading network device drivers (e.g., mlx5).
- Removing virtual functions (VFs) created with netdevsim.
Reproduction with the netdevsim and mlx5 drivers results in "refcount_t: decrement hit 0; leaking memory" warnings in the kernel log.
Mitigation and Patch Steps
The recommended mitigation is to apply the patch that fixes this vulnerability. The fix has been included in stable kernel releases; upgrade to a kernel that contains it, or apply the patch manually if you maintain your own kernel build.
The patch sets devlink_rate->parent to NULL immediately after notifying the driver, which removes the dangling pointer and the second refcount decrement.
To check whether a running system is affected, look in the kernel log (e.g., dmesg) for "refcount_t: decrement hit 0; leaking memory" warnings whose backtrace includes devl_rate_leaf_destroy or related devlink rate functions, after performing an action such as unloading a network driver module or removing virtual functions. Two caveats: the warning is emitted once per boot, so a system that already tripped it earlier will not log it again; and the absence of the message does not prove the kernel is patched, since it only appears when rate nodes with children are torn down. Confirm by kernel version and changelog rather than by log inspection alone.
