CVE-2025-21675

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5: Clear port select structure when fail to create

Clear the port select structure on error so no stale values left after definers are destroyed. That's because the mlx5lagdestroydefiners() always try to destroy all lag definers in the ttmap, so in the flow below lag definers get double-destroyed and cause kernel crash:

mlx5lagportselcreate() mlx5lagcreatedefiners() mlx5lagcreatedefiner() <- Failed on tt 1 mlx5lagdestroydefiners() <- definers[tt=0] gets destroyed mlx5lagportselcreate() mlx5lagcreatedefiners() mlx5lagcreatedefiner() <- Failed on tt 0 mlx5lagdestroydefiners() <- definers[tt=0] gets double-destroyed

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008 Mem abort info: ESR = 0x0000000096000005 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x05: level 1 translation fault Data abort info: ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 user pgtable: 64k pages, 48-bit VAs, pgdp=0000000112ce2e00 [0000000000000008] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000 Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP Modules linked in: iptableraw bonding ipgre ip6gre gre ip6tunnel tunnel6 geneve ip6udptunnel udptunnel ipip tunnel4 iptunnel rdmaucm(OE) rdmacm(OE) iwcm(OE) ibipoib(OE) ibcm(OE) ibumad(OE) mlx5ib(OE) ibuverbs(OE) mlx5fwctl(OE) fwctl(OE) mlx5core(OE) mlxdevm(OE) ibcore(OE) mlxfw(OE) memtrack(OE) mlxcompat(OE) openvswitch nsh nfconncount psample xtconntrack xtMASQUERADE nfconntracknetlink nfnetlink xfrmuser xfrmalgo xtaddrtype iptablefilter iptablenat nfnat nfconntrack nfdefragipv6 nfdefragipv4 brnetfilter bridge stp llc netconsole overlay efipstore schfqcodel zram iptables crct10difce qemufwcfg fuse ipv6 crcccitt [last unloaded: mlxcompat(OE)] CPU: 3 UID: 0 PID: 217 Comm: kworker/u53:2 Tainted: G OE 6.11.0+ #2 Tainted: [O]=OOTMODULE, [E]=UNSIGNEDMODULE Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015 Workqueue: mlx5lag mlx5dobondwork [mlx5core] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : mlx5delflowrules+0x24/0x2c0 [mlx5core] lr : mlx5lagdestroydefiner+0x54/0x100 [mlx5core] sp : ffff800085fafb00 x29: ffff800085fafb00 x28: ffff0000da0c8000 x27: 0000000000000000 x26: ffff0000da0c8000 x25: ffff0000da0c8000 x24: ffff0000da0c8000 x23: ffff0000c31f81a0 x22: 0400000000000000 x21: ffff0000da0c8000 x20: 0000000000000000 x19: 0000000000000001 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffff8b0c9350 x14: 0000000000000000 x13: ffff800081390d18 x12: ffff800081dc3cc0 x11: 0000000000000001 x10: 0000000000000b10 x9 : ffff80007ab7304c x8 : ffff0000d00711f0 x7 : 0000000000000004 x6 : 0000000000000190 x5 : ffff00027edb3010 x4 : 0000000000000000 x3 : 0000000000000000 x2 : ffff0000d39b8000 x1 : ffff0000d39b8000 x0 : 0400000000000000 Call trace: mlx5delflowrules+0x24/0x2c0 [mlx5core] mlx5lagdestroydefiner+0x54/0x100 [mlx5core] mlx5lagdestroydefiners+0xa0/0x108 [mlx5core] mlx5lagportselcreate+0x2d4/0x6f8 [mlx5core] mlx5activatelag+0x60c/0x6f8 [mlx5core] mlx5dobondwork+0x284/0x5c8 [mlx5core] processonework+0x170/0x3e0 workerthread+0x2d8/0x3e0 kthread+0x11c/0x128 retfromfork+0x10/0x20 Code: a9025bf5 aa0003f6 a90363f7 f90023f9 (f9400400) ---[ end trace 0000000000000000 ]---