CVE-2025-40251
- Source
- https://cve.org/CVERecord?id=CVE-2025-40251
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40251.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-40251
- Aliases
- Downstream
- Related
- Published
- 2025-12-04T16:08:13.710Z
- Modified
- 2026-02-06T11:58:44.533791Z
- Summary
- devlink: rate: Unset parent pointer in devl_rate_nodes_destroy
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
devlink: rate: Unset parent pointer in devlratenodes_destroy
The function devlratenodes_destroy is documented to "Unset parent for all rate objects". However, it was only calling the driver-specific
rate_leaf_parent_setorrate_node_parent_setops and decrementing the parent's refcount, without actually setting thedevlink_rate->parentpointer to NULL.This leaves a dangling pointer in the
devlink_ratestruct, which cause refcount error in netdevsim[1] and mlx5[2]. In addition, this is inconsistent with the behavior ofdevlink_nl_rate_parent_node_set, where the parent pointer is correctly cleared.This patch fixes the issue by explicitly setting
devlink_rate->parentto NULL after notifying the driver, thus fulfilling the function's documented behavior for all rate objects.[1] repro steps: echo 1 > /sys/bus/netdevsim/newdevice devlink dev eswitch set netdevsim/netdevsim1 mode switchdev echo 1 > /sys/bus/netdevsim/devices/netdevsim1/sriovnumvfs devlink port function rate add netdevsim/netdevsim1/testnode devlink port function rate set netdevsim/netdevsim1/128 parent testnode echo 1 > /sys/bus/netdevsim/del_device
dmesg: refcountt: decrement hit 0; leaking memory. WARNING: CPU: 8 PID: 1530 at lib/refcount.c:31 refcountwarnsaturate+0x42/0xe0 CPU: 8 UID: 0 PID: 1530 Comm: bash Not tainted 6.18.0-rc4+ #1 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:refcountwarnsaturate+0x42/0xe0 Call Trace: <TASK> devlrateleafdestroy+0x8d/0x90 _nsimdevportdel+0x6c/0x70 [netdevsim] nsimdevreloaddestroy+0x11c/0x140 [netdevsim] nsimdrvremove+0x2b/0xb0 [netdevsim] devicereleasedriverinternal+0x194/0x1f0 busremovedevice+0xc6/0x130 devicedel+0x159/0x3c0 deviceunregister+0x1a/0x60 deldevicestore+0x111/0x170 [netdevsim] kernfsfopwriteiter+0x12e/0x1e0 vfswrite+0x215/0x3d0 ksyswrite+0x5f/0xd0 dosyscall64+0x55/0x10f0 entrySYSCALL64after_hwframe+0x4b/0x53
[2] devlink dev eswitch set pci/0000:08:00.0 mode switchdev devlink port add pci/0000:08:00.0 flavour pcisf pfnum 0 sfnum 1000 devlink port function rate add pci/0000:08:00.0/group1 devlink port function rate set pci/0000:08:00.0/32768 parent group1 modprobe -r mlx5ib mlx5fwctl mlx5_core
dmesg: refcountt: decrement hit 0; leaking memory. WARNING: CPU: 7 PID: 16151 at lib/refcount.c:31 refcountwarnsaturate+0x42/0xe0 CPU: 7 UID: 0 PID: 16151 Comm: bash Not tainted 6.17.0-rc7forupstreammindebug202510021244 #1 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 RIP: 0010:refcountwarnsaturate+0x42/0xe0 Call Trace: <TASK> devlrateleafdestroy+0x8d/0x90 mlx5eswoffloadsdevlinkportunregister+0x33/0x60 [mlx5core] mlx5eswoffloadsunloadrep+0x3f/0x50 [mlx5core] mlx5eswitchunloadsfvport+0x40/0x90 [mlx5core] mlx5sfeswevent+0xc4/0x120 [mlx5core] notifiercallchain+0x33/0xa0 blockingnotifiercallchain+0x3b/0x50 mlx5eswitchdisablelocked+0x50/0x110 [mlx5core] mlx5eswitchdisable+0x63/0x90 [mlx5core] mlx5unload+0x1d/0x170 [mlx5core] mlx5uninitone+0xa2/0x130 [mlx5core] removeone+0x78/0xd0 [mlx5core] pcideviceremove+0x39/0xa0 devicereleasedriverinternal+0x194/0x1f0 unbindstore+0x99/0xa0 kernfsfopwriteiter+0x12e/0x1e0 vfswrite+0x215/0x3d0 ksyswrite+0x5f/0xd0 dosyscall64+0x53/0x1f0 entrySYSCALL64after_hwframe+0x4b/0x53
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40251.json", "cna_assigner": "Linux" }- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/542f45486f1ce2d2dde75bd85aca0389ef7046c3
- https://git.kernel.org/stable/c/715d9cda646a8a38ea8b2bb5afb679a7464055e2
- https://git.kernel.org/stable/c/c70df6c17d389cc743f0eb30160e2d6bc6910db8
- https://git.kernel.org/stable/c/f94c1a114ac209977bdf5ca841b98424295ab1f0
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40251.json
- https://nvd.nist.gov/vuln/detail/CVE-2025-40251
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedd7555984507822458b32a6405881038241d140beFixed715d9cda646a8a38ea8b2bb5afb679a7464055e2Fixedc70df6c17d389cc743f0eb30160e2d6bc6910db8Fixed542f45486f1ce2d2dde75bd85aca0389ef7046c3Fixedf94c1a114ac209977bdf5ca841b98424295ab1f0