{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2025-21732","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-12-29T08:45:45.756Z","datePublished":"2025-02-27T02:12:10.626Z","dateUpdated":"2025-05-04T07:19:58.200Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T07:19:58.200Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Fix a race for an ODP MR which leads to CQE with error\n\nThis patch addresses a race condition for an ODP MR that can result in a\nCQE with an error on the UMR QP.\n\nDuring the __mlx5_ib_dereg_mr() flow, the following sequence of calls\noccurs:\n\nmlx5_revoke_mr()\n mlx5r_umr_revoke_mr()\n mlx5r_umr_post_send_wait()\n\nAt this point, the lkey is freed from the hardware's perspective.\n\nHowever, concurrently, mlx5_ib_invalidate_range() might be triggered by\nanother task attempting to invalidate a range for the same freed lkey.\n\nThis task will:\n - Acquire the umem_odp->umem_mutex lock.\n - Call mlx5r_umr_update_xlt() on the UMR QP.\n - Since the lkey has already been freed, this can lead to a CQE error,\n   causing the UMR QP to enter an error state [1].\n\nTo resolve this race condition, the umem_odp->umem_mutex lock is now also\nacquired as part of the mlx5_revoke_mr() scope.  Upon successful revoke,\nwe set umem_odp->private which points to that MR to NULL, preventing any\nfurther invalidation attempts on its lkey.\n\n[1] From dmesg:\n\n   infiniband rocep8s0f0: dump_cqe:277:(pid 0): WC error: 6, Message: memory bind operation error\n   cqe_dump: 00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n   cqe_dump: 00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n   cqe_dump: 00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n   cqe_dump: 00000030: 00 00 00 00 08 00 78 06 25 00 11 b9 00 0e dd d2\n\n   WARNING: CPU: 15 PID: 1506 at drivers/infiniband/hw/mlx5/umr.c:394 mlx5r_umr_post_send_wait+0x15a/0x2b0 [mlx5_ib]\n   Modules linked in: ip6table_mangle ip6table_natip6table_filter ip6_tables iptable_mangle xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_umad ib_ipoib ib_cm mlx5_ib ib_uverbs ib_core fuse mlx5_core\n   CPU: 15 UID: 0 PID: 1506 Comm: ibv_rc_pingpong Not tainted 6.12.0-rc7+ #1626\n   Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n   RIP: 0010:mlx5r_umr_post_send_wait+0x15a/0x2b0 [mlx5_ib]\n   [..]\n   Call Trace:\n   <TASK>\n   mlx5r_umr_update_xlt+0x23c/0x3e0 [mlx5_ib]\n   mlx5_ib_invalidate_range+0x2e1/0x330 [mlx5_ib]\n   __mmu_notifier_invalidate_range_start+0x1e1/0x240\n   zap_page_range_single+0xf1/0x1a0\n   madvise_vma_behavior+0x677/0x6e0\n   do_madvise+0x1a2/0x4b0\n   __x64_sys_madvise+0x25/0x30\n   do_syscall_64+0x6b/0x140\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/infiniband/hw/mlx5/mr.c","drivers/infiniband/hw/mlx5/odp.c"],"versions":[{"version":"e6fb246ccafbdfc86e0750af021628132fdbceac","lessThan":"b13d32786acabf70a7b04ed24b7468fc3c82977c","status":"affected","versionType":"git"},{"version":"e6fb246ccafbdfc86e0750af021628132fdbceac","lessThan":"5297f5ddffef47b94172ab0d3d62270002a3dcc1","status":"affected","versionType":"git"},{"version":"e6fb246ccafbdfc86e0750af021628132fdbceac","lessThan":"abb604a1a9c87255c7a6f3b784410a9707baf467","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/infiniband/hw/mlx5/mr.c","drivers/infiniband/hw/mlx5/odp.c"],"versions":[{"version":"5.13","status":"affected"},{"version":"0","lessThan":"5.13","status":"unaffected","versionType":"semver"},{"version":"6.12.14","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.13.3","lessThanOrEqual":"6.13.*","status":"unaffected","versionType":"semver"},{"version":"6.14","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.13","versionEndExcluding":"6.12.14"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.13","versionEndExcluding":"6.13.3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.13","versionEndExcluding":"6.14"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/b13d32786acabf70a7b04ed24b7468fc3c82977c"},{"url":"https://git.kernel.org/stable/c/5297f5ddffef47b94172ab0d3d62270002a3dcc1"},{"url":"https://git.kernel.org/stable/c/abb604a1a9c87255c7a6f3b784410a9707baf467"}],"title":"RDMA/mlx5: Fix a race for an ODP MR which leads to CQE with error","x_generator":{"engine":"bippy-1.2.0"}}}}