{"id":"CVE-2025-38109","summary":"net/mlx5: Fix ECVF vports unload on shutdown flow","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Fix ECVF vports unload on shutdown flow\n\nFix shutdown flow UAF when a virtual function is created on the embedded\nchip (ECVF) of a BlueField device. In such case the vport acl ingress\ntable is not properly destroyed.\n\nECVF functionality is independent of ecpf_vport_exists capability and\nthus functions mlx5_eswitch_(enable|disable)_pf_vf_vports() should not\ntest it when enabling/disabling ECVF vports.\n\nkernel log:\n[] refcount_t: underflow; use-after-free.\n[] WARNING: CPU: 3 PID: 1 at lib/refcount.c:28\n   refcount_warn_saturate+0x124/0x220\n----------------\n[] Call trace:\n[] refcount_warn_saturate+0x124/0x220\n[] tree_put_node+0x164/0x1e0 [mlx5_core]\n[] mlx5_destroy_flow_table+0x98/0x2c0 [mlx5_core]\n[] esw_acl_ingress_table_destroy+0x28/0x40 [mlx5_core]\n[] esw_acl_ingress_lgcy_cleanup+0x80/0xf4 [mlx5_core]\n[] esw_legacy_vport_acl_cleanup+0x44/0x60 [mlx5_core]\n[] esw_vport_cleanup+0x64/0x90 [mlx5_core]\n[] mlx5_esw_vport_disable+0xc0/0x1d0 [mlx5_core]\n[] mlx5_eswitch_unload_ec_vf_vports+0xcc/0x150 [mlx5_core]\n[] mlx5_eswitch_disable_sriov+0x198/0x2a0 [mlx5_core]\n[] mlx5_device_disable_sriov+0xb8/0x1e0 [mlx5_core]\n[] mlx5_sriov_detach+0x40/0x50 [mlx5_core]\n[] mlx5_unload+0x40/0xc4 [mlx5_core]\n[] mlx5_unload_one_devl_locked+0x6c/0xe4 [mlx5_core]\n[] mlx5_unload_one+0x3c/0x60 [mlx5_core]\n[] shutdown+0x7c/0xa4 [mlx5_core]\n[] pci_device_shutdown+0x3c/0xa0\n[] device_shutdown+0x170/0x340\n[] __do_sys_reboot+0x1f4/0x2a0\n[] __arm64_sys_reboot+0x2c/0x40\n[] invoke_syscall+0x78/0x100\n[] el0_svc_common.constprop.0+0x54/0x184\n[] do_el0_svc+0x30/0xac\n[] el0_svc+0x48/0x160\n[] el0t_64_sync_handler+0xa4/0x12c\n[] el0t_64_sync+0x1a4/0x1a8\n[] --[ end trace 9c4601d68c70030e ]---","modified":"2026-04-02T12:47:48.256085Z","published":"2025-07-03T08:35:19.240Z","related":["MGASA-2025-0218","MGASA-2025-0219","SUSE-SU-2025:02853-1","SUSE-SU-2025:02923-1","SUSE-SU-2025:02969-1","SUSE-SU-2025:02996-1","SUSE-SU-2025:02997-1","SUSE-SU-2025:03011-1","SUSE-SU-2025:03023-1","SUSE-SU-2025:03315-1","SUSE-SU-2025:03317-1","SUSE-SU-2025:03319-1","SUSE-SU-2025:03321-1","SUSE-SU-2025:03341-1","SUSE-SU-2025:03343-1","SUSE-SU-2025:03406-1","SUSE-SU-2025:03408-1","SUSE-SU-2025:03410-1","SUSE-SU-2025:03412-1","SUSE-SU-2025:03418-1","SUSE-SU-2025:03419-1","SUSE-SU-2025:20577-1","SUSE-SU-2025:20586-1","SUSE-SU-2025:20601-1","SUSE-SU-2025:20602-1","SUSE-SU-2025:20722-1","SUSE-SU-2025:20723-1","SUSE-SU-2025:20724-1","SUSE-SU-2025:20725-1","SUSE-SU-2025:20726-1","SUSE-SU-2025:20727-1","SUSE-SU-2025:20728-1","SUSE-SU-2025:20729-1","SUSE-SU-2025:20730-1","SUSE-SU-2025:20731-1","SUSE-SU-2025:20733-1","SUSE-SU-2025:20734-1","SUSE-SU-2025:20735-1","SUSE-SU-2025:20737-1","SUSE-SU-2025:20738-1","SUSE-SU-2025:20768-1","SUSE-SU-2025:20769-1","SUSE-SU-2025:20770-1","SUSE-SU-2025:20771-1","SUSE-SU-2025:20772-1","SUSE-SU-2025:20774-1","SUSE-SU-2025:20784-1","SUSE-SU-2025:20785-1","SUSE-SU-2025:20786-1","SUSE-SU-2025:20787-1","SUSE-SU-2025:20788-1","SUSE-SU-2025:20789-1","SUSE-SU-2025:20790-1","SUSE-SU-2025:21074-1","SUSE-SU-2025:21139-1","SUSE-SU-2025:21179-1","openSUSE-SU-2025:20081-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38109.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/24db585d369f949f698e03d7d8017e5ae19d0497"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5953ae44dfe5dbad374318875be834c3b7b71ee6"},{"type":"WEB","url":"https://git.kernel.org/stable/c/687560d8a9a2d654829ad0da1ec24242f1de711d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/da15ca0553325acf68039015f2f4db750c8e2b96"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38109.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38109"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"a7719b29a82199b90ebbf355d3332e0fbfbf6045"},{"fixed":"5953ae44dfe5dbad374318875be834c3b7b71ee6"},{"fixed":"da15ca0553325acf68039015f2f4db750c8e2b96"},{"fixed":"24db585d369f949f698e03d7d8017e5ae19d0497"},{"fixed":"687560d8a9a2d654829ad0da1ec24242f1de711d"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-38109.json"}}],"schema_version":"1.7.5"}