CVE-2025-40251
BaseFortify

Publication date: 2025-12-04

Last updated on: 2026-02-26

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

devlink: rate: Unset parent pointer in devl_rate_nodes_destroy

The function devl_rate_nodes_destroy is documented to "Unset parent for all rate objects". However, it was only calling the driver-specific `rate_leaf_parent_set` or `rate_node_parent_set` ops and decrementing the parent's refcount, without actually setting the `devlink_rate->parent` pointer to NULL. This leaves a dangling pointer in the `devlink_rate` struct, which causes a refcount error in netdevsim [1] and mlx5 [2].

In addition, this is inconsistent with the behavior of `devlink_nl_rate_parent_node_set`, where the parent pointer is correctly cleared.

This patch fixes the issue by explicitly setting `devlink_rate->parent` to NULL after notifying the driver, thus fulfilling the function's documented behavior for all rate objects.

[1] repro steps:

    echo 1 > /sys/bus/netdevsim/new_device
    devlink dev eswitch set netdevsim/netdevsim1 mode switchdev
    echo 1 > /sys/bus/netdevsim/devices/netdevsim1/sriov_numvfs
    devlink port function rate add netdevsim/netdevsim1/test_node
    devlink port function rate set netdevsim/netdevsim1/128 parent test_node
    echo 1 > /sys/bus/netdevsim/del_device

dmesg:

    refcount_t: decrement hit 0; leaking memory.
    WARNING: CPU: 8 PID: 1530 at lib/refcount.c:31 refcount_warn_saturate+0x42/0xe0
    CPU: 8 UID: 0 PID: 1530 Comm: bash Not tainted 6.18.0-rc4+ #1 NONE
    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
    RIP: 0010:refcount_warn_saturate+0x42/0xe0
    Call Trace:
     <TASK>
     devl_rate_leaf_destroy+0x8d/0x90
     __nsim_dev_port_del+0x6c/0x70 [netdevsim]
     nsim_dev_reload_destroy+0x11c/0x140 [netdevsim]
     nsim_drv_remove+0x2b/0xb0 [netdevsim]
     device_release_driver_internal+0x194/0x1f0
     bus_remove_device+0xc6/0x130
     device_del+0x159/0x3c0
     device_unregister+0x1a/0x60
     del_device_store+0x111/0x170 [netdevsim]
     kernfs_fop_write_iter+0x12e/0x1e0
     vfs_write+0x215/0x3d0
     ksys_write+0x5f/0xd0
     do_syscall_64+0x55/0x10f0
     entry_SYSCALL_64_after_hwframe+0x4b/0x53

[2] repro steps:

    devlink dev eswitch set pci/0000:08:00.0 mode switchdev
    devlink port add pci/0000:08:00.0 flavour pcisf pfnum 0 sfnum 1000
    devlink port function rate add pci/0000:08:00.0/group1
    devlink port function rate set pci/0000:08:00.0/32768 parent group1
    modprobe -r mlx5_ib mlx5_fwctl mlx5_core

dmesg:

    refcount_t: decrement hit 0; leaking memory.
    WARNING: CPU: 7 PID: 16151 at lib/refcount.c:31 refcount_warn_saturate+0x42/0xe0
    CPU: 7 UID: 0 PID: 16151 Comm: bash Not tainted 6.17.0-rc7_for_upstream_min_debug_2025_10_02_12_44 #1 NONE
    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
    RIP: 0010:refcount_warn_saturate+0x42/0xe0
    Call Trace:
     <TASK>
     devl_rate_leaf_destroy+0x8d/0x90
     mlx5_esw_offloads_devlink_port_unregister+0x33/0x60 [mlx5_core]
     mlx5_esw_offloads_unload_rep+0x3f/0x50 [mlx5_core]
     mlx5_eswitch_unload_sf_vport+0x40/0x90 [mlx5_core]
     mlx5_sf_esw_event+0xc4/0x120 [mlx5_core]
     notifier_call_chain+0x33/0xa0
     blocking_notifier_call_chain+0x3b/0x50
     mlx5_eswitch_disable_locked+0x50/0x110 [mlx5_core]
     mlx5_eswitch_disable+0x63/0x90 [mlx5_core]
     mlx5_unload+0x1d/0x170 [mlx5_core]
     mlx5_uninit_one+0xa2/0x130 [mlx5_core]
     remove_one+0x78/0xd0 [mlx5_core]
     pci_device_remove+0x39/0xa0
     device_release_driver_internal+0x194/0x1f0
     unbind_store+0x99/0xa0
     kernfs_fop_write_iter+0x12e/0x1e0
     vfs_write+0x215/0x3d0
     ksys_write+0x5f/0xd0
     do_syscall_64+0x53/0x1f0
     entry_SYSCALL_64_after_hwframe+0x4b/0x53
Meta Information

Published: 2025-12-04
Last Modified: 2026-02-26
Generated: 2026-05-07
AI Q&A: 2025-12-04
EPSS Evaluated: 2026-05-05
Affected Vendors & Products

Associated CPEs (the source lists ten; six identical linux_kernel 6.18 entries are collapsed into one row):

Vendor   Product        Version / Range
linux    linux_kernel   6.18
linux    linux_kernel   From 6.13 (inc) to 6.17.10 (exc)
linux    linux_kernel   From 6.7 (inc) to 6.12.60 (exc)
linux    linux_kernel   From 6.2 (inc) to 6.6.118 (exc)
linux    linux_kernel   From 5.14 (inc) to 6.1.164 (exc)
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
AI Powered Q&A
Can you explain this vulnerability to me?

devlink rate objects form a tree: a leaf (a port) can be attached to a rate node, and each attachment takes a reference on the parent node. devl_rate_nodes_destroy, which runs when a driver tears down its devlink instance, is documented to unset the parent of every rate object. It did notify the driver (the rate_leaf_parent_set / rate_node_parent_set ops) and drop the parent's reference, but it never cleared `devlink_rate->parent`. When the ports are destroyed afterwards, devl_rate_leaf_destroy finds the stale parent pointer and drops the parent's reference a second time; that underflow is the "refcount_t: decrement hit 0" warning in the traces above, seen with both netdevsim and mlx5. The netlink path devlink_nl_rate_parent_node_set already cleared the pointer, so the fix brings devl_rate_nodes_destroy in line with it by setting `devlink_rate->parent` to NULL after the driver callback.


How can this vulnerability impact me?

The direct effect is a reference-count underflow on the parent rate node. refcount_t saturates rather than letting the count pass zero, so the kernel logs the WARNING shown in the description and leaks the object instead of freeing it (hence "leaking memory"). The impact is therefore a kernel warning plus a leaked allocation per device teardown, not a use-after-free; on hosts booted with panic_on_warn the warning becomes a panic, i.e. a denial of service. Reaching the path requires CAP_NET_ADMIN to configure devlink rate objects (switchdev mode, a rate node, a leaf parented to it) and the ability to remove the device or unload the driver, so it is a local, privileged trigger. It matters mainly on hosts that use mlx5 SR-IOV or subfunction setups with devlink rate limiting, and on test systems using netdevsim. It is not remotely reachable.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Because the fix is a kernel change, the reliable check is the running kernel version: compare `uname -r` with the ranges in the Affected Vendors & Products table (fixed in 6.1.164, 6.6.118, 6.12.60 and 6.17.10 on the respective stable branches). The reproducer from the commit message can confirm the bug on a test system, but it is destructive: the last step deletes the device or unbinds the mlx5 driver and takes the NIC offline, so do not run it on production hosts. Both sequences need root. For netdevsim (no hardware required, netdevsim module loaded):
1. echo 1 > /sys/bus/netdevsim/new_device
2. devlink dev eswitch set netdevsim/netdevsim1 mode switchdev
3. echo 1 > /sys/bus/netdevsim/devices/netdevsim1/sriov_numvfs
4. devlink port function rate add netdevsim/netdevsim1/test_node
5. devlink port function rate set netdevsim/netdevsim1/128 parent test_node
6. echo 1 > /sys/bus/netdevsim/del_device
For an mlx5 device (substitute your PCI address):
1. devlink dev eswitch set pci/0000:08:00.0 mode switchdev
2. devlink port add pci/0000:08:00.0 flavour pcisf pfnum 0 sfnum 1000
3. devlink port function rate add pci/0000:08:00.0/group1
4. devlink port function rate set pci/0000:08:00.0/32768 parent group1
5. modprobe -r mlx5_ib mlx5_fwctl mlx5_core
Then check dmesg for "refcount_t: decrement hit 0; leaking memory." with devl_rate_leaf_destroy in the call trace; on an unpatched kernel that is the bug firing. The absence of the warning on a kernel inside an affected range does not mean it is fixed, only that the teardown path has not been exercised.
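
Since the reproducer is destructive, a version check is the first thing to run. The script below is an added example written for this page, not BaseFortify tooling or kernel code. The version ranges are the ones in the Affected Vendors & Products table above; how the bare "6.18" entries are treated (as release candidates) is an assumption marked in the code; `devlink port function rate show` is used to list configured rate objects, since only a leaf still parented to a rate node at teardown time reaches the buggy path.

```shell
#!/bin/sh
# Added example for CVE-2025-40251 (not from the BaseFortify page or the kernel fix):
# classify a kernel version against the affected ranges listed on this page, then
# optionally inspect the running host for parented devlink rate objects and the
# refcount splat quoted in the commit message.

# Reduce "6.12.59-generic" or "6.18.0-rc4+" to one comparable integer
# (major*10^6 + minor*10^3 + patch); everything after the numeric part is dropped.
ver_key() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    major=${v%%.*}
    rest=${v#*.}
    [ "$rest" = "$v" ] && rest=0
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0
    patch=${patch%%.*}
    echo $((major * 1000000 + minor * 1000 + patch))
}

# Stable ranges exactly as the page lists them: "from (inclusive):to (exclusive)".
AFFECTED_RANGES="5.14:6.1.164 6.2:6.6.118 6.7:6.12.60 6.13:6.17.10"

# Returns 0 (shell true) when version $1 lies inside an affected range.
cve_2025_40251_affected() {
    k=$(ver_key "$1")
    for r in $AFFECTED_RANGES; do
        lo=$(ver_key "${r%%:*}")
        hi=$(ver_key "${r#*:}")
        if [ "$k" -ge "$lo" ] && [ "$k" -lt "$hi" ]; then
            return 0
        fi
    done
    # Assumption: the bare "6.18" CPE entries on the page are the 6.18 release
    # candidates (the netdevsim reproducer ran on 6.18.0-rc4+); a final 6.18.0
    # is treated as fixed.
    case "$1" in
        6.18-rc*|6.18.0-rc*) return 0 ;;
    esac
    return 1
}

# Live check: kernel range, which rate objects are parented (the state that makes
# device or module teardown hit the bug), and the dmesg signature.
check_running_kernel() {
    kv=$(uname -r)
    if cve_2025_40251_affected "$kv"; then
        echo "AFFECTED: kernel $kv is inside a range listed for CVE-2025-40251"
    else
        echo "not in range: kernel $kv"
    fi
    if command -v devlink >/dev/null 2>&1; then
        echo "configured devlink rate objects (look for 'parent' entries):"
        devlink port function rate show 2>/dev/null || echo "  (none, or devlink not permitted)"
    fi
    # dmesg usually needs root; the text is the message quoted in the commit.
    if dmesg 2>/dev/null | grep -q 'refcount_t: decrement hit 0'; then
        echo "dmesg has a refcount underflow warning; check the trace for devl_rate_leaf_destroy"
    fi
}

# Run the live check only when invoked as: sh check.sh --check
if [ "${1:-}" = "--check" ]; then
    check_running_kernel
fi
```

The range test is the authoritative part: a host can sit inside an affected range and show nothing in dmesg simply because no rate leaf has ever been torn down while parented. Distribution kernels that backport the fix without bumping the upstream version will be reported as affected by this script; confirm against the distribution's own advisory in that case.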


What immediate steps should I take to mitigate this vulnerability?

The fix is a kernel change (clearing `devlink_rate->parent` after the driver callback in devl_rate_nodes_destroy), so mitigation means running a kernel that carries it: 6.1.164, 6.6.118, 6.12.60, 6.17.10 or later on the respective stable branches, per the version ranges on this page. Until then, note that the bug fires only when a device is torn down while one of its rate leaves is still parented to a rate node: clearing the parent link first (the `noparent` form of `devlink port function rate set`, which goes through the netlink path that the commit message says clears the pointer correctly) before unbinding the device or unloading mlx5_core avoids the path. Since triggering it needs CAP_NET_ADMIN plus control over device removal or module unloading, restricting who can configure devlink and manage modules limits exposure. Watch dmesg for "refcount_t: decrement hit 0"; on hosts with panic_on_warn set, that warning is a reboot, so consider whether that setting is appropriate on affected machines until they are updated.

