CVE-2026-43466
Received - Intake
DMA FIFO Desync in Linux Kernel mlx5e Driver

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: Fix DMA FIFO desync on error CQE SQ recovery

In case of a TX error CQE, a recovery flow is triggered, mlx5e_reset_txqsq_cc_pc() resets dma_fifo_cc to 0 but not dma_fifo_pc, desyncing the DMA FIFO producer and consumer.

After recovery, the producer pushes new DMA entries at the old dma_fifo_pc, while the consumer reads from position 0. This causes us to unmap stale DMA addresses from before the recovery.

The DMA FIFO is a purely software construct with no HW counterpart. At the point of reset, all WQEs have been flushed so dma_fifo_cc is already equal to dma_fifo_pc. There is no need to reset either counter, similar to how skb_fifo pc/cc are untouched.

Remove the 'dma_fifo_cc = 0' reset.

This fixes the following WARNING:

  WARNING: CPU: 0 PID: 0 at drivers/iommu/dma-iommu.c:1240 iommu_dma_unmap_page+0x79/0x90
  Modules linked in: mlx5_vdpa vringh vdpa bonding mlx5_ib mlx5_vfio_pci ipip mlx5_fwctl tunnel4 mlx5_core ib_ipoib geneve ip6_gre ip_gre gre nf_tables ip6_tunnel rdma_ucm ib_uverbs ib_umad vfio_pci vfio_pci_core act_mirred act_skbedit act_vlan vhost_net vhost tap ip6table_mangle ip6table_nat ip6table_filter ip6_tables iptable_mangle cls_matchall nfnetlink_cttimeout act_gact cls_flower sch_ingress vhost_iotlb iptable_raw tunnel6 vfio_iommu_type1 vfio openvswitch nsh rpcsec_gss_krb5 auth_rpcgss oid_registry xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat nf_nat xt_addrtype br_netfilter overlay zram zsmalloc rpcrdma ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm ib_core fuse [last unloaded: nf_tables]
  CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.13.0-rc5_for_upstream_min_debug_2024_12_30_21_33 #1
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
  RIP: 0010:iommu_dma_unmap_page+0x79/0x90
  Code: 2b 4d 3b 21 72 26 4d 3b 61 08 73 20 49 89 d8 44 89 f9 5b 4c 89 f2 4c 89 e6 48 89 ef 5d 41 5c 41 5d 41 5e 41 5f e9 c7 ae 9e ff <0f> 0b 5b 5d 41 5c 41 5d 41 5e 41 5f c3 66 2e 0f 1f 84 00 00 00 00
  Call Trace:
   <IRQ>
   ? __warn+0x7d/0x110
   ? iommu_dma_unmap_page+0x79/0x90
   ? report_bug+0x16d/0x180
   ? handle_bug+0x4f/0x90
   ? exc_invalid_op+0x14/0x70
   ? asm_exc_invalid_op+0x16/0x20
   ? iommu_dma_unmap_page+0x79/0x90
   ? iommu_dma_unmap_page+0x2e/0x90
   dma_unmap_page_attrs+0x10d/0x1b0
   mlx5e_tx_wi_dma_unmap+0xbe/0x120 [mlx5_core]
   mlx5e_poll_tx_cq+0x16d/0x690 [mlx5_core]
   mlx5e_napi_poll+0x8b/0xac0 [mlx5_core]
   __napi_poll+0x24/0x190
   net_rx_action+0x32a/0x3b0
   ? mlx5_eq_comp_int+0x7e/0x270 [mlx5_core]
   ? notifier_call_chain+0x35/0xa0
   handle_softirqs+0xc9/0x270
   irq_exit_rcu+0x71/0xd0
   common_interrupt+0x7f/0xa0
   </IRQ>
   <TASK>
   asm_common_interrupt+0x22/0x40

Meta Information
Published: 2026-05-08
Last Modified: 2026-05-08
Generated: 2026-05-09
AI Q&A: 2026-05-08
EPSS Evaluated: N/A

Affected Vendors & Products
Showing 1 associated CPE
Vendor: mlx5
Product: mlx5e
Version / Range: From 6.13.0-rc5 (inc)

CWE ID: CWE-UNKNOWN

AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's mlx5e network driver related to DMA FIFO synchronization during error recovery.

When a transmit (TX) error completion queue entry (CQE) occurs, a recovery process resets the dma_fifo_cc counter to zero but does not reset the dma_fifo_pc counter. This causes a desynchronization between the DMA FIFO producer and consumer pointers.

After recovery, the producer continues to push new DMA entries at the old dma_fifo_pc position, while the consumer reads from position zero, leading to unmapping of stale DMA addresses from before the recovery.

The fix removes the unnecessary reset of dma_fifo_cc to zero, aligning with the fact that at reset all work queue entries have been flushed and the counters are already synchronized.
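
The desync described above, as a small userspace C model added here for illustration (not code from the kernel, the patch, or this page). Only the counter names dma_fifo_pc and dma_fifo_cc come from the description; struct model_sq, model_push, model_complete, the ring size and the sample addresses are constructed.

```c
/* Userspace model of the counters described above; not mlx5e driver code. */
#include <stdint.h>
#include <stdio.h>
#define FIFO_MASK 7u   /* constructed 8-slot ring; size is a power of two */

struct model_sq {
    uint64_t dma_fifo[FIFO_MASK + 1];
    uint32_t dma_fifo_pc, dma_fifo_cc;  /* producer / consumer counters */
    uint64_t live[16];                  /* stand-in for currently mapped addresses */
    int      nlive;
};

/* Map an address and record it at the producer position. */
static void model_push(struct model_sq *sq, uint64_t addr)
{
    sq->live[sq->nlive++] = addr;
    sq->dma_fifo[sq->dma_fifo_pc++ & FIFO_MASK] = addr;
}

/* Unmap the entry at the consumer position; returns 1 if it was already unmapped. */
static int model_complete(struct model_sq *sq)
{
    uint64_t addr = sq->dma_fifo[sq->dma_fifo_cc++ & FIFO_MASK];
    for (int i = 0; i < sq->nlive; i++)
        if (sq->live[i] == addr) {
            sq->live[i] = sq->live[--sq->nlive];
            return 0;
        }
    return 1;  /* stale address: the condition behind the WARNING */
}

/* One recovery cycle; returns how many completions unmapped a stale address. */
int stale_unmaps_after_recovery(int reset_cc_to_zero)
{
    struct model_sq sq = {0};
    int stale = 0;
    for (uint64_t a = 1; a <= 3; a++) model_push(&sq, a * 0x1000);
    for (int i = 0; i < 3; i++) stale += model_complete(&sq);  /* flushed: cc == pc == 3 */
    if (reset_cc_to_zero) sq.dma_fifo_cc = 0;   /* pre-fix reset; pc stays at 3 */
    model_push(&sq, 0xA000);                    /* lands in slot 3 */
    model_push(&sq, 0xB000);                    /* lands in slot 4 */
    for (int i = 0; i < 2; i++) stale += model_complete(&sq);
    return stale;
}

int main(void)
{
    printf("cc reset to 0: %d stale unmaps\n", stale_unmaps_after_recovery(1));
    printf("cc untouched:  %d stale unmaps\n", stale_unmaps_after_recovery(0));
    return 0;
}
```

With the reset, the two post-recovery completions read slots 0 and 1 and hit addresses that were unmapped before recovery; without it they read slots 3 and 4, where the producer wrote.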


How can this vulnerability impact me?

This vulnerability can cause improper handling of DMA memory mappings during error recovery in the mlx5e network driver.

Specifically, it may lead to unmapping of stale DMA addresses, which could cause system instability, warnings, or crashes related to memory management in the network driver.

Such issues could affect network performance or reliability on systems using the affected driver.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability manifests as a WARNING message in the kernel logs related to DMA unmapping in the mlx5e driver. Detection involves monitoring system logs for the specific warning:

  • WARNING: CPU: 0 PID: 0 at drivers/iommu/dma-iommu.c:1240 iommu_dma_unmap_page+0x79/0x90

You can detect this issue by checking the kernel log messages using commands such as:

  • dmesg | grep -i iommu_dma_unmap_page
  • journalctl -k | grep -i iommu_dma_unmap_page
  • journalctl -k | grep -i mlx5e

These commands help identify the warning messages indicating the DMA FIFO desynchronization issue in the mlx5e driver.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed by a kernel patch that corrects the DMA FIFO counters reset behavior in the mlx5e driver. Immediate mitigation steps include:

  • Update your Linux kernel to a version that includes the fix for this vulnerability (post 6.13.0-rc5 or the version containing the patch).
  • Monitor kernel logs for the warning message to detect if the issue is occurring.
  • If updating the kernel immediately is not possible, consider disabling or limiting the use of the mlx5e driver or related hardware until the patch can be applied.

Since this is a software-level fix in the kernel driver, applying the updated kernel is the recommended and effective mitigation.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information about CVE-2026-43466 does not include any details regarding its impact on compliance with common standards and regulations such as GDPR or HIPAA.

