CVE-2026-45907 (GCVE-0-2026-45907)

Vulnerability from cvelistv5 – Published: 2026-05-27 12:17 – Updated: 2026-05-27 12:17
VLAI
Title
net/mlx5e: Fix deadlocks between devlink and netdev instance locks
Summary
In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix deadlocks between devlink and netdev instance locks In the mentioned "Fixes" commit, various work tasks triggering devlink health reporter recovery were switched to use netdev_trylock to protect against concurrent tear down of the channels being recovered. But this had the side effect of introducing potential deadlocks because of incorrect lock ordering. The correct lock order is described by the init flow: probe_one -> mlx5_init_one (acquires devlink lock) -> mlx5_init_one_devl_locked -> mlx5_register_device -> mlx5_rescan_drivers_locked -...-> mlx5e_probe -> _mlx5e_probe -> register_netdev (acquires rtnl lock) -> register_netdevice (acquires netdev lock) => devlink lock -> rtnl lock -> netdev lock. But in the current recovery flow, the order is wrong: mlx5e_tx_err_cqe_work (acquires netdev lock) -> mlx5e_reporter_tx_err_cqe -> mlx5e_health_report -> devlink_health_report (acquires devlink lock => boom!) -> devlink_health_reporter_recover -> mlx5e_tx_reporter_recover -> mlx5e_tx_reporter_recover_from_ctx -> mlx5e_tx_reporter_err_cqe_recover The same pattern exists in: mlx5e_reporter_rx_timeout mlx5e_reporter_tx_ptpsq_unhealthy mlx5e_reporter_tx_timeout Fix these by moving the netdev_trylock calls from the work handlers lower in the call stack, in the respective recovery functions, where they are actually necessary.
Severity
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 8f7b00307bf14676b7e7f0210110a36aa0ff3e93 , < 4329514c61abefe4961541b128c549b017bab5ad (git)
Affected: 8f7b00307bf14676b7e7f0210110a36aa0ff3e93 , < 63f9d5fb4d8040077df801ca3270e2f02d55e0d9 (git)
Affected: 8f7b00307bf14676b7e7f0210110a36aa0ff3e93 , < 83ac0304a2d77519dae1e54c9713cbe1aedf19c9 (git)
Create a notification for this product.
Linux Linux Affected: 6.16
Unaffected: 0 , < 6.16 (semver)
Unaffected: 6.18.14 , ≤ 6.18.* (semver)
Unaffected: 6.19.4 , ≤ 6.19.* (semver)
Unaffected: 7.0 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/mellanox/mlx5/core/en/ptp.c",
            "drivers/net/ethernet/mellanox/mlx5/core/en/reporter_rx.c",
            "drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c",
            "drivers/net/ethernet/mellanox/mlx5/core/en_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4329514c61abefe4961541b128c549b017bab5ad",
              "status": "affected",
              "version": "8f7b00307bf14676b7e7f0210110a36aa0ff3e93",
              "versionType": "git"
            },
            {
              "lessThan": "63f9d5fb4d8040077df801ca3270e2f02d55e0d9",
              "status": "affected",
              "version": "8f7b00307bf14676b7e7f0210110a36aa0ff3e93",
              "versionType": "git"
            },
            {
              "lessThan": "83ac0304a2d77519dae1e54c9713cbe1aedf19c9",
              "status": "affected",
              "version": "8f7b00307bf14676b7e7f0210110a36aa0ff3e93",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/mellanox/mlx5/core/en/ptp.c",
            "drivers/net/ethernet/mellanox/mlx5/core/en/reporter_rx.c",
            "drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c",
            "drivers/net/ethernet/mellanox/mlx5/core/en_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.16"
            },
            {
              "lessThan": "6.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.14",
                  "versionStartIncluding": "6.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.4",
                  "versionStartIncluding": "6.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "6.16",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix deadlocks between devlink and netdev instance locks\n\nIn the mentioned \"Fixes\" commit, various work tasks triggering devlink\nhealth reporter recovery were switched to use netdev_trylock to protect\nagainst concurrent tear down of the channels being recovered. But this\nhad the side effect of introducing potential deadlocks because of\nincorrect lock ordering.\n\nThe correct lock order is described by the init flow:\nprobe_one -\u003e mlx5_init_one (acquires devlink lock)\n-\u003e mlx5_init_one_devl_locked -\u003e mlx5_register_device\n-\u003e mlx5_rescan_drivers_locked -...-\u003e mlx5e_probe -\u003e _mlx5e_probe\n-\u003e register_netdev (acquires rtnl lock)\n-\u003e register_netdevice (acquires netdev lock)\n=\u003e devlink lock -\u003e rtnl lock -\u003e netdev lock.\n\nBut in the current recovery flow, the order is wrong:\nmlx5e_tx_err_cqe_work (acquires netdev lock)\n-\u003e mlx5e_reporter_tx_err_cqe -\u003e mlx5e_health_report\n-\u003e devlink_health_report (acquires devlink lock =\u003e boom!)\n-\u003e devlink_health_reporter_recover\n-\u003e mlx5e_tx_reporter_recover -\u003e mlx5e_tx_reporter_recover_from_ctx\n-\u003e mlx5e_tx_reporter_err_cqe_recover\n\nThe same pattern exists in:\nmlx5e_reporter_rx_timeout\nmlx5e_reporter_tx_ptpsq_unhealthy\nmlx5e_reporter_tx_timeout\n\nFix these by moving the netdev_trylock calls from the work handlers\nlower in the call stack, in the respective recovery functions, where\nthey are actually necessary."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T12:17:20.424Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4329514c61abefe4961541b128c549b017bab5ad"
        },
        {
          "url": "https://git.kernel.org/stable/c/63f9d5fb4d8040077df801ca3270e2f02d55e0d9"
        },
        {
          "url": "https://git.kernel.org/stable/c/83ac0304a2d77519dae1e54c9713cbe1aedf19c9"
        }
      ],
      "title": "net/mlx5e: Fix deadlocks between devlink and netdev instance locks",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-45907",
    "datePublished": "2026-05-27T12:17:20.424Z",
    "dateReserved": "2026-05-13T15:03:33.084Z",
    "dateUpdated": "2026-05-27T12:17:20.424Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-45907",
      "date": "2026-05-29",
      "epss": "0.00017",
      "percentile": "0.04336"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-45907\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-05-27T14:17:05.233\",\"lastModified\":\"2026-05-27T14:48:03.013\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/mlx5e: Fix deadlocks between devlink and netdev instance locks\\n\\nIn the mentioned \\\"Fixes\\\" commit, various work tasks triggering devlink\\nhealth reporter recovery were switched to use netdev_trylock to protect\\nagainst concurrent tear down of the channels being recovered. But this\\nhad the side effect of introducing potential deadlocks because of\\nincorrect lock ordering.\\n\\nThe correct lock order is described by the init flow:\\nprobe_one -\u003e mlx5_init_one (acquires devlink lock)\\n-\u003e mlx5_init_one_devl_locked -\u003e mlx5_register_device\\n-\u003e mlx5_rescan_drivers_locked -...-\u003e mlx5e_probe -\u003e _mlx5e_probe\\n-\u003e register_netdev (acquires rtnl lock)\\n-\u003e register_netdevice (acquires netdev lock)\\n=\u003e devlink lock -\u003e rtnl lock -\u003e netdev lock.\\n\\nBut in the current recovery flow, the order is wrong:\\nmlx5e_tx_err_cqe_work (acquires netdev lock)\\n-\u003e mlx5e_reporter_tx_err_cqe -\u003e mlx5e_health_report\\n-\u003e devlink_health_report (acquires devlink lock =\u003e boom!)\\n-\u003e devlink_health_reporter_recover\\n-\u003e mlx5e_tx_reporter_recover -\u003e mlx5e_tx_reporter_recover_from_ctx\\n-\u003e mlx5e_tx_reporter_err_cqe_recover\\n\\nThe same pattern exists in:\\nmlx5e_reporter_rx_timeout\\nmlx5e_reporter_tx_ptpsq_unhealthy\\nmlx5e_reporter_tx_timeout\\n\\nFix these by moving the netdev_trylock calls from the work handlers\\nlower in the call stack, in the respective recovery functions, where\\nthey are actually necessary.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/4329514c61abefe4961541b128c549b017bab5ad\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/63f9d5fb4d8040077df801ca3270e2f02d55e0d9\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/83ac0304a2d77519dae1e54c9713cbe1aedf19c9\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.