Vulnerability-Lookup

GHSA-JPJ8-HW92-VQGG

Vulnerability from github – Published: 2026-05-27 15:33 – Updated: 2026-05-27 15:33

Details

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: Fix deadlocks between devlink and netdev instance locks

In the mentioned "Fixes" commit, various work tasks triggering devlink health reporter recovery were switched to use netdev_trylock to protect against concurrent tear down of the channels being recovered. But this had the side effect of introducing potential deadlocks because of incorrect lock ordering.

The correct lock order is described by the init flow: probe_one -> mlx5_init_one (acquires devlink lock) -> mlx5_init_one_devl_locked -> mlx5_register_device -> mlx5_rescan_drivers_locked -...-> mlx5e_probe -> _mlx5e_probe -> register_netdev (acquires rtnl lock) -> register_netdevice (acquires netdev lock) => devlink lock -> rtnl lock -> netdev lock.

But in the current recovery flow, the order is wrong: mlx5e_tx_err_cqe_work (acquires netdev lock) -> mlx5e_reporter_tx_err_cqe -> mlx5e_health_report -> devlink_health_report (acquires devlink lock => boom!) -> devlink_health_reporter_recover -> mlx5e_tx_reporter_recover -> mlx5e_tx_reporter_recover_from_ctx -> mlx5e_tx_reporter_err_cqe_recover

The same pattern exists in: mlx5e_reporter_rx_timeout mlx5e_reporter_tx_ptpsq_unhealthy mlx5e_reporter_tx_timeout

Fix these by moving the netdev_trylock calls from the work handlers lower in the call stack, in the respective recovery functions, where they are actually necessary.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2026-45907"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-27T14:17:05Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix deadlocks between devlink and netdev instance locks\n\nIn the mentioned \"Fixes\" commit, various work tasks triggering devlink\nhealth reporter recovery were switched to use netdev_trylock to protect\nagainst concurrent tear down of the channels being recovered. But this\nhad the side effect of introducing potential deadlocks because of\nincorrect lock ordering.\n\nThe correct lock order is described by the init flow:\nprobe_one -\u003e mlx5_init_one (acquires devlink lock)\n-\u003e mlx5_init_one_devl_locked -\u003e mlx5_register_device\n-\u003e mlx5_rescan_drivers_locked -...-\u003e mlx5e_probe -\u003e _mlx5e_probe\n-\u003e register_netdev (acquires rtnl lock)\n-\u003e register_netdevice (acquires netdev lock)\n=\u003e devlink lock -\u003e rtnl lock -\u003e netdev lock.\n\nBut in the current recovery flow, the order is wrong:\nmlx5e_tx_err_cqe_work (acquires netdev lock)\n-\u003e mlx5e_reporter_tx_err_cqe -\u003e mlx5e_health_report\n-\u003e devlink_health_report (acquires devlink lock =\u003e boom!)\n-\u003e devlink_health_reporter_recover\n-\u003e mlx5e_tx_reporter_recover -\u003e mlx5e_tx_reporter_recover_from_ctx\n-\u003e mlx5e_tx_reporter_err_cqe_recover\n\nThe same pattern exists in:\nmlx5e_reporter_rx_timeout\nmlx5e_reporter_tx_ptpsq_unhealthy\nmlx5e_reporter_tx_timeout\n\nFix these by moving the netdev_trylock calls from the work handlers\nlower in the call stack, in the respective recovery functions, where\nthey are actually necessary.",
  "id": "GHSA-jpj8-hw92-vqgg",
  "modified": "2026-05-27T15:33:15Z",
  "published": "2026-05-27T15:33:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45907"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4329514c61abefe4961541b128c549b017bab5ad"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/63f9d5fb4d8040077df801ca3270e2f02d55e0d9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/83ac0304a2d77519dae1e54c9713cbe1aedf19c9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

CVE-2026-45907 (GCVE-0-2026-45907)

Vulnerability from cvelistv5 – Published: 2026-05-27 12:17 – Updated: 2026-05-27 12:17

Title

net/mlx5e: Fix deadlocks between devlink and netdev instance locks

Summary

In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix deadlocks between devlink and netdev instance locks In the mentioned "Fixes" commit, various work tasks triggering devlink health reporter recovery were switched to use netdev_trylock to protect against concurrent tear down of the channels being recovered. But this had the side effect of introducing potential deadlocks because of incorrect lock ordering. The correct lock order is described by the init flow: probe_one -> mlx5_init_one (acquires devlink lock) -> mlx5_init_one_devl_locked -> mlx5_register_device -> mlx5_rescan_drivers_locked -...-> mlx5e_probe -> _mlx5e_probe -> register_netdev (acquires rtnl lock) -> register_netdevice (acquires netdev lock) => devlink lock -> rtnl lock -> netdev lock. But in the current recovery flow, the order is wrong: mlx5e_tx_err_cqe_work (acquires netdev lock) -> mlx5e_reporter_tx_err_cqe -> mlx5e_health_report -> devlink_health_report (acquires devlink lock => boom!) -> devlink_health_reporter_recover -> mlx5e_tx_reporter_recover -> mlx5e_tx_reporter_recover_from_ctx -> mlx5e_tx_reporter_err_cqe_recover The same pattern exists in: mlx5e_reporter_rx_timeout mlx5e_reporter_tx_ptpsq_unhealthy mlx5e_reporter_tx_timeout Fix these by moving the netdev_trylock calls from the work handlers lower in the call stack, in the respective recovery functions, where they are actually necessary.

Severity

No CVSS data available.

Assigner

Linux

References

3 references

URL	Tags
https://git.kernel.org/stable/c/4329514c61abefe49…
https://git.kernel.org/stable/c/63f9d5fb4d8040077…
https://git.kernel.org/stable/c/83ac0304a2d77519d…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 8f7b00307bf14676b7e7f0210110a36aa0ff3e93 , < 4329514c61abefe4961541b128c549b017bab5ad (git) Affected: 8f7b00307bf14676b7e7f0210110a36aa0ff3e93 , < 63f9d5fb4d8040077df801ca3270e2f02d55e0d9 (git) Affected: 8f7b00307bf14676b7e7f0210110a36aa0ff3e93 , < 83ac0304a2d77519dae1e54c9713cbe1aedf19c9 (git)
Linux	Linux	Affected: 6.16 Unaffected: 0 , < 6.16 (semver) Unaffected: 6.18.14 , ≤ 6.18.* (semver) Unaffected: 6.19.4 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/mellanox/mlx5/core/en/ptp.c",
            "drivers/net/ethernet/mellanox/mlx5/core/en/reporter_rx.c",
            "drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c",
            "drivers/net/ethernet/mellanox/mlx5/core/en_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4329514c61abefe4961541b128c549b017bab5ad",
              "status": "affected",
              "version": "8f7b00307bf14676b7e7f0210110a36aa0ff3e93",
              "versionType": "git"
            },
            {
              "lessThan": "63f9d5fb4d8040077df801ca3270e2f02d55e0d9",
              "status": "affected",
              "version": "8f7b00307bf14676b7e7f0210110a36aa0ff3e93",
              "versionType": "git"
            },
            {
              "lessThan": "83ac0304a2d77519dae1e54c9713cbe1aedf19c9",
              "status": "affected",
              "version": "8f7b00307bf14676b7e7f0210110a36aa0ff3e93",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/mellanox/mlx5/core/en/ptp.c",
            "drivers/net/ethernet/mellanox/mlx5/core/en/reporter_rx.c",
            "drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c",
            "drivers/net/ethernet/mellanox/mlx5/core/en_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.16"
            },
            {
              "lessThan": "6.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.14",
                  "versionStartIncluding": "6.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.4",
                  "versionStartIncluding": "6.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "6.16",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix deadlocks between devlink and netdev instance locks\n\nIn the mentioned \"Fixes\" commit, various work tasks triggering devlink\nhealth reporter recovery were switched to use netdev_trylock to protect\nagainst concurrent tear down of the channels being recovered. But this\nhad the side effect of introducing potential deadlocks because of\nincorrect lock ordering.\n\nThe correct lock order is described by the init flow:\nprobe_one -\u003e mlx5_init_one (acquires devlink lock)\n-\u003e mlx5_init_one_devl_locked -\u003e mlx5_register_device\n-\u003e mlx5_rescan_drivers_locked -...-\u003e mlx5e_probe -\u003e _mlx5e_probe\n-\u003e register_netdev (acquires rtnl lock)\n-\u003e register_netdevice (acquires netdev lock)\n=\u003e devlink lock -\u003e rtnl lock -\u003e netdev lock.\n\nBut in the current recovery flow, the order is wrong:\nmlx5e_tx_err_cqe_work (acquires netdev lock)\n-\u003e mlx5e_reporter_tx_err_cqe -\u003e mlx5e_health_report\n-\u003e devlink_health_report (acquires devlink lock =\u003e boom!)\n-\u003e devlink_health_reporter_recover\n-\u003e mlx5e_tx_reporter_recover -\u003e mlx5e_tx_reporter_recover_from_ctx\n-\u003e mlx5e_tx_reporter_err_cqe_recover\n\nThe same pattern exists in:\nmlx5e_reporter_rx_timeout\nmlx5e_reporter_tx_ptpsq_unhealthy\nmlx5e_reporter_tx_timeout\n\nFix these by moving the netdev_trylock calls from the work handlers\nlower in the call stack, in the respective recovery functions, where\nthey are actually necessary."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T12:17:20.424Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4329514c61abefe4961541b128c549b017bab5ad"
        },
        {
          "url": "https://git.kernel.org/stable/c/63f9d5fb4d8040077df801ca3270e2f02d55e0d9"
        },
        {
          "url": "https://git.kernel.org/stable/c/83ac0304a2d77519dae1e54c9713cbe1aedf19c9"
        }
      ],
      "title": "net/mlx5e: Fix deadlocks between devlink and netdev instance locks",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-45907",
    "datePublished": "2026-05-27T12:17:20.424Z",
    "dateReserved": "2026-05-13T15:03:33.084Z",
    "dateUpdated": "2026-05-27T12:17:20.424Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-JPJ8-HW92-VQGG

CVE-2026-45907 (GCVE-0-2026-45907)

Tags

Sightings

Nomenclature