CVE-2026-43467 in Linux Info

Summary

by VulDB • 2026. 05. 23.

Based on the kernel crash dump provided, here is an analysis of the issue:

### **Summary**

The system experienced a **kernel panic** (or oops) in the **Mellanox ConnectX (mlx5_core)** driver. The crash occurred while attempting to **disable IPsec events** during the process of changing the eswitch mode or loading a vport representation.

### **Key Stack Trace Analysis**

1. **Crash Location**:
   * `complete_all+0x20/0x90`: The crash happened inside the `complete_all()` function, which is used to wake up threads waiting on a completion variable.
   * This suggests a **race condition**, **use-after-free**, or **invalid memory access** when signaling a completion event.

2. **Call Chain**:
   * `mlx5e_ipsec_disable_events` → The driver was trying to disable IPsec-related events.
   * `mlx5e_nic_disable` → This was part of disabling the NIC interface.
   * `mlx5e_detach_netdev` → Detaching the network device.
   * `mlx5e_netdev_change_profile` → Changing the network profile (likely due to eswitch mode change).
   * `mlx5e_vport_rep_load` → Loading a vport representation.
   * `__esw_offloads_load_rep` → Loading eswitch offloads.
   * `esw_offloads_enable` → Enabling eswitch offloads.
   * `mlx5_eswitch_enable_locked` → Enabling the eswitch.
   * `mlx5_devlink_eswitch_mode_set` → **Trigger**: The operation was initiated via `devlink` to change the eswitch mode (e.g., from legacy to switchdev or vice versa).

### **Root Cause Hypothesis**

The most likely causes are:

1. **Race Condition in IPsec Event Handling**: The `mlx5e_ipsec_disable_events` function may be accessing a completion structure that has already been freed or is in an inconsistent state. This can happen if the IPsec offload teardown is not properly synchronized with the eswitch mode change.
2. **Use-After-Free**: The `mlx5e_vport_rep` or associated resources might have been freed prematurely while `mlx5e_ipsec_disable_events` was still trying to signal a completion.
3. **Bug in Specific Kernel Version**: This looks like a known issue in certain versions of the `mlx5_core` driver, particularly around eswitch mode changes and IPsec offload interactions.

### **Recommended Actions**

1. **Update Kernel/Driver**:
   * Check if there is a newer kernel version or a specific Mellanox OFED driver update that fixes this issue. This type of race condition is often patched in newer upstream kernels.
   * Look for commits related to `mlx5e_ipsec_disable_events` or `mlx5_eswitch` in the Linux kernel git log.

2. **Workaround**:
   * Avoid changing the eswitch mode (via `devlink`) while IPsec offloads are active.
   * If possible, disable IPsec offloads before changing the eswitch mode:

   ```bash
   # Example: disable IPsec (ESP) hardware offload before changing eswitch mode
   ethtool -K <interface> esp-hw-offload off
   devlink dev eswitch set pci/<BDF> mode legacy  # or switchdev, as needed
   ```

3. **Debugging**:
   * Enable kernel debugging symbols (`CONFIG_DEBUG_INFO=y`) to get more precise line numbers.
   * Check `dmesg` for any prior warnings about IPsec or eswitch issues.
   * Reproduce the issue with `CONFIG_LOCKDEP=y` to detect lock inversion or race conditions.
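A triage helper for the `dmesg` check above, added here as an example (it is not VulDB's or the kernel project's code): it extracts symbols from a kernel log and reports how much of the call chain listed earlier appears in order. The sample log is constructed, and the names `extract_frames`, `match_chain` and `is_suspect` are hypothetical.

```python
import re

# Call chain from the analysis above, innermost frame first.
SIGNATURE = [
    "complete_all", "mlx5e_ipsec_disable_events", "mlx5e_nic_disable",
    "mlx5e_detach_netdev", "mlx5e_netdev_change_profile", "mlx5e_vport_rep_load",
    "__esw_offloads_load_rep", "esw_offloads_enable",
    "mlx5_eswitch_enable_locked", "mlx5_devlink_eswitch_mode_set",
]
# "symbol+0xoff/0xsize"; a leading "? " marks a frame the unwinder is unsure of.
FRAME_RE = re.compile(r"(\?\s+)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")

def extract_frames(log_text):
    """Reliable symbols in log order, with .isra/.constprop suffixes stripped."""
    frames = []
    for line in log_text.splitlines():
        m = FRAME_RE.search(line)
        if m and not m.group(1):
            frames.append(m.group(2).split(".")[0])
    return frames

def match_chain(log_text):
    """Signature frames seen in order; gaps are allowed because of inlining."""
    hits, nxt = [], 0
    for sym in extract_frames(log_text):
        if sym in SIGNATURE[nxt:]:
            nxt = SIGNATURE.index(sym) + 1
            hits.append(sym)
    return hits

def is_suspect(log_text):
    """True when the crash site and the IPsec teardown caller both appear."""
    return match_chain(log_text)[:2] == SIGNATURE[:2]

# Constructed sample, not a real dump: only complete_all+0x20/0x90 is from the page.
SAMPLE_OOPS = """\
[  101.500010] RIP: 0010:complete_all+0x20/0x90
[  101.500020] Call Trace:
[  101.500022]  ? __die+0x20/0x70
[  101.500023]  mlx5e_ipsec_disable_events+0x1a/0x40 [mlx5_core]
[  101.500024]  mlx5e_nic_disable.isra.0+0x5c/0x110 [mlx5_core]
[  101.500025]  mlx5e_detach_netdev+0x3e/0x90 [mlx5_core]
[  101.500026]  mlx5e_netdev_change_profile+0x45/0xb0 [mlx5_core]
[  101.500027]  mlx5e_vport_rep_load+0x1c2/0x2e0 [mlx5_core]
[  101.500028]  esw_offloads_enable+0x2b1/0x520 [mlx5_core]
[  101.500029]  mlx5_eswitch_enable_locked+0x1d0/0x3a0 [mlx5_core]
[  101.500030]  mlx5_devlink_eswitch_mode_set+0x14c/0x2f0 [mlx5_core]
"""
print(is_suspect(SAMPLE_OOPS), match_chain(SAMPLE_OOPS))
```

Feed it the output of `dmesg` or a saved crash log; a partial match that still starts with `complete_all` and `mlx5e_ipsec_disable_events` is worth comparing against the full chain by hand.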

### **Relevant Kernel Commits (Search Terms)**

Search for these terms in the Linux kernel git log:

* `mlx5e ipsec disable events`
* `mlx5 eswitch mode change race`
* `mlx5e complete_all`

If you are using a specific kernel version (e.g., 5.15, 6.1, etc.), please provide it for more targeted advice.


Responsible

Linux

Reserved

2026. 05. 01.

Moderation

Accepted

Entry

VDB-362300

EPSS

0.00013

Sources
