PT-2026-43840 · Linux · Linux
Published
2026-05-27
·
Updated
2026-05-27
·
CVE-2026-45973
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
RDMA/mlx5: Fix UMR hang in LAG error state unload
During firmware reset in LAG mode, a race condition causes the driver
to hang indefinitely while waiting for UMR completion during device
unload. See [1].
In LAG mode the bond device is only registered on the master, so it
never sees sys error events from the slave.
During firmware reset this causes UMR waits to hang forever on unload
as the slave is dead but the master hasn't entered error state yet, so
UMR posts succeed but completions never arrive.
Fix this by adding a sys error notifier that gets registered before
MLX5 IB STAGE IB REG and stays alive until after ib unregister device().
This ensures error events reach the bond device throughout teardown.
[1]
Call Trace:
schedule+0x2bd/0x760
schedule+0x37/0xa0
schedule preempt disabled+0xa/0x10
mutex lock.isra.6+0x2b5/0x4a0
mlx5 ib dereg mr+0x606/0x870 [mlx5 ib]
? xa erase+0x4a/0xa0
? cond resched+0x15/0x30
? wait for completion+0x31/0x100
ib dereg mr user+0x48/0xc0 [ib core]
? rdmacg uncharge hierarchy+0xa0/0x100
destroy hw idr uobject+0x20/0x50 [ib uverbs]
uverbs destroy uobject+0x37/0x150 [ib uverbs]
uverbs cleanup ufile+0xda/0x140 [ib uverbs]
uverbs destroy ufile hw+0x3a/0xf0 [ib uverbs]
ib uverbs remove one+0xc3/0x140 [ib uverbs]
remove client context+0x8b/0xd0 [ib core]
disable device+0x8c/0x130 [ib core]
ib unregister device+0x10d/0x180 [ib core]
ib unregister device+0x21/0x30 [ib core]
mlx5 ib remove+0x1e4/0x1f0 [mlx5 ib]
auxiliary bus remove+0x1e/0x30
device release driver internal+0x103/0x1f0
bus remove device+0xf7/0x170
device del+0x181/0x410
mlx5 rescan drivers locked.part.10+0xa9/0x1d0 [mlx5 core]
mlx5 disable lag+0x253/0x260 [mlx5 core]
mlx5 lag disable change+0x89/0xc0 [mlx5 core]
mlx5 eswitch disable+0x67/0xa0 [mlx5 core]
mlx5 unload+0x15/0xd0 [mlx5 core]
mlx5 unload one+0x71/0xc0 [mlx5 core]
mlx5 sync reset reload work+0x83/0x100 [mlx5 core]
process one work+0x1a7/0x360
worker thread+0x30/0x390
? create worker+0x1a0/0x1a0
kthread+0x116/0x130
? kthread flush work fn+0x10/0x10
ret from fork+0x22/0x40
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Linux