Linux Kernel net/mlx5 Component Unregistration Vulnerability Leading to Use-After-Free

A vulnerability in the Linux kernel's net/mlx5 component can cause a double unregistration of the HCA_PORTS component, leading to a use-after-free condition. This issue arises during the teardown of Link Aggregation Group (LAG) management, where a delayed second pass through the 'mlx5_unload_one()' function may attempt to unregister a component that has already been cleared, causing a kernel panic. On s390 systems, most PCI recovery events trigger two passes through 'mlx5_unload_one()', which can exacerbate the problem. The vulnerability was introduced in version 6.18.0-20251130.rc7.git0.16131a59cab1.300.fc43.s390x and has been fixed in the official Linux Git repository.

Impact

Exploitation of this vulnerability leads to a kernel panic caused by a dereference of a freed pointer, disrupting normal system operation and potentially causing data loss.

Reproduction

The vulnerability can be reproduced by triggering PCI error recovery events on an s390 system, which will cause two passes through the 'mlx5_unload_one()' function. With additional kernel debug features enabled, this process will consistently result in a kernel panic.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed.