Description
In the Linux kernel, the following vulnerability has been resolved:

net/mlx5: Fix deadlock between devlink lock and esw->wq

esw->work_queue executes esw_functions_changed_event_handler ->
esw_vfs_changed_event_handler and acquires the devlink lock.

.eswitch_mode_set (acquires devlink lock in devlink_nl_pre_doit) ->
mlx5_devlink_eswitch_mode_set -> mlx5_eswitch_disable_locked ->
mlx5_eswitch_event_handler_unregister -> flush_workqueue deadlocks
when esw_vfs_changed_event_handler executes.

Fix that by no longer flushing the work to avoid the deadlock, and using
a generation counter to keep track of work relevance. This avoids an old
handler manipulating an esw that has undergone one or more mode changes:
- the counter is incremented in mlx5_eswitch_event_handler_unregister.
- the counter is read and passed to the ephemeral mlx5_host_work struct.
- the work handler takes the devlink lock and bails out if the current
generation is different than the one it was scheduled to operate on.
- mlx5_eswitch_cleanup does the final draining before destroying the wq.

No longer flushing the workqueue has the side effect of maybe no longer
cancelling pending vport_change_handler work items, but that's ok since
those are disabled elsewhere:
- mlx5_eswitch_disable_locked disables the vport eq notifier.
- mlx5_esw_vport_disable disarms the HW EQ notification and marks
vport->enabled under state_lock to false to prevent pending vport
handler from doing anything.
- mlx5_eswitch_cleanup destroys the workqueue and makes sure all events
are disabled/finished.
Published: 2026-05-08
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from a deadlock condition in the Linux mlx5 driver. When the eswitch workqueue processes a mode change or vport event, it may acquire the devlink lock, while the devlink operation also attempts to acquire the same lock. This ordering conflict causes the kernel scheduler to wait indefinitely, resulting in a kernel that becomes unresponsive or a halted network interface.

Affected Systems

Every Linux kernel that includes the original mlx5 eswitch implementation before the commit that adds the generation counter and removes the workqueue flush is vulnerable. Administrators should verify whether the running kernel contains this patch by checking the kernel tree or the commit history.

Risk and Exploitability

The CVSS score of 5.5 reflects moderate severity. The EPSS score is below 1%, and the issue is not currently listed in the CISA KEV catalog, indicating that widespread exploitation has not been observed. Based on the description, it is inferred that an attacker with local privileges could trigger the deadlock by performing normal driver operations such as eswitch mode changes or vport configuration. The risk is limited to availability loss rather than confidentiality or integrity compromise.

Generated by OpenCVE AI on May 9, 2026 at 17:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a release that includes the patch that adds the generation counter and removes the workqueue flush.
  • Reboot the system to activate the new kernel and ensure the mlx5 driver is loaded with the fix.
  • If an immediate kernel upgrade is not possible, consider temporarily disabling the mlx5 driver module (e.g., via `modprobe -r mlx5_core` or setting `disable` in `/sys/module/`), preventing eswitch operations until the fix is applied.

Generated by OpenCVE AI on May 9, 2026 at 17:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 09 May 2026 16:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-580

Sat, 09 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-833
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Fri, 08 May 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-580

Fri, 08 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix deadlock between devlink lock and esw->wq esw->work_queue executes esw_functions_changed_event_handler -> esw_vfs_changed_event_handler and acquires the devlink lock. .eswitch_mode_set (acquires devlink lock in devlink_nl_pre_doit) -> mlx5_devlink_eswitch_mode_set -> mlx5_eswitch_disable_locked -> mlx5_eswitch_event_handler_unregister -> flush_workqueue deadlocks when esw_vfs_changed_event_handler executes. Fix that by no longer flushing the work to avoid the deadlock, and using a generation counter to keep track of work relevance. This avoids an old handler manipulating an esw that has undergone one or more mode changes: - the counter is incremented in mlx5_eswitch_event_handler_unregister. - the counter is read and passed to the ephemeral mlx5_host_work struct. - the work handler takes the devlink lock and bails out if the current generation is different than the one it was scheduled to operate on. - mlx5_eswitch_cleanup does the final draining before destroying the wq. No longer flushing the workqueue has the side effect of maybe no longer cancelling pending vport_change_handler work items, but that's ok since those are disabled elsewhere: - mlx5_eswitch_disable_locked disables the vport eq notifier. - mlx5_esw_vport_disable disarms the HW EQ notification and marks vport->enabled under state_lock to false to prevent pending vport handler from doing anything. - mlx5_eswitch_cleanup destroys the workqueue and makes sure all events are disabled/finished.
Title net/mlx5: Fix deadlock between devlink lock and esw->wq
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-08T14:22:28.889Z

Reserved: 2026-05-01T14:12:56.011Z

Link: CVE-2026-43468

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-08T15:16:59.830

Modified: 2026-05-08T15:16:59.830

Link: CVE-2026-43468

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43468 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-09T17:30:38Z

Weaknesses