[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-DEBIAN-CVE-2025-40251":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-04T14:53:31.930Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":11,"aliases":12,"duplicate_of":9,"upstream":13,"downstream":16,"duplicates":21,"related":22,"reserved_at":9,"published_at":23,"modified_at":24,"state":9,"summary":25,"references_raw":27,"kevs":34,"epss":9,"epss_history":35,"metrics":36,"affected":43},"DEBIAN-CVE-2025-40251","In the Linux kernel, the following vulnerability has been resolved:  devlink: rate: Unset parent pointer in devl_rate_nodes_destroy  The function devl_rate_nodes_destroy is documented to \"Unset parent for all rate objects\". However, it was only calling the driver-specific `rate_leaf_parent_set` or `rate_node_parent_set` ops and decrementing the parent's refcount, without actually setting the `devlink_rate->parent` pointer to NULL.  This leaves a dangling pointer in the `devlink_rate` struct, which cause refcount error in netdevsim[1] and mlx5[2]. In addition, this is inconsistent with the behavior of `devlink_nl_rate_parent_node_set`, where the parent pointer is correctly cleared.  This patch fixes the issue by explicitly setting `devlink_rate->parent` to NULL after notifying the driver, thus fulfilling the function's documented behavior for all rate objects.  [1] repro steps: echo 1 > /sys/bus/netdevsim/new_device devlink dev eswitch set netdevsim/netdevsim1 mode switchdev echo 1 > /sys/bus/netdevsim/devices/netdevsim1/sriov_numvfs devlink port function rate add netdevsim/netdevsim1/test_node devlink port function rate set netdevsim/netdevsim1/128 parent test_node echo 1 > /sys/bus/netdevsim/del_device  dmesg: refcount_t: decrement hit 0; leaking memory. WARNING: CPU: 8 PID: 1530 at lib/refcount.c:31 refcount_warn_saturate+0x42/0xe0 CPU: 8 UID: 0 PID: 1530 Comm: bash Not tainted 6.18.0-rc4+ #1 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:refcount_warn_saturate+0x42/0xe0 Call Trace:  \u003CTASK>  devl_rate_leaf_destroy+0x8d/0x90  __nsim_dev_port_del+0x6c/0x70 [netdevsim]  nsim_dev_reload_destroy+0x11c/0x140 [netdevsim]  nsim_drv_remove+0x2b/0xb0 [netdevsim]  device_release_driver_internal+0x194/0x1f0  bus_remove_device+0xc6/0x130  device_del+0x159/0x3c0  device_unregister+0x1a/0x60  del_device_store+0x111/0x170 [netdevsim]  kernfs_fop_write_iter+0x12e/0x1e0  vfs_write+0x215/0x3d0  ksys_write+0x5f/0xd0  do_syscall_64+0x55/0x10f0  entry_SYSCALL_64_after_hwframe+0x4b/0x53  [2] devlink dev eswitch set pci/0000:08:00.0 mode switchdev devlink port add pci/0000:08:00.0 flavour pcisf pfnum 0 sfnum 1000 devlink port function rate add pci/0000:08:00.0/group1 devlink port function rate set pci/0000:08:00.0/32768 parent group1 modprobe -r mlx5_ib mlx5_fwctl mlx5_core  dmesg: refcount_t: decrement hit 0; leaking memory. WARNING: CPU: 7 PID: 16151 at lib/refcount.c:31 refcount_warn_saturate+0x42/0xe0 CPU: 7 UID: 0 PID: 16151 Comm: bash Not tainted 6.17.0-rc7_for_upstream_min_debug_2025_10_02_12_44 #1 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 RIP: 0010:refcount_warn_saturate+0x42/0xe0 Call Trace:  \u003CTASK>  devl_rate_leaf_destroy+0x8d/0x90  mlx5_esw_offloads_devlink_port_unregister+0x33/0x60 [mlx5_core]  mlx5_esw_offloads_unload_rep+0x3f/0x50 [mlx5_core]  mlx5_eswitch_unload_sf_vport+0x40/0x90 [mlx5_core]  mlx5_sf_esw_event+0xc4/0x120 [mlx5_core]  notifier_call_chain+0x33/0xa0  blocking_notifier_call_chain+0x3b/0x50  mlx5_eswitch_disable_locked+0x50/0x110 [mlx5_core]  mlx5_eswitch_disable+0x63/0x90 [mlx5_core]  mlx5_unload+0x1d/0x170 [mlx5_core]  mlx5_uninit_one+0xa2/0x130 [mlx5_core]  remove_one+0x78/0xd0 [mlx5_core]  pci_device_remove+0x39/0xa0  device_release_driver_internal+0x194/0x1f0  unbind_store+0x99/0xa0  kernfs_fop_write_iter+0x12e/0x1e0  vfs_write+0x215/0x3d0  ksys_write+0x5f/0xd0  do_syscall_64+0x53/0x1f0  entry_SYSCALL_64_after_hwframe+0x4b/0x53",null,[],[],[],[14],{"_key":15},"CVE-2025-40251",[17,19],{"_key":18},"DLA-4499-1",{"_key":20},"DSA-6163-1",[],[],"2025-12-04T16:16:18.663Z","2026-04-28T20:30:09.536898Z",{"cisa_kev":26,"cisa_ransomware":26,"cisa_vendor":9,"epss_severity":9,"epss_score":9,"severity":9,"severity_score":9,"severity_version":9,"severity_source":9,"severity_vector":9,"severity_status":9},false,[28],{"url":29,"sources":30,"tags":32},"https://security-tracker.debian.org/tracker/CVE-2025-40251",[31],"osv_debian",[33],"Advisory",[],[],[37],{"source":31,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":38,"cvss_v4_0":9},{"baseScore":39,"baseSeverity":9,"vectorString":40,"impactScore":41,"exploitabilityScore":42},5.5,"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",6,4.6,[44,64],{"ecosystem":45,"name":46,"vendor":47,"product":46,"cpe_part":9,"purl_type":48,"purl_namespace":47,"purl_name":46,"source":9,"versions":49},"Debian","linux","debian","deb",[50,54,58,61],{"version":51,"is_range":52,"range_type":53,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"all",true,"ecosystem",{"version":55,"is_range":52,"range_type":53,"version_start":9,"version_start_type":9,"version_end":56,"version_end_type":57,"fixed_in":9},"lt6_1_164_1","6.1.164-1","excluding",{"version":59,"is_range":52,"range_type":53,"version_start":9,"version_start_type":9,"version_end":60,"version_end_type":57,"fixed_in":9},"lt6_12_63_1","6.12.63-1",{"version":62,"is_range":52,"range_type":53,"version_start":9,"version_start_type":9,"version_end":63,"version_end_type":57,"fixed_in":9},"lt6_17_10_1","6.17.10-1",{"ecosystem":45,"name":65,"vendor":47,"product":65,"cpe_part":9,"purl_type":48,"purl_namespace":47,"purl_name":65,"source":9,"versions":66},"linux-6.1",[67],{"version":68,"is_range":52,"range_type":53,"version_start":9,"version_start_type":9,"version_end":69,"version_end_type":57,"fixed_in":9},"lt6_1_164_1~deb11u1","6.1.164-1~deb11u1"]