Unrated severityNVD Advisory· Published Jun 3, 2026
CVE-2026-46249
CVE-2026-46249
Description
Linux kernel octeontx2-af driver crashes during kexec reboot due to stale hardware state if AF driver is not properly reinitialized.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Linux kernel octeontx2-af driver crashes during kexec reboot due to stale hardware state if AF driver is not properly reinitialized.
Vulnerability
In the Linux kernel's octeontx2-af driver, a crash can occur during a kexec kernel reboot. This happens because the hardware is not power-cycled, allowing the AF (Address Family) state from the old kernel to persist. If the AF and PF (Physical Function) drivers are loaded as modules, the PF driver might probe before the AF driver fully reinitializes the hardware. The PF driver incorrectly uses the RVUM block revision to determine AF initialization completion. If this revision is not cleared during AF shutdown, the PF driver may assume AF is ready and access stale hardware state, leading to a crash [1].
Exploitation
Exploitation requires a kexec reboot to occur. The vulnerability is triggered when the PF driver probes before the AF driver has completed hardware reinitialization after the kexec process. This scenario is more likely when both AF and PF drivers are built as loadable modules. An attacker would need to initiate a kexec reboot on a system with the vulnerable kernel and module configuration [1].
Impact
Successful exploitation of this vulnerability leads to a crash of the PF driver within the Linux kernel. This crash results in a denial of service, rendering the affected system inoperable. The specific impact is a system crash, preventing normal operation [1].
Mitigation
This vulnerability has been resolved by clearing the RVUM block revision during AF shutdown to prevent the PF driver from misinterpreting AF readiness after a kexec reboot. The fix is available in the Linux kernel. Specific patched versions are not detailed in the available references, but the commit is referenced [1].
References
AI Insight generated on Jun 3, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
167d56ba306e93octeontx2-af: Fix PF driver crash with kexec kernel booting
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitAnshumali GaurFixed in 6.12.75via kernel-cna
1 file changed · +11 −1
drivers/net/ethernet/marvell/octeontx2/af/rvu.c+11 −1 modifieddiff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c index 74201e0210bbf..d5e2ebedd433e 100644 --- a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c +++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c @@ -3529,11 +3529,22 @@ static void rvu_remove(struct pci_dev *pdev) devm_kfree(&pdev->dev, rvu); } +static void rvu_shutdown(struct pci_dev *pdev) +{ + struct rvu *rvu = pci_get_drvdata(pdev); + + if (!rvu) + return; + + rvu_clear_rvum_blk_revid(rvu); +} + static struct pci_driver rvu_driver = { .name = DRV_NAME, .id_table = rvu_id_table, .probe = rvu_probe, .remove = rvu_remove, + .shutdown = rvu_shutdown, }; static int __init rvu_init_module(void) -- cgit 1.3-korg
b7605b9301abocteontx2-af: Fix PF driver crash with kexec kernel booting
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitAnshumali GaurFixed in 5.10.252via kernel-cna
1 file changed · +11 −1
drivers/net/ethernet/marvell/octeontx2/af/rvu.c+11 −1 modifieddiff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c index 3514564e2cc60..217b6873a64c6 100644 --- a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c +++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c @@ -2880,11 +2880,22 @@ static void rvu_remove(struct pci_dev *pdev) devm_kfree(&pdev->dev, rvu); } +static void rvu_shutdown(struct pci_dev *pdev) +{ + struct rvu *rvu = pci_get_drvdata(pdev); + + if (!rvu) + return; + + rvu_clear_rvum_blk_revid(rvu); +} + static struct pci_driver rvu_driver = { .name = DRV_NAME, .id_table = rvu_id_table, .probe = rvu_probe, .remove = rvu_remove, + .shutdown = rvu_shutdown, }; static int __init rvu_init_module(void) -- cgit 1.3-korg
9769a09afda2octeontx2-af: Fix PF driver crash with kexec kernel booting
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitAnshumali GaurFixed in 5.15.202via kernel-cna
1 file changed · +11 −1
drivers/net/ethernet/marvell/octeontx2/af/rvu.c+11 −1 modifieddiff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c index 53f742a507dbe..187c66fb2458c 100644 --- a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c +++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c @@ -3331,11 +3331,22 @@ static void rvu_remove(struct pci_dev *pdev) devm_kfree(&pdev->dev, rvu); } +static void rvu_shutdown(struct pci_dev *pdev) +{ + struct rvu *rvu = pci_get_drvdata(pdev); + + if (!rvu) + return; + + rvu_clear_rvum_blk_revid(rvu); +} + static struct pci_driver rvu_driver = { .name = DRV_NAME, .id_table = rvu_id_table, .probe = rvu_probe, .remove = rvu_remove, + .shutdown = rvu_shutdown, }; static int __init rvu_init_module(void) -- cgit 1.3-korg
57821d1436baocteontx2-af: Fix PF driver crash with kexec kernel booting
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitAnshumali GaurFixed in 6.1.165via kernel-cna
1 file changed · +11 −1
drivers/net/ethernet/marvell/octeontx2/af/rvu.c+11 −1 modifieddiff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c index 7034a977102ea..1e3661524040a 100644 --- a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c +++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c @@ -3442,11 +3442,22 @@ static void rvu_remove(struct pci_dev *pdev) devm_kfree(&pdev->dev, rvu); } +static void rvu_shutdown(struct pci_dev *pdev) +{ + struct rvu *rvu = pci_get_drvdata(pdev); + + if (!rvu) + return; + + rvu_clear_rvum_blk_revid(rvu); +} + static struct pci_driver rvu_driver = { .name = DRV_NAME, .id_table = rvu_id_table, .probe = rvu_probe, .remove = rvu_remove, + .shutdown = rvu_shutdown, }; static int __init rvu_init_module(void) -- cgit 1.3-korg
8b5ed7c5417bocteontx2-af: Fix PF driver crash with kexec kernel booting
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitAnshumali GaurFixed in 6.6.128via kernel-cna
1 file changed · +11 −1
drivers/net/ethernet/marvell/octeontx2/af/rvu.c+11 −1 modifieddiff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c index 846049b6c4d60..a7fcea9b1ee7e 100644 --- a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c +++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c @@ -3444,11 +3444,22 @@ static void rvu_remove(struct pci_dev *pdev) devm_kfree(&pdev->dev, rvu); } +static void rvu_shutdown(struct pci_dev *pdev) +{ + struct rvu *rvu = pci_get_drvdata(pdev); + + if (!rvu) + return; + + rvu_clear_rvum_blk_revid(rvu); +} + static struct pci_driver rvu_driver = { .name = DRV_NAME, .id_table = rvu_id_table, .probe = rvu_probe, .remove = rvu_remove, + .shutdown = rvu_shutdown, }; static int __init rvu_init_module(void) -- cgit 1.3-korg
9c3398e5b3a9octeontx2-af: Fix PF driver crash with kexec kernel booting
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitAnshumali GaurFixed in 6.18.14via kernel-cna
1 file changed · +11 −1
drivers/net/ethernet/marvell/octeontx2/af/rvu.c+11 −1 modifieddiff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c index 747fbdf2a908f..8530df8b3fdaf 100644 --- a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c +++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c @@ -3632,11 +3632,22 @@ static void rvu_remove(struct pci_dev *pdev) devm_kfree(&pdev->dev, rvu); } +static void rvu_shutdown(struct pci_dev *pdev) +{ + struct rvu *rvu = pci_get_drvdata(pdev); + + if (!rvu) + return; + + rvu_clear_rvum_blk_revid(rvu); +} + static struct pci_driver rvu_driver = { .name = DRV_NAME, .id_table = rvu_id_table, .probe = rvu_probe, .remove = rvu_remove, + .shutdown = rvu_shutdown, }; static int __init rvu_init_module(void) -- cgit 1.3-korg
1370736836a1octeontx2-af: Fix PF driver crash with kexec kernel booting
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitAnshumali GaurFixed in 6.19.4via kernel-cna
1 file changed · +11 −1
drivers/net/ethernet/marvell/octeontx2/af/rvu.c+11 −1 modifieddiff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c index 747fbdf2a908f..8530df8b3fdaf 100644 --- a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c +++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c @@ -3632,11 +3632,22 @@ static void rvu_remove(struct pci_dev *pdev) devm_kfree(&pdev->dev, rvu); } +static void rvu_shutdown(struct pci_dev *pdev) +{ + struct rvu *rvu = pci_get_drvdata(pdev); + + if (!rvu) + return; + + rvu_clear_rvum_blk_revid(rvu); +} + static struct pci_driver rvu_driver = { .name = DRV_NAME, .id_table = rvu_id_table, .probe = rvu_probe, .remove = rvu_remove, + .shutdown = rvu_shutdown, }; static int __init rvu_init_module(void) -- cgit 1.3-korg
2d2d574309e3octeontx2-af: Fix PF driver crash with kexec kernel booting
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitAnshumali GaurFixed in 7.0via kernel-cna
1 file changed · +11 −1
drivers/net/ethernet/marvell/octeontx2/af/rvu.c+11 −1 modifieddiff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c index 747fbdf2a908f..8530df8b3fdaf 100644 --- a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c +++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c @@ -3632,11 +3632,22 @@ static void rvu_remove(struct pci_dev *pdev) devm_kfree(&pdev->dev, rvu); } +static void rvu_shutdown(struct pci_dev *pdev) +{ + struct rvu *rvu = pci_get_drvdata(pdev); + + if (!rvu) + return; + + rvu_clear_rvum_blk_revid(rvu); +} + static struct pci_driver rvu_driver = { .name = DRV_NAME, .id_table = rvu_id_table, .probe = rvu_probe, .remove = rvu_remove, + .shutdown = rvu_shutdown, }; static int __init rvu_init_module(void) -- cgit 1.3-korg
b7605b9301abocteontx2-af: Fix PF driver crash with kexec kernel booting
1 file changed · +11 −1
drivers/net/ethernet/marvell/octeontx2/af/rvu.c+11 −1 modifieddiff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c index 3514564e2cc60..217b6873a64c6 100644 --- a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c +++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c @@ -2880,11 +2880,22 @@ static void rvu_remove(struct pci_dev *pdev) devm_kfree(&pdev->dev, rvu); } +static void rvu_shutdown(struct pci_dev *pdev) +{ + struct rvu *rvu = pci_get_drvdata(pdev); + + if (!rvu) + return; + + rvu_clear_rvum_blk_revid(rvu); +} + static struct pci_driver rvu_driver = { .name = DRV_NAME, .id_table = rvu_id_table, .probe = rvu_probe, .remove = rvu_remove, + .shutdown = rvu_shutdown, }; static int __init rvu_init_module(void) -- cgit 1.3-korg
2d2d574309e3octeontx2-af: Fix PF driver crash with kexec kernel booting
1 file changed · +11 −1
drivers/net/ethernet/marvell/octeontx2/af/rvu.c+11 −1 modifieddiff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c index 747fbdf2a908f..8530df8b3fdaf 100644 --- a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c +++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c @@ -3632,11 +3632,22 @@ static void rvu_remove(struct pci_dev *pdev) devm_kfree(&pdev->dev, rvu); } +static void rvu_shutdown(struct pci_dev *pdev) +{ + struct rvu *rvu = pci_get_drvdata(pdev); + + if (!rvu) + return; + + rvu_clear_rvum_blk_revid(rvu); +} + static struct pci_driver rvu_driver = { .name = DRV_NAME, .id_table = rvu_id_table, .probe = rvu_probe, .remove = rvu_remove, + .shutdown = rvu_shutdown, }; static int __init rvu_init_module(void) -- cgit 1.3-korg
7d56ba306e93octeontx2-af: Fix PF driver crash with kexec kernel booting
1 file changed · +11 −1
drivers/net/ethernet/marvell/octeontx2/af/rvu.c+11 −1 modifieddiff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c index 74201e0210bbf..d5e2ebedd433e 100644 --- a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c +++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c @@ -3529,11 +3529,22 @@ static void rvu_remove(struct pci_dev *pdev) devm_kfree(&pdev->dev, rvu); } +static void rvu_shutdown(struct pci_dev *pdev) +{ + struct rvu *rvu = pci_get_drvdata(pdev); + + if (!rvu) + return; + + rvu_clear_rvum_blk_revid(rvu); +} + static struct pci_driver rvu_driver = { .name = DRV_NAME, .id_table = rvu_id_table, .probe = rvu_probe, .remove = rvu_remove, + .shutdown = rvu_shutdown, }; static int __init rvu_init_module(void) -- cgit 1.3-korg
1370736836a1octeontx2-af: Fix PF driver crash with kexec kernel booting
1 file changed · +11 −1
drivers/net/ethernet/marvell/octeontx2/af/rvu.c+11 −1 modifieddiff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c index 747fbdf2a908f..8530df8b3fdaf 100644 --- a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c +++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c @@ -3632,11 +3632,22 @@ static void rvu_remove(struct pci_dev *pdev) devm_kfree(&pdev->dev, rvu); } +static void rvu_shutdown(struct pci_dev *pdev) +{ + struct rvu *rvu = pci_get_drvdata(pdev); + + if (!rvu) + return; + + rvu_clear_rvum_blk_revid(rvu); +} + static struct pci_driver rvu_driver = { .name = DRV_NAME, .id_table = rvu_id_table, .probe = rvu_probe, .remove = rvu_remove, + .shutdown = rvu_shutdown, }; static int __init rvu_init_module(void) -- cgit 1.3-korg
57821d1436baocteontx2-af: Fix PF driver crash with kexec kernel booting
1 file changed · +11 −1
drivers/net/ethernet/marvell/octeontx2/af/rvu.c+11 −1 modifieddiff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c index 7034a977102ea..1e3661524040a 100644 --- a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c +++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c @@ -3442,11 +3442,22 @@ static void rvu_remove(struct pci_dev *pdev) devm_kfree(&pdev->dev, rvu); } +static void rvu_shutdown(struct pci_dev *pdev) +{ + struct rvu *rvu = pci_get_drvdata(pdev); + + if (!rvu) + return; + + rvu_clear_rvum_blk_revid(rvu); +} + static struct pci_driver rvu_driver = { .name = DRV_NAME, .id_table = rvu_id_table, .probe = rvu_probe, .remove = rvu_remove, + .shutdown = rvu_shutdown, }; static int __init rvu_init_module(void) -- cgit 1.3-korg
8b5ed7c5417bocteontx2-af: Fix PF driver crash with kexec kernel booting
1 file changed · +11 −1
drivers/net/ethernet/marvell/octeontx2/af/rvu.c+11 −1 modifieddiff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c index 846049b6c4d60..a7fcea9b1ee7e 100644 --- a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c +++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c @@ -3444,11 +3444,22 @@ static void rvu_remove(struct pci_dev *pdev) devm_kfree(&pdev->dev, rvu); } +static void rvu_shutdown(struct pci_dev *pdev) +{ + struct rvu *rvu = pci_get_drvdata(pdev); + + if (!rvu) + return; + + rvu_clear_rvum_blk_revid(rvu); +} + static struct pci_driver rvu_driver = { .name = DRV_NAME, .id_table = rvu_id_table, .probe = rvu_probe, .remove = rvu_remove, + .shutdown = rvu_shutdown, }; static int __init rvu_init_module(void) -- cgit 1.3-korg
9769a09afda2octeontx2-af: Fix PF driver crash with kexec kernel booting
1 file changed · +11 −1
drivers/net/ethernet/marvell/octeontx2/af/rvu.c+11 −1 modifieddiff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c index 53f742a507dbe..187c66fb2458c 100644 --- a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c +++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c @@ -3331,11 +3331,22 @@ static void rvu_remove(struct pci_dev *pdev) devm_kfree(&pdev->dev, rvu); } +static void rvu_shutdown(struct pci_dev *pdev) +{ + struct rvu *rvu = pci_get_drvdata(pdev); + + if (!rvu) + return; + + rvu_clear_rvum_blk_revid(rvu); +} + static struct pci_driver rvu_driver = { .name = DRV_NAME, .id_table = rvu_id_table, .probe = rvu_probe, .remove = rvu_remove, + .shutdown = rvu_shutdown, }; static int __init rvu_init_module(void) -- cgit 1.3-korg
9c3398e5b3a9octeontx2-af: Fix PF driver crash with kexec kernel booting
1 file changed · +11 −1
drivers/net/ethernet/marvell/octeontx2/af/rvu.c+11 −1 modifieddiff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c index 747fbdf2a908f..8530df8b3fdaf 100644 --- a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c +++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c @@ -3632,11 +3632,22 @@ static void rvu_remove(struct pci_dev *pdev) devm_kfree(&pdev->dev, rvu); } +static void rvu_shutdown(struct pci_dev *pdev) +{ + struct rvu *rvu = pci_get_drvdata(pdev); + + if (!rvu) + return; + + rvu_clear_rvum_blk_revid(rvu); +} + static struct pci_driver rvu_driver = { .name = DRV_NAME, .id_table = rvu_id_table, .probe = rvu_probe, .remove = rvu_remove, + .shutdown = rvu_shutdown, }; static int __init rvu_init_module(void) -- cgit 1.3-korg
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
8- git.kernel.org/stable/c/1370736836a18b5e0cd74bcc9cffe11d21f1fe79nvd
- git.kernel.org/stable/c/2d2d574309e3ae84ee794869a5da8b4c38753a94nvd
- git.kernel.org/stable/c/57821d1436ba1c6a6973aa32d54166fdec35558cnvd
- git.kernel.org/stable/c/7d56ba306e93d04696718963fb4cda2883ee7585nvd
- git.kernel.org/stable/c/8b5ed7c5417b7013d35b6f2507dab739013ba1a9nvd
- git.kernel.org/stable/c/9769a09afda20a006b528b9e723effcae45965b2nvd
- git.kernel.org/stable/c/9c3398e5b3a914b74276d44ab54c49123b89c61anvd
- git.kernel.org/stable/c/b7605b9301abc18fbbf2b0e23fdd281fc768955dnvd
News mentions
1- Linux Kernel: 25 Vulnerabilities Disclosed in Single Batch on June 3, 2026Vypr Intelligence · Jun 3, 2026