Acknowledged
Created: Jun 19, 2025
Updated: Jun 20, 2025
Found In Version: 10.22.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 22
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:EOL][EOL]nvmet-tcp: don't restore null sk_state_change[EOL][EOL]queue->state_change is set as part of nvmet_tcp_set_queue_sock(), but if[EOL]the TCP connection isn't established when nvmet_tcp_set_queue_sock() is[EOL]called then queue->state_change isn't set and sock->sk->sk_state_change[EOL]isn't replaced.[EOL][EOL]As such we don't need to restore sock->sk->sk_state_change if[EOL]queue->state_change is NULL.[EOL][EOL]This avoids NULL pointer dereferences such as this:[EOL][EOL][ 286.462026][ C0] BUG: kernel NULL pointer dereference, address: 0000000000000000[EOL][ 286.462814][ C0] #PF: supervisor instruction fetch in kernel mode[EOL][ 286.463796][ C0] #PF: error_code(0x0010) - not-present page[EOL][ 286.464392][ C0] PGD 8000000140620067 P4D 8000000140620067 PUD 114201067 PMD 0[EOL][ 286.465086][ C0] Oops: Oops: 0010 [#1] SMP KASAN PTI[EOL][ 286.465559][ C0] CPU: 0 UID: 0 PID: 1628 Comm: nvme Not tainted 6.15.0-rc2+ #11 PREEMPT(voluntary)[EOL][ 286.466393][ C0] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014[EOL][ 286.467147][ C0] RIP: 0010:0x0[EOL][ 286.467420][ C0] Code: Unable to access opcode bytes at 0xffffffffffffffd6.[EOL][ 286.467977][ C0] RSP: 0018:ffff8883ae008580 EFLAGS: 00010246[EOL][ 286.468425][ C0] RAX: 0000000000000000 RBX: ffff88813fd34100 RCX: ffffffffa386cc43[EOL][ 286.469019][ C0] RDX: 1ffff11027fa68b6 RSI: 0000000000000008 RDI: ffff88813fd34100[EOL][ 286.469545][ C0] RBP: ffff88813fd34160 R08: 0000000000000000 R09: ffffed1027fa682c[EOL][ 286.470072][ C0] R10: ffff88813fd34167 R11: 0000000000000000 R12: ffff88813fd344c3[EOL][ 286.470585][ C0] R13: ffff88813fd34112 R14: ffff88813fd34aec R15: ffff888132cdd268[EOL][ 286.471070][ C0] FS: 00007fe3c04c7d80(0000) GS:ffff88840743f000(0000) knlGS:0000000000000000[EOL][ 286.471644][ C0] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033[EOL][ 286.472543][ C0] CR2: ffffffffffffffd6 CR3: 000000012daca000 CR4: 00000000000006f0[EOL][ 286.473500][ C0] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000[EOL][ 286.474467][ C0] DR3: 0000000000000000 DR6: 00000000ffff07f0 DR7: 0000000000000400[EOL][ 286.475453][ C0] Call Trace:[EOL][ 286.476102][ C0] <IRQ>[EOL][ 286.476719][ C0] tcp_fin+0x2bb/0x440[EOL][ 286.477429][ C0] tcp_data_queue+0x190f/0x4e60[EOL][ 286.478174][ C0] ? __build_skb_around+0x234/0x330[EOL][ 286.478940][ C0] ? rcu_is_watching+0x11/0xb0[EOL][ 286.479659][ C0] ? __pfx_tcp_data_queue+0x10/0x10[EOL][ 286.480431][ C0] ? tcp_try_undo_loss+0x640/0x6c0[EOL][ 286.481196][ C0] ? seqcount_lockdep_reader_access.constprop.0+0x82/0x90[EOL][ 286.482046][ C0] ? kvm_clock_get_cycles+0x14/0x30[EOL][ 286.482769][ C0] ? ktime_get+0x66/0x150[EOL][ 286.483433][ C0] ? rcu_is_watching+0x11/0xb0[EOL][ 286.484146][ C0] tcp_rcv_established+0x6e4/0x2050[EOL][ 286.484857][ C0] ? rcu_is_watching+0x11/0xb0[EOL][ 286.485523][ C0] ? ipv4_dst_check+0x160/0x2b0[EOL][ 286.486203][ C0] ? __pfx_tcp_rcv_established+0x10/0x10[EOL][ 286.486917][ C0] ? lock_release+0x217/0x2c0[EOL][ 286.487595][ C0] tcp_v4_do_rcv+0x4d6/0x9b0[EOL][ 286.488279][ C0] tcp_v4_rcv+0x2af8/0x3e30[EOL][ 286.488904][ C0] ? raw_local_deliver+0x51b/0xad0[EOL][ 286.489551][ C0] ? rcu_is_watching+0x11/0xb0[EOL][ 286.490198][ C0] ? __pfx_tcp_v4_rcv+0x10/0x10[EOL][ 286.490813][ C0] ? __pfx_raw_local_deliver+0x10/0x10[EOL][ 286.491487][ C0] ? __pfx_nf_confirm+0x10/0x10 [nf_conntrack][EOL][ 286.492275][ C0] ? rcu_is_watching+0x11/0xb0[EOL][ 286.492900][ C0] ip_protocol_deliver_rcu+0x8f/0x370[EOL][ 286.493579][ C0] ip_local_deliver_finish+0x297/0x420[EOL][ 286.494268][ C0] ip_local_deliver+0x168/0x430[EOL][ 286.494867][ C0] ? __pfx_ip_local_deliver+0x10/0x10[EOL][ 286.495498][ C0] ? __pfx_ip_local_deliver_finish+0x10/0x10[EOL][ 286.496204][ C0] ? ip_rcv_finish_core+0x19a/0x1f20[EOL][ 286.496806][ C0] ? lock_release+0x217/0x2c0[EOL][ 286.497414][ C0] ip_rcv+0x455/0x6e0[EOL][ 286.497945][ C0] ? __pfx_ip_rcv+0x10/0x10[EOL][ [EOL]---truncated---
CREATE(Triage):(User=lchen-cn) [CVE-2025-38035 (https://nvd.nist.gov/vuln/detail/CVE-2025-38035)
