Wind River Support Network

Description

In the Linux kernel, the following vulnerability has been resolved:EOL][EOL]bpf, sockmap: Fix panic when calling skb_linearize[EOL][EOL]The panic can be reproduced by executing the command:[EOL]./bench sockmap -c 2 -p 1 -a --rx-verdict-ingress --rx-strp 100000[EOL][EOL]Then a kernel panic was captured:[EOL]'''[EOL][  657.460555] kernel BUG at net/core/skbuff.c:2178![EOL][  657.462680] Tainted: [W]=WARN[EOL][  657.463287] Workqueue: events sk_psock_backlog[EOL]...[EOL][  657.469610]  <TASK>[EOL][  657.469738]  ? die+0x36/0x90[EOL][  657.469916]  ? do_trap+0x1d0/0x270[EOL][  657.470118]  ? pskb_expand_head+0x612/0xf40[EOL][  657.470376]  ? pskb_expand_head+0x612/0xf40[EOL][  657.470620]  ? do_error_trap+0xa3/0x170[EOL][  657.470846]  ? pskb_expand_head+0x612/0xf40[EOL][  657.471092]  ? handle_invalid_op+0x2c/0x40[EOL][  657.471335]  ? pskb_expand_head+0x612/0xf40[EOL][  657.471579]  ? exc_invalid_op+0x2d/0x40[EOL][  657.471805]  ? asm_exc_invalid_op+0x1a/0x20[EOL][  657.472052]  ? pskb_expand_head+0xd1/0xf40[EOL][  657.472292]  ? pskb_expand_head+0x612/0xf40[EOL][  657.472540]  ? lock_acquire+0x18f/0x4e0[EOL][  657.472766]  ? find_held_lock+0x2d/0x110[EOL][  657.472999]  ? __pfx_pskb_expand_head+0x10/0x10[EOL][  657.473263]  ? __kmalloc_cache_noprof+0x5b/0x470[EOL][  657.473537]  ? __pfx___lock_release.isra.0+0x10/0x10[EOL][  657.473826]  __pskb_pull_tail+0xfd/0x1d20[EOL][  657.474062]  ? __kasan_slab_alloc+0x4e/0x90[EOL][  657.474707]  sk_psock_skb_ingress_enqueue+0x3bf/0x510[EOL][  657.475392]  ? __kasan_kmalloc+0xaa/0xb0[EOL][  657.476010]  sk_psock_backlog+0x5cf/0xd70[EOL][  657.476637]  process_one_work+0x858/0x1a20[EOL]'''[EOL][EOL]The panic originates from the assertion BUG_ON(skb_shared(skb)) in[EOL]skb_linearize(). A previous commit(see Fixes tag) introduced skb_get()[EOL]to avoid race conditions between skb operations in the backlog and skb[EOL]release in the recvmsg path. However, this caused the panic to always[EOL]occur when skb_linearize is executed.[EOL][EOL]The "--rx-strp 100000" parameter forces the RX path to use the strparser[EOL]module which aggregates data until it reaches 100KB before calling sockmap[EOL]logic. The 100KB payload exceeds MAX_MSG_FRAGS, triggering skb_linearize.[EOL][EOL]To fix this issue, just move skb_get into sk_psock_skb_ingress_enqueue.[EOL][EOL]'''[EOL]sk_psock_backlog:[EOL]    sk_psock_handle_skb[EOL]       skb_get(skb) <== we move it into 'sk_psock_skb_ingress_enqueue'[EOL]       sk_psock_skb_ingress____________[EOL]                                       ?[EOL]                                        ([EOL)                                       | ? sk_psock_skb_ingress_selfEOL]                                        (      sk_psock_skb_ingress_enqueue[EOL)sk_psock_verdict_apply_________________?          skb_linearizeEOL]'''[EOL][EOL]Note that for verdict_apply path, the skb_get operation is unnecessary so[EOL]we add 'take_ref' param to control it's behavior.

CREATE(Triage):(User=lchen-cn) [CVE-2025-38165 (https://nvd.nist.gov/vuln/detail/CVE-2025-38165)

CVEs

• CVE-2025-38165