Wind River Support Network

Description

In the Linux kernel, the following vulnerability has been resolved:EOL][EOL]bpf: Disable migration in nf_hook_run_bpf().[EOL][EOL]syzbot reported that the netfilter bpf prog can be called without[EOL]migration disabled in xmit path.[EOL][EOL]Then the assertion in __bpf_prog_run() fails, triggering the splat[EOL]below. [0][EOL][EOL]Let's use bpf_prog_run_pin_on_cpu() in nf_hook_run_bpf().[EOL][EOL][0]:[EOL]BUG: assuming non migratable context at ./include/linux/filter.h:703[EOL]in_atomic(): 0, irqs_disabled(): 0, migration_disabled() 0 pid: 5829, name: sshd-session[EOL]3 locks held by sshd-session/5829:[EOL] #0: ffff88807b4e4218 (sk_lock-AF_INET){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1667 [inline][EOL] #0: ffff88807b4e4218 (sk_lock-AF_INET){+.+.}-{0:0}, at: tcp_sendmsg+0x20/0x50 net/ipv4/tcp.c:1395[EOL] #1: ffffffff8e5c4e00 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline][EOL] #1: ffffffff8e5c4e00 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline][EOL] #1: ffffffff8e5c4e00 (rcu_read_lock){....}-{1:3}, at: __ip_queue_xmit+0x69/0x26c0 net/ipv4/ip_output.c:470[EOL] #2: ffffffff8e5c4e00 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline][EOL] #2: ffffffff8e5c4e00 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline][EOL] #2: ffffffff8e5c4e00 (rcu_read_lock){....}-{1:3}, at: nf_hook+0xb2/0x680 include/linux/netfilter.h:241[EOL]CPU: 0 UID: 0 PID: 5829 Comm: sshd-session Not tainted 6.16.0-rc6-syzkaller-00002-g155a3c003e55 #0 PREEMPT(full)[EOL]Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025[EOL]Call Trace:[EOL] <TASK>[EOL] __dump_stack lib/dump_stack.c:94 [inline][EOL] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120[EOL] __cant_migrate kernel/sched/core.c:8860 [inline][EOL] __cant_migrate+0x1c7/0x250 kernel/sched/core.c:8834[EOL] __bpf_prog_run include/linux/filter.h:703 [inline][EOL] bpf_prog_run include/linux/filter.h:725 [inline][EOL] nf_hook_run_bpf+0x83/0x1e0 net/netfilter/nf_bpf_link.c:20[EOL] nf_hook_entry_hookfn include/linux/netfilter.h:157 [inline][EOL] nf_hook_slow+0xbb/0x200 net/netfilter/core.c:623[EOL] nf_hook+0x370/0x680 include/linux/netfilter.h:272[EOL] NF_HOOK_COND include/linux/netfilter.h:305 [inline][EOL] ip_output+0x1bc/0x2a0 net/ipv4/ip_output.c:433[EOL] dst_output include/net/dst.h:459 [inline][EOL] ip_local_out net/ipv4/ip_output.c:129 [inline][EOL] __ip_queue_xmit+0x1d7d/0x26c0 net/ipv4/ip_output.c:527[EOL] __tcp_transmit_skb+0x2686/0x3e90 net/ipv4/tcp_output.c:1479[EOL] tcp_transmit_skb net/ipv4/tcp_output.c:1497 [inline][EOL] tcp_write_xmit+0x1274/0x84e0 net/ipv4/tcp_output.c:2838[EOL] __tcp_push_pending_frames+0xaf/0x390 net/ipv4/tcp_output.c:3021[EOL] tcp_push+0x225/0x700 net/ipv4/tcp.c:759[EOL] tcp_sendmsg_locked+0x1870/0x42b0 net/ipv4/tcp.c:1359[EOL] tcp_sendmsg+0x2e/0x50 net/ipv4/tcp.c:1396[EOL] inet_sendmsg+0xb9/0x140 net/ipv4/af_inet.c:851[EOL] sock_sendmsg_nosec net/socket.c:712 [inline][EOL] __sock_sendmsg net/socket.c:727 [inline][EOL] sock_write_iter+0x4aa/0x5b0 net/socket.c:1131[EOL] new_sync_write fs/read_write.c:593 [inline][EOL] vfs_write+0x6c7/0x1150 fs/read_write.c:686[EOL] ksys_write+0x1f8/0x250 fs/read_write.c:738[EOL] do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline][EOL] do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94[EOL] entry_SYSCALL_64_after_hwframe+0x77/0x7f[EOL]RIP: 0033:0x7fe7d365d407[EOL]Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff[EOL]RSP:

CREATE(Triage):(User=pbi-cn) [CVE-2025-38640 (https://nvd.nist.gov/vuln/detail/CVE-2025-38640)