Fixed

LIN1024-13805 : Security Advisory - linux - CVE-2025-40350

Created: Dec 16, 2025    Updated: Dec 18, 2025
Resolved Date: Dec 17, 2025
Found In Version: 10.24.33.1
Fix Version: 10.24.33.14
Severity: Standard
Applicable for: Wind River Linux LTS 24
Component/s: Kernel

Description

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: RX, Fix generating skb from non-linear xdp_buff for striding RQ

XDP programs can change the layout of an xdp_buff through bpf_xdp_adjust_tail() and bpf_xdp_adjust_head(). Therefore, the driver cannot assume the size of the linear data area nor fragments. Fix the bug in mlx5 by generating skb according to xdp_buff after XDP programs run.

Currently, when handling multi-buf XDP, the mlx5 driver assumes the layout of an xdp_buff to be unchanged. That is, the linear data area continues to be empty and fragments remain the same. This may cause the driver to generate erroneous skb or trigger a kernel warning. When an XDP program added linear data through bpf_xdp_adjust_head(), the linear data will be ignored as mlx5e_build_linear_skb() builds an skb without linear data and then pulls data from fragments to fill the linear data area. When an XDP program has shrunk the non-linear data through bpf_xdp_adjust_tail(), the delta passed to __pskb_pull_tail() may exceed the actual nonlinear data size and trigger the BUG_ON in it.

To fix the issue, first record the original number of fragments. If the number of fragments changes after the XDP program runs, rewind the end fragment pointer by the difference and recalculate the truesize. Then, build the skb with the linear data area matching the xdp_buff. Finally, only pull data in if there is non-linear data and fill the linear part up to 256 bytes.
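The order of operations in the fix can be followed in a small userspace model. This is an added example, not code from the mlx5 driver or the kernel: every `model_` name and `MODEL_` constant is hypothetical, the pull size planned before the XDP program ran is passed in as an assumed input, and "fill the linear part up to 256 bytes" is read as topping the linear area up to at most 256 bytes.

```c
#include <stdio.h>
#include <stddef.h>

#define MODEL_MAX_FRAGS 8
#define MODEL_HEAD_CAP  256 /* "up to 256 bytes" in the description */

/* Userspace model of a multi-buffer xdp_buff (hypothetical field names). */
struct model_xdp_buff {
    size_t linear_len;                /* bytes in the linear data area */
    size_t nr_frags;                  /* fragments still attached */
    size_t frag_len[MODEL_MAX_FRAGS]; /* bytes in each fragment */
};
struct model_skb_plan { size_t frags_rewound, linear_len, pull; };

static size_t model_nonlinear_len(const struct model_xdp_buff *x) {
    size_t total = 0;
    for (size_t i = 0; i < x->nr_frags && i < MODEL_MAX_FRAGS; i++)
        total += x->frag_len[i];
    return total;
}

/* Pre-fix assumption: the layout is unchanged, so a pull size chosen before
 * the XDP program ran is used as-is. Returns -1 where the requested delta
 * exceeds the non-linear data, the condition the description ties to BUG_ON. */
static long model_pull_assuming_unchanged(const struct model_xdp_buff *after,
                                          size_t planned_pull) {
    return planned_pull > model_nonlinear_len(after) ? -1 : (long)planned_pull;
}

/* Post-fix order: rewind by the fragment-count difference, keep the linear
 * length the xdp_buff reports, and pull only if non-linear data remains. */
static struct model_skb_plan model_plan_after_xdp(size_t orig_nr_frags,
                                      const struct model_xdp_buff *after) {
    struct model_skb_plan p = { 0, after->linear_len, 0 };
    size_t nonlinear = model_nonlinear_len(after);
    if (after->nr_frags < orig_nr_frags)
        p.frags_rewound = orig_nr_frags - after->nr_frags;
    if (nonlinear > 0 && p.linear_len < MODEL_HEAD_CAP) {
        size_t room = MODEL_HEAD_CAP - p.linear_len;
        p.pull = room < nonlinear ? room : nonlinear;
    }
    return p;
}

int main(void) {
    /* Constructed case: adjust_tail shrank 2 frags to one 100-byte frag. */
    struct model_xdp_buff shrunk = { 0, 1, { 100 } };
    struct model_skb_plan p = model_plan_after_xdp(2, &shrunk);
    printf("assumed=%ld rewound=%zu pull=%zu\n",
           model_pull_assuming_unchanged(&shrunk, 256), p.frags_rewound, p.pull);
    return 0;
}
```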
