In the Linux kernel, the following vulnerability has been resolved:
rtnetlink: Allocate vfinfo size for VF GUIDs when supported
Commit 30aad41721e0 ("net/core: Add support for getting VF GUIDs") added support for getting VF port and node GUIDs in netlink ifinfo messages, but their size was not taken into consideration in the function that allocates the netlink message, causing the following warning when a netlink message is filled with many VF port and node GUIDs:

  # echo 64 > /sys/bus/pci/devices/0000\:08\:00.0/sriov_numvfs
  # ip link show dev ib0
  RTNETLINK answers: Message too long
  Cannot send link get request: Message too long
Kernel warning:
  ------------[ cut here ]------------
  WARNING: CPU: 2 PID: 1930 at net/core/rtnetlink.c:4151 rtnl_getlink+0x586/0x5a0
  Modules linked in: xt_conntrack xt_MASQUERADE nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter overlay mlx5_ib macsec mlx5_core tls rpcrdma rdma_ucm ib_uverbs ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm iw_cm ib_ipoib fuse ib_cm ib_core
  CPU: 2 UID: 0 PID: 1930 Comm: ip Not tainted 6.14.0-rc2+ #1
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
  RIP: 0010:rtnl_getlink+0x586/0x5a0
  Code: cb 82 e8 3d af 0a 00 4d 85 ff 0f 84 08 ff ff ff 4c 89 ff 41 be ea ff ff ff e8 66 63 5b ff 49 c7 07 80 4f cb 82 e9 36 fc ff ff <0f> 0b e9 16 fe ff ff e8 de a0 56 00 66 66 2e 0f 1f 84 00 00 00 00
  RSP: 0018:ffff888113557348 EFLAGS: 00010246
  RAX: 00000000ffffffa6 RBX: ffff88817e87aa34 RCX: dffffc0000000000
  RDX: 0000000000000003 RSI: 0000000000000000 RDI: ffff88817e87afb8
  RBP: 0000000000000009 R08: ffffffff821f44aa R09: 0000000000000000
  R10: ffff8881260f79a8 R11: ffff88817e87af00 R12: ffff88817e87aa00
  R13: ffffffff8563d300 R14: 00000000ffffffa6 R15: 00000000ffffffff
  FS:  00007f63a5dbf280(0000) GS:ffff88881ee00000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 00007f63a5ba4493 CR3: 00000001700fe002 CR4: 0000000000772eb0
  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
  PKRU: 55555554
  Call Trace:
   <TASK>
   ? __warn+0xa5/0x230
   ? rtnl_getlink+0x586/0x5a0
   ? report_bug+0x22d/0x240
   ? handle_bug+0x53/0xa0
   ? exc_invalid_op+0x14/0x50
   ? asm_exc_invalid_op+0x16/0x20
   ? skb_trim+0x6a/0x80
   ? rtnl_getlink+0x586/0x5a0
   ? __pfx_rtnl_getlink+0x10/0x10
   ? rtnetlink_rcv_msg+0x1e5/0x860
   ? __pfx_mutex_lock+0x10/0x10
   ? rcu_is_watching+0x34/0x60
   ? __pfx_lock_acquire+0x10/0x10
   ? stack_trace_save+0x90/0xd0
   ? filter_irq_stacks+0x1d/0x70
   ? kasan_save_stack+0x30/0x40
   ? kasan_save_stack+0x20/0x40
   ? kasan_save_track+0x10/0x30
   rtnetlink_rcv_msg+0x21c/0x860
   ? entry_SYSCALL_64_after_hwframe+0x76/0x7e
   ? __pfx_rtnetlink_rcv_msg+0x10/0x10
   ? arch_stack_walk+0x9e/0xf0
   ? rcu_is_watching+0x34/0x60
   ? lock_acquire+0xd5/0x410
   ? rcu_is_watching+0x34/0x60
   netlink_rcv_skb+0xe0/0x210
   ? __pfx_rtnetlink_rcv_msg+0x10/0x10
   ? __pfx_netlink_rcv_skb+0x10/0x10
   ? rcu_is_watching+0x34/0x60
   ? __pfx_netlink_lookup+0x10/0x10
   ? lock_release+0x62/0x200
   ? netlink_deliver_tap+0xfd/0x290
   ? rcu_is_watching+0x34/0x60
   ? lock_release+0x62/0x200
   ? netlink_deliver_tap+0x95/0x290
   netlink_unicast+0x31f/0x480
   ? __pfx_netlink_unicast+0x10/0x10
   ? rcu_is_watching+0x34/0x60
   ? lock_acquire+0xd5/0x410
   netlink_sendmsg+0x369/0x660
   ? lock_release+0x62/0x200
   ? __pfx_netlink_sendmsg+0x10/0x10
   ? import_ubuf+0xb9/0xf0
   ? __import_iovec+0x254/0x2b0
   ? lock_release+0x62/0x200
   ? __pfx_netlink_sendmsg+0x10/0x10
   ___sys_sendmsg+0x559/0x5a0
   ? __pfx____sys_sendmsg+0x10/0x10
   ? __pfx_copy_msghdr_from_user+0x10/0x10
   ? rcu_is_watching+0x34/0x60
   ? do_read_fault+0x213/0x4a0
   ? rcu_is_watching+0x34/0x60
   __sys_sendmsg+0xe4/0x150
   ? __pfx___sys_sendmsg+0x10/0x10
   ? do_fault+0x2cc/0x6f0
   ? handle_pte_fault+0x2e3/0x3d0
   ? __pfx_handle_pte_fault+0x10/0x10
  ---truncated---
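An added example, not code from the kernel or from the fix: a small C model of rtnetlink's estimate-then-fill pattern, showing how leaving the two VF GUID attributes out of the size estimate makes the fill return -EMSGSIZE, the value visible as 0xffffffa6 (-90) in RAX and R14 above and the error rtnl_getlink() warns on. Attribute type numbers and payload sizes are assumptions for the model, which has none of the real message's slack from other attributes, so it fails with any VF count rather than only with many.

```c
/* Added example, not kernel code: models rtnetlink's estimate-then-fill pattern and
 * why omitting the VF GUID attributes from the estimate yields -EMSGSIZE. */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define NLA_ALIGN(len) (((len) + 3U) & ~3U)   /* netlink attributes are 4-byte aligned */
#define NLA_HDRLEN     4                       /* struct nlattr: u16 nla_len, u16 nla_type */
struct vf_attr { uint16_t type; size_t payload; };
/* Per-VF attributes (types/sizes assumed for the model): base ones such as mac, vlan,
 * tx_rate, plus node and port GUIDs (struct ifla_vf_guid) when the driver has them. */
static const struct vf_attr base_attrs[] = { {1, 36}, {2, 12}, {3, 8} };
static const struct vf_attr guid_attrs[] = { {10, 16}, {11, 16} };
static size_t nla_total_size(size_t payload) { return NLA_ALIGN(NLA_HDRLEN + payload); }

/* Bytes estimated per VF before allocating. Only the fixed variant counts the
 * GUID attributes, and only when the device supports them. */
size_t vf_estimate_size(int has_guid, int fixed)
{
    size_t sz = 0;
    for (size_t i = 0; i < 3; i++) sz += nla_total_size(base_attrs[i].payload);
    if (fixed && has_guid)
        sz += 2 * nla_total_size(guid_attrs[0].payload);
    return sz;
}
/* nla_put() stand-in: header, zeroed payload and padding; -EMSGSIZE if it does not fit. */
static int put_attr(uint8_t *buf, size_t cap, size_t *off, const struct vf_attr *a)
{
    size_t total = nla_total_size(a->payload);
    uint16_t hdr[2] = { (uint16_t)(NLA_HDRLEN + a->payload), a->type };
    if (*off + total > cap) return -EMSGSIZE;
    memcpy(buf + *off, hdr, sizeof hdr);
    memset(buf + *off + NLA_HDRLEN, 0, total - NLA_HDRLEN);
    *off += total;
    return 0;
}
/* Allocates num_vfs * estimate bytes, then fills every attribute each VF really has.
 * Returns 0, or -EMSGSIZE, the value rtnl_getlink() WARN_ONs on. */
int fill_vfinfo(int num_vfs, int has_guid, int fixed)
{
    size_t cap = (size_t)num_vfs * vf_estimate_size(has_guid, fixed), off = 0;
    uint8_t *buf = calloc(cap + 1, 1);
    int err = 0;
    for (int vf = 0; vf < num_vfs && !err; vf++) {
        for (size_t i = 0; i < 3 && !err; i++) err = put_attr(buf, cap, &off, &base_attrs[i]);
        for (size_t i = 0; has_guid && i < 2 && !err; i++) err = put_attr(buf, cap, &off, &guid_attrs[i]);
    }
    free(buf);
    return err;
}
```

The pre-fix estimate (fixed = 0) is 40 bytes per VF short, two padded 20-byte GUID attributes, so fill_vfinfo(64, 1, 0) returns -EMSGSIZE while fill_vfinfo(64, 1, 1) returns 0.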