CVE-2025-38165

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-38165

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38165.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2025-38165

Downstream

UBUNTU-CVE-2025-38165

Published

2025-07-03T09:15:31Z

Modified

2025-07-10T17:12:13.978739Z

Summary

[none]

Details

In the Linux kernel, the following vulnerability has been resolved:

bpf, sockmap: Fix panic when calling skb_linearize

The panic can be reproduced by executing the command: ./bench sockmap -c 2 -p 1 -a --rx-verdict-ingress --rx-strp 100000

Then a kernel panic was captured: ''' [ 657.460555] kernel BUG at net/core/skbuff.c:2178! [ 657.462680] Tainted: [W]=WARN [ 657.463287] Workqueue: events skpsockbacklog ... [ 657.469610] <TASK> [ 657.469738] ? die+0x36/0x90 [ 657.469916] ? dotrap+0x1d0/0x270 [ 657.470118] ? pskbexpandhead+0x612/0xf40 [ 657.470376] ? pskbexpandhead+0x612/0xf40 [ 657.470620] ? doerrortrap+0xa3/0x170 [ 657.470846] ? pskbexpandhead+0x612/0xf40 [ 657.471092] ? handleinvalidop+0x2c/0x40 [ 657.471335] ? pskbexpandhead+0x612/0xf40 [ 657.471579] ? excinvalidop+0x2d/0x40 [ 657.471805] ? asmexcinvalidop+0x1a/0x20 [ 657.472052] ? pskbexpandhead+0xd1/0xf40 [ 657.472292] ? pskbexpandhead+0x612/0xf40 [ 657.472540] ? lockacquire+0x18f/0x4e0 [ 657.472766] ? findheldlock+0x2d/0x110 [ 657.472999] ? pfxpskbexpandhead+0x10/0x10 [ 657.473263] ? _kmalloccachenoprof+0x5b/0x470 [ 657.473537] ? _pfxlockrelease.isra.0+0x10/0x10 [ 657.473826] _pskbpulltail+0xfd/0x1d20 [ 657.474062] ? _kasanslaballoc+0x4e/0x90 [ 657.474707] skpsockskbingressenqueue+0x3bf/0x510 [ 657.475392] ? _kasankmalloc+0xaa/0xb0 [ 657.476010] skpsockbacklog+0x5cf/0xd70 [ 657.476637] processonework+0x858/0x1a20 '''

The panic originates from the assertion BUGON(skbshared(skb)) in skblinearize(). A previous commit(see Fixes tag) introduced skbget() to avoid race conditions between skb operations in the backlog and skb release in the recvmsg path. However, this caused the panic to always occur when skb_linearize is executed.

The "--rx-strp 100000" parameter forces the RX path to use the strparser module which aggregates data until it reaches 100KB before calling sockmap logic. The 100KB payload exceeds MAXMSGFRAGS, triggering skb_linearize.

To fix this issue, just move skbget into skpsockskbingress_enqueue.

''' skpsockbacklog: skpsockhandleskb skbget(skb) <== we move it into 'skpsockskbingressenqueue' skpsockskbingress ↓ | | → skpsockskbingressself | skpsockskbingressenqueue skpsockverdictapply_↑ skb_linearize '''

Note that for verdictapply path, the skbget operation is unnecessary so we add 'take_ref' param to control it's behavior.

References

Affected packages

Debian:12 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

6.*

6.1.27-1

6.1.37-1

6.1.38-1

6.1.38-2~bpo11+1

6.1.38-2

6.1.38-3

6.1.38-4~bpo11+1

6.1.38-4

6.1.52-1

6.1.55-1~bpo11+1

6.1.55-1

6.1.64-1

6.1.66-1

6.1.67-1

6.1.69-1~bpo11+1

6.1.69-1

6.1.76-1~bpo11+1

6.1.76-1

6.1.82-1

6.1.85-1

6.1.90-1~bpo11+1

6.1.90-1

6.1.94-1~bpo11+1

6.1.94-1

6.1.98-1

6.1.99-1

6.1.106-1

6.1.106-2

6.1.106-3

6.1.112-1

6.1.115-1

6.1.119-1

6.1.123-1

6.1.124-1

6.1.128-1

6.1.129-1

6.1.133-1

6.1.135-1

6.1.137-1

6.1.139-1

6.1.140-1

6.3.1-1~exp1

6.3.2-1~exp1

6.3.4-1~exp1

6.3.5-1~exp1

6.3.7-1~bpo12+1

6.3.7-1

6.3.11-1

6.4~rc6-1~exp1

6.4~rc7-1~exp1

6.4.1-1~exp1

6.4.4-1~bpo12+1

6.4.4-1

6.4.4-2

6.4.4-3~bpo12+1

6.4.4-3

6.4.11-1

6.4.13-1

6.5~rc4-1~exp1

6.5~rc6-1~exp1

6.5~rc7-1~exp1

6.5.1-1~exp1

6.5.3-1~bpo12+1

6.5.3-1

6.5.6-1

6.5.8-1

6.5.10-1~bpo12+1

6.5.10-1

6.5.13-1

6.6.3-1~exp1

6.6.4-1~exp1

6.6.7-1~exp1

6.6.8-1

6.6.9-1

6.6.11-1

6.6.13-1~bpo12+1

6.6.13-1

6.6.15-1

6.6.15-2

6.7-1~exp1

6.7.1-1~exp1

6.7.4-1~exp1

6.7.7-1

6.7.9-1

6.7.9-2

6.7.12-1~bpo12+1

6.7.12-1

6.8.9-1

6.8.11-1

6.8.12-1~bpo12+1

6.8.12-1

6.9.2-1~exp1

6.9.7-1~bpo12+1

6.9.7-1

6.9.8-1

6.9.9-1

6.9.10-1~bpo12+1

6.9.10-1

6.9.11-1

6.9.12-1

6.10-1~exp1

6.10.1-1~exp1

6.10.3-1

6.10.4-1

6.10.6-1~bpo12+1

6.10.6-1

6.10.7-1

6.10.9-1

6.10.11-1~bpo12+1

6.10.11-1

6.10.12-1

6.11~rc4-1~exp1

6.11~rc5-1~exp1

6.11-1~exp1

6.11.2-1

6.11.4-1

6.11.5-1~bpo12+1

6.11.5-1

6.11.6-1

6.11.7-1

6.11.9-1

6.11.10-1~bpo12+1

6.11.10-1

6.12~rc6-1~exp1

6.12.3-1

6.12.5-1

6.12.6-1

6.12.8-1

6.12.9-1~bpo12+1

6.12.9-1

6.12.9-1+alpha

6.12.10-1

6.12.11-1

6.12.11-1+alpha

6.12.11-1+alpha.1

6.12.12-1~bpo12+1

6.12.12-1

6.12.13-1

6.12.15-1

6.12.16-1

6.12.17-1

6.12.19-1

6.12.20-1

6.12.21-1

6.12.22-1~bpo12+1

6.12.22-1

6.12.25-1

6.12.27-1~bpo12+1

6.12.27-1

6.12.29-1

6.12.30-1~bpo12+1

6.12.30-1

6.12.31-1

6.12.32-1~bpo12+1

6.12.32-1

6.12.33-1

6.12.35-1

6.13~rc6-1~exp1

6.13~rc7-1~exp1

6.13.2-1~exp1

6.13.3-1~exp1

6.13.4-1~exp1

6.13.5-1~exp1

6.13.6-1~exp1

6.13.7-1~exp1

6.13.8-1~exp1

6.13.9-1~exp1

6.13.10-1~exp1

6.13.11-1~exp1

6.14.3-1~exp1

6.14.5-1~exp1

6.14.6-1~exp1

6.15~rc7-1~exp1

6.15-1~exp1

6.15.1-1~exp1

6.15.2-1~exp1

6.15.3-1~exp1

6.15.4-1~exp1

6.15.5-1~exp1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux