CVE-2025-38165

In the Linux kernel, the following vulnerability has been resolved:

bpf, sockmap: Fix panic when calling skb_linearize

The panic can be reproduced by executing the command: ./bench sockmap -c 2 -p 1 -a --rx-verdict-ingress --rx-strp 100000

Then a kernel panic was captured: ''' [ 657.460555] kernel BUG at net/core/skbuff.c:2178! [ 657.462680] Tainted: [W]=WARN [ 657.463287] Workqueue: events skpsockbacklog ... [ 657.469610] <TASK> [ 657.469738] ? die+0x36/0x90 [ 657.469916] ? dotrap+0x1d0/0x270 [ 657.470118] ? pskbexpandhead+0x612/0xf40 [ 657.470376] ? pskbexpandhead+0x612/0xf40 [ 657.470620] ? doerrortrap+0xa3/0x170 [ 657.470846] ? pskbexpandhead+0x612/0xf40 [ 657.471092] ? handleinvalidop+0x2c/0x40 [ 657.471335] ? pskbexpandhead+0x612/0xf40 [ 657.471579] ? excinvalidop+0x2d/0x40 [ 657.471805] ? asmexcinvalidop+0x1a/0x20 [ 657.472052] ? pskbexpandhead+0xd1/0xf40 [ 657.472292] ? pskbexpandhead+0x612/0xf40 [ 657.472540] ? lockacquire+0x18f/0x4e0 [ 657.472766] ? findheld_lock+0x2d/0x110 [ 657.472999] ? __pfxpskbexpand_head+0x10/0x10 [ 657.473263] ? __kmalloccachekmalloccachenoprof+0x5b/0x470 [ 657.473537] ? pfxock_release.isra.0+0x10/0x10 [ 657.473826] __pskbpulltail+0xfd/0x1d20 [ 657.474062] ? __kasanslaballoc+0x4e/0x90 [ 657.474707] skpsockskbingressenqueue+0x3bf/0x510 [ 657.475392] ? _kasankmalloc+0xaa/0xb0 [ 657.476010] skpsockbacklog+0x5cf/0xd70 [ 657.476637] processonework+0x858/0x1a20 '''

The panic originates from the assertion BUGON(skbshared(skb)) in skblinearize(). A previous commit(see Fixes tag) introduced skbget() to avoid race conditions between skb operations in the backlog and skb release in the recvmsg path. However, this caused the panic to always occur when skb_linearize is executed.

The "--rx-strp 100000" parameter forces the RX path to use the strparser module which aggregates data until it reaches 100KB before calling sockmap logic. The 100KB payload exceeds MAXMSGFRAGS, triggering skb_linearize.

To fix this issue, just move skbget into skpsockskbingress_enqueue.

''' skpsockbacklog: skpsockhandleskb skbget(skb) <== we move it into 'skpsockskbingressenqueue' skpsockskbingress___________ ↓ | | → skpsockskbingressself | skpsockskbingressenqueue skpsockverdictapply_______________↑ skblinearize '''

Note that for verdictapply path, the skbget operation is unnecessary so we add 'take_ref' param to control it's behavior.