CVE-2025-38640

In the Linux kernel, the following vulnerability has been resolved:

bpf: Disable migration in nfhookrun_bpf().

syzbot reported that the netfilter bpf prog can be called without migration disabled in xmit path.

Then the assertion in __bpfprogrun() fails, triggering the splat below. [0]

Let's use bpfprogrunpinoncpu() in nfhookrunbpf().

inatomic(): 0, irqsdisabled(): 0, migrationdisabled() 0 pid: 5829, name: sshd-session 3 locks held by sshd-session/5829: #0: ffff88807b4e4218 (sklock-AFINET){+.+.}-{0:0}, at: locksock include/net/sock.h:1667 [inline] #0: ffff88807b4e4218 (sklock-AFINET){+.+.}-{0:0}, at: tcpsendmsg+0x20/0x50 net/ipv4/tcp.c:1395 #1: ffffffff8e5c4e00 (rcureadlock){....}-{1:3}, at: rculockacquire include/linux/rcupdate.h:331 [inline] #1: ffffffff8e5c4e00 (rcureadlock){....}-{1:3}, at: rcureadlock include/linux/rcupdate.h:841 [inline] #1: ffffffff8e5c4e00 (rcuread_lock){....}-{1:3}, at: __ipqueuexmit+0x69/0x26c0 net/ipv4/ipoutput.c:470 #2: ffffffff8e5c4e00 (rcureadlock){....}-{1:3}, at: rculockacquire include/linux/rcupdate.h:331 [inline] #2: ffffffff8e5c4e00 (rcureadlock){....}-{1:3}, at: rcureadlock include/linux/rcupdate.h:841 [inline] #2: ffffffff8e5c4e00 (rcureadlock){....}-{1:3}, at: nfhook+0xb2/0x680 include/linux/netfilter.h:241 CPU: 0 UID: 0 PID: 5829 Comm: sshd-session Not tainted 6.16.0-rc6-syzkaller-00002-g155a3c003e55 #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 Call Trace: <TASK> __dumpstack lib/dumpstack.c:94 [inline] dump_stacklvl+0x16c/0x1f0 lib/dumpstack.c:120 __cant_migrate kernel/sched/core.c:8860 [inline] __cant_migrate+0x1c7/0x250 kernel/sched/core.c:8834 __bpfprogrun include/linux/filter.h:703 [inline] bpfprogrun include/linux/filter.h:725 [inline] nfhookrun_bpf+0x83/0x1e0 net/netfilter/nfbpflink.c:20 nfhookentryhookfn include/linux/netfilter.h:157 [inline] nfhookslow+0xbb/0x200 net/netfilter/core.c:623 nfhook+0x370/0x680 include/linux/netfilter.h:272 NFHOOKCOND include/linux/netfilter.h:305 [inline] ipoutput+0x1bc/0x2a0 net/ipv4/ipoutput.c:433 dstoutput include/net/dst.h:459 [inline] iplocalout net/ipv4/ipoutput.c:129 [inline] __ipqueuexmit+0x1d7d/0x26c0 net/ipv4/ip_output.c:527 __tcptransmitskb+0x2686/0x3e90 net/ipv4/tcp_output.c:1479 tcptransmitskb net/ipv4/tcpoutput.c:1497 [inline] tcpwritexmit+0x1274/0x84e0 net/ipv4/tcpoutput.c:2838 __tcppushpendingframes+0xaf/0x390 net/ipv4/tcpoutput.c:3021 tcppush+0x225/0x700 net/ipv4/tcp.c:759 tcpsendmsglocked+0x1870/0x42b0 net/ipv4/tcp.c:1359 tcpsendmsg+0x2e/0x50 net/ipv4/tcp.c:1396 inetsendmsg+0xb9/0x140 net/ipv4/afinet.c:851 socksendmsgnosec net/socket.c:712 [inline] __socksendmsg net/socket.c:727 [inline] sockwriteiter+0x4aa/0x5b0 net/socket.c:1131 newsyncwrite fs/readwrite.c:593 [inline] vfswrite+0x6c7/0x1150 fs/readwrite.c:686 ksyswrite+0x1f8/0x250 fs/readwrite.c:738 dosyscallx64 arch/x86/entry/syscall64.c:63 [inline] dosyscall64+0xcd/0x4c0 arch/x86/entry/syscall64.c:94 entrySYSCALL64afterhwframe+0x77/0x7f RIP: 0033:0x7fe7d365d407 Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff RSP: