CVE-2025-38392

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 25/07/2025
Last modified: 19/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

idpf: convert control queue mutex to a spinlock

With VIRTCHNL2_CAP_MACFILTER enabled, the following warning is generated
on module load:

[ 324.701677] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:578
[ 324.701684] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1582, name: NetworkManager
[ 324.701689] preempt_count: 201, expected: 0
[ 324.701693] RCU nest depth: 0, expected: 0
[ 324.701697] 2 locks held by NetworkManager/1582:
[ 324.701702] #0: ffffffff9f7be770 (rtnl_mutex){....}-{3:3}, at: rtnl_newlink+0x791/0x21e0
[ 324.701730] #1: ff1100216c380368 (_xmit_ETHER){....}-{2:2}, at: __dev_open+0x3f0/0x870
[ 324.701749] Preemption disabled at:
[ 324.701752] [] __dev_open+0x3dd/0x870
[ 324.701765] CPU: 30 UID: 0 PID: 1582 Comm: NetworkManager Not tainted 6.15.0-rc5+ #2 PREEMPT(voluntary)
[ 324.701771] Hardware name: Intel Corporation M50FCP2SBSTD/M50FCP2SBSTD, BIOS SE5C741.86B.01.01.0001.2211140926 11/14/2022
[ 324.701774] Call Trace:
[ 324.701777]
[ 324.701779] dump_stack_lvl+0x5d/0x80
[ 324.701788] ? __dev_open+0x3dd/0x870
[ 324.701793] __might_resched.cold+0x1ef/0x23d

[ 324.701818] __mutex_lock+0x113/0x1b80

[ 324.701917] idpf_ctlq_clean_sq+0xad/0x4b0 [idpf]
[ 324.701935] ? kasan_save_track+0x14/0x30
[ 324.701941] idpf_mb_clean+0x143/0x380 [idpf]

[ 324.701991] idpf_send_mb_msg+0x111/0x720 [idpf]
[ 324.702009] idpf_vc_xn_exec+0x4cc/0x990 [idpf]
[ 324.702021] ? rcu_is_watching+0x12/0xc0
[ 324.702035] idpf_add_del_mac_filters+0x3ed/0xb50 [idpf]

[ 324.702122] __hw_addr_sync_dev+0x1cf/0x300
[ 324.702126] ? find_held_lock+0x32/0x90
[ 324.702134] idpf_set_rx_mode+0x317/0x390 [idpf]
[ 324.702152] __dev_open+0x3f8/0x870
[ 324.702159] ? __pfx___dev_open+0x10/0x10
[ 324.702174] __dev_change_flags+0x443/0x650

[ 324.702208] netif_change_flags+0x80/0x160
[ 324.702218] do_setlink.isra.0+0x16a0/0x3960

[ 324.702349] rtnl_newlink+0x12fd/0x21e0

The sequence is as follows:
rtnl_newlink()->
__dev_change_flags()->
__dev_open()->
dev_set_rx_mode() - > # disables BH and grabs "dev->addr_list_lock"
idpf_set_rx_mode() -> # proceed only if VIRTCHNL2_CAP_MACFILTER is ON
__dev_uc_sync() ->
idpf_add_mac_filter ->
idpf_add_del_mac_filters ->
idpf_send_mb_msg() ->
idpf_mb_clean() ->
idpf_ctlq_clean_sq() # mutex_lock(cq_lock)

Fix by converting cq_lock to a spinlock. All operations under the new
lock are safe except freeing the DMA memory, which may use vunmap(). Fix
by requesting a contiguous physical memory for the DMA mapping.
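For triage, the splat above can be searched for in collected kernel logs. The following is an added example, not code from the kernel project or from this advisory: it groups log lines per "sleeping function called from invalid context" report and flags those whose reliable frames contain both __mutex_lock and idpf_ctlq_clean_sq. The warning is only printed by kernels built with CONFIG_DEBUG_ATOMIC_SLEEP; the function name and the second sample splat are constructed for illustration.

```python
import re

TS = re.compile(r"^\[\s*\d+\.\d+\]\s*")  # "[  324.701677] " log prefix
SPLAT = "BUG: sleeping function called from invalid context"
# Reliable frame "sym+0xoff/0xlen [module]"; "? sym+..." guesses do not match.
FRAME = re.compile(r"^([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(\w+)\])?")
TASK = re.compile(r"pid: \d+, name: (\S+)")

def find_idpf_splats(log_text):
    """Return atomic-sleep splats whose trace shows idpf taking the mutex."""
    splats, cur = [], None
    for raw in log_text.splitlines():
        line = TS.sub("", raw.strip())
        if SPLAT in line:
            cur = {"task": None, "frames": []}
            splats.append(cur)
        elif cur is not None:
            task, frame = TASK.search(line), FRAME.match(line)
            if task and cur["task"] is None:
                cur["task"] = task.group(1)
            if frame:
                cur["frames"].append(frame.groups())
    hits = []
    for s in splats:
        syms = [sym for sym, _ in s["frames"]]
        idpf = [sym for sym, mod in s["frames"] if mod == "idpf"]
        # Signature from this page: __mutex_lock and idpf_ctlq_clean_sq in one trace.
        if "__mutex_lock" in syms and "idpf_ctlq_clean_sq" in idpf:
            hits.append({"task": s["task"], "idpf_path": idpf})
    return hits

# First splat is abridged from the trace on this page; the second is
# constructed ("exampledrv" is a made-up module) as a negative case.
SAMPLE = """\
[ 324.701677] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:578
[ 324.701684] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1582, name: NetworkManager
[ 324.701818] __mutex_lock+0x113/0x1b80
[ 324.701917] idpf_ctlq_clean_sq+0xad/0x4b0 [idpf]
[ 324.701935] ? kasan_save_track+0x14/0x30
[ 324.701941] idpf_mb_clean+0x143/0x380 [idpf]
[ 900.000001] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:578
[ 900.000002] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 77, name: kworker/0:1
[ 900.000003] __mutex_lock+0x113/0x1b80
[ 900.000004] exampledrv_poll+0x10/0x40 [exampledrv]
"""

if __name__ == "__main__":
    for hit in find_idpf_splats(SAMPLE):
        print(hit["task"], "->", " <- ".join(hit["idpf_path"]))
```

A match means the host is running an unfixed idpf with VIRTCHNL2_CAP_MACFILTER negotiated; no match on a kernel without CONFIG_DEBUG_ATOMIC_SLEEP says nothing either way, so compare the kernel version against the affected ranges as well.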

Vulnerable products and versions

CPE                                                From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       6.7 (including)    6.12.37 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       6.13 (including)   6.15.6 (excluding)
cpe:2.3:o:linux:linux_kernel:6.16:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.16:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.16:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.16:rc4:*:*:*:*:*:*