National Cybersecurity Institute (Instituto Nacional de Ciberseguridad). INCIBE-CERT section

CVE-2025-40104

Severity:
Pending analysis
Type:
Not available / Other type
Publication date:
30/10/2025
Last modified:
30/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

ixgbevf: fix mailbox API compatibility by negotiating supported features

There was backward compatibility in the terms of mailbox API. Various drivers from various OSes supporting 10G adapters from Intel portfolio could easily negotiate mailbox API.

This convention has been broken since introducing API 1.4. Commit 0062e7cc955e ("ixgbevf: add VF IPsec offload code") added support for IPSec which is specific only for the kernel ixgbe driver. None of the rest of the Intel 10G PF/VF drivers supports it. And actually lack of support was not included in the IPSec implementation - there were no such code paths. No possibility to negotiate support for the feature was introduced along with introduction of the feature itself.

Commit 339f28964147 ("ixgbevf: Add support for new mailbox communication between PF and VF") increasing API version to 1.5 did the same - it introduced code supported specifically by the PF ESX driver. It altered API version for the VF driver at the same time not touching the version defined for the PF ixgbe driver. It led to additional discrepancies, as the code provided within API 1.6 cannot be supported for Linux ixgbe driver as it causes crashes.

The issue was noticed some time ago and mitigated by Jake within the commit d0725312adf5 ("ixgbevf: stop attempting IPSEC offload on Mailbox API 1.5"). As a result we have regression for IPsec support and after increasing API to version 1.6 ixgbevf driver stopped supporting ESX MBX.

To fix this mess add new mailbox op asking PF driver about supported features. Based on the response, determine whether to set support for IPSec and ESX-specific enhanced mailbox.

New mailbox op, for compatibility purposes, must be added within new API revision, as API version of OOT PF & VF drivers is already increased to 1.6 and doesn't incorporate features negotiate op.

Features negotiation mechanism gives possibility to be extended with new features when needed in the future.

Impact