CVE-2025-40350

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/mlx5e: RX, Fix generating skb from non-linear xdp_buff for striding RQ<br /> <br /> XDP programs can change the layout of an xdp_buff through<br /> bpf_xdp_adjust_tail() and bpf_xdp_adjust_head(). Therefore, the driver<br /> cannot assume the size of the linear data area nor fragments. Fix the<br /> bug in mlx5 by generating skb according to xdp_buff after XDP programs<br /> run.<br /> <br /> Currently, when handling multi-buf XDP, the mlx5 driver assumes the<br /> layout of an xdp_buff to be unchanged. That is, the linear data area<br /> continues to be empty and fragments remain the same. This may cause<br /> the driver to generate erroneous skb or triggering a kernel<br /> warning. When an XDP program added linear data through<br /> bpf_xdp_adjust_head(), the linear data will be ignored as<br /> mlx5e_build_linear_skb() builds an skb without linear data and then<br /> pull data from fragments to fill the linear data area. When an XDP<br /> program has shrunk the non-linear data through bpf_xdp_adjust_tail(),<br /> the delta passed to __pskb_pull_tail() may exceed the actual nonlinear<br /> data size and trigger the BUG_ON in it.<br /> <br /> To fix the issue, first record the original number of fragments. If the<br /> number of fragments changes after the XDP program runs, rewind the end<br /> fragment pointer by the difference and recalculate the truesize. Then,<br /> build the skb with the linear data area matching the xdp_buff. Finally,<br /> only pull data in if there is non-linear data and fill the linear part<br /> up to 256 bytes.