CVE-2025-38020
Severity CVSS v4.0: Pending analysis
Type: CWE-476 NULL Pointer Dereference
Publication date: 18/06/2025
Last modified: 17/12/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: Disable MACsec offload for uplink representor profile

MACsec offload is not supported in switchdev mode for uplink
representors. When switching to the uplink representor profile, the
MACsec offload feature must be cleared from the netdevice's features.

If left enabled, attempts to add offloads result in a null pointer
dereference, as the uplink representor does not support MACsec offload
even though the feature bit remains set.

Clear NETIF_F_HW_MACSEC in mlx5e_fix_uplink_rep_features().

Kernel log:

Oops: general protection fault, probably for non-canonical address 0xdffffc000000000f: 0000 [#1] SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000078-0x000000000000007f]
CPU: 29 UID: 0 PID: 4714 Comm: ip Not tainted 6.14.0-rc4_for_upstream_debug_2025_03_02_17_35 #1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
RIP: 0010:__mutex_lock+0x128/0x1dd0
Code: d0 7c 08 84 d2 0f 85 ad 15 00 00 8b 35 91 5c fe 03 85 f6 75 29 49 8d 7e 60 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 3c 02 00 0f 85 a6 15 00 00 4d 3b 76 60 0f 85 fd 0b 00 00 65 ff
RSP: 0018:ffff888147a4f160 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000001
RDX: 000000000000000f RSI: 0000000000000000 RDI: 0000000000000078
RBP: ffff888147a4f2e0 R08: ffffffffa05d2c19 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
R13: dffffc0000000000 R14: 0000000000000018 R15: ffff888152de0000
FS: 00007f855e27d800(0000) GS:ffff88881ee80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000004e5768 CR3: 000000013ae7c005 CR4: 0000000000372eb0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
Call Trace:

? die_addr+0x3d/0xa0
? exc_general_protection+0x144/0x220
? asm_exc_general_protection+0x22/0x30
? mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core]
? __mutex_lock+0x128/0x1dd0
? lockdep_set_lock_cmp_fn+0x190/0x190
? mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core]
? mutex_lock_io_nested+0x1ae0/0x1ae0
? lock_acquire+0x1c2/0x530
? macsec_upd_offload+0x145/0x380
? lockdep_hardirqs_on_prepare+0x400/0x400
? kasan_save_stack+0x30/0x40
? kasan_save_stack+0x20/0x40
? kasan_save_track+0x10/0x30
? __kasan_kmalloc+0x77/0x90
? __kmalloc_noprof+0x249/0x6b0
? genl_family_rcv_msg_attrs_parse.constprop.0+0xb5/0x240
? mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core]
mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core]
? mlx5e_macsec_add_rxsa+0x11a0/0x11a0 [mlx5_core]
macsec_update_offload+0x26c/0x820
? macsec_set_mac_address+0x4b0/0x4b0
? lockdep_hardirqs_on_prepare+0x284/0x400
? _raw_spin_unlock_irqrestore+0x47/0x50
macsec_upd_offload+0x2c8/0x380
? macsec_update_offload+0x820/0x820
? __nla_parse+0x22/0x30
? genl_family_rcv_msg_attrs_parse.constprop.0+0x15e/0x240
genl_family_rcv_msg_doit+0x1cc/0x2a0
? genl_family_rcv_msg_attrs_parse.constprop.0+0x240/0x240
? cap_capable+0xd4/0x330
genl_rcv_msg+0x3ea/0x670
? genl_family_rcv_msg_dumpit+0x2a0/0x2a0
? lockdep_set_lock_cmp_fn+0x190/0x190
? macsec_update_offload+0x820/0x820
netlink_rcv_skb+0x12b/0x390
? genl_family_rcv_msg_dumpit+0x2a0/0x2a0
? netlink_ack+0xd80/0xd80
? rwsem_down_read_slowpath+0xf90/0xf90
? netlink_deliver_tap+0xcd/0xac0
? netlink_deliver_tap+0x155/0xac0
? _copy_from_iter+0x1bb/0x12c0
genl_rcv+0x24/0x40
netlink_unicast+0x440/0x700
? netlink_attachskb+0x760/0x760
? lock_acquire+0x1c2/0x530
? __might_fault+0xbb/0x170
netlink_sendmsg+0x749/0xc10
? netlink_unicast+0x700/0x700
? __might_fault+0xbb/0x170
? netlink_unicast+0x700/0x700
__sock_sendmsg+0xc5/0x190
____sys_sendmsg+0x53f/0x760
? import_iovec+0x7/0x10
? kernel_sendmsg+0x30/0x30
? __copy_msghdr+0x3c0/0x3c0
? filter_irq_stacks+0x90/0x90
? stack_depot_save_flags+0x28/0xa30
___sys_sen
---truncated---
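The failure mode described above, as an added user-space model that is not the mlx5 driver's code or the upstream patch: a feature bit that stays set after the backing state is gone is the only gate in front of a NULL pointer, and clearing the bit at the profile switch turns the request into a clean refusal. All struct, function and return-code names are hypothetical, and the assumption that the representor profile leaves the MACsec state pointer NULL is inferred from the description.

```c
#include <stdint.h>
#include <stdio.h>

/* User-space model, not driver code. Only NETIF_F_HW_MACSEC and the
 * "fix uplink rep features" step come from the advisory; every struct,
 * function and return code below is hypothetical. */
#define NETIF_F_HW_MACSEC (1ULL << 0)      /* bit position arbitrary in this model */
enum { ADD_OK = 0, ADD_UNSUPPORTED = -1, ADD_NULL_DEREF = -2 };
struct macsec_ctx { int secy_count; };     /* stands in for per-device offload state */

struct model_netdev {
    uint64_t features;                     /* advertised feature bits */
    struct macsec_ctx *macsec;             /* assumed NULL under the uplink representor profile */
};

/* Offload request path: the feature bit is the only gate before driver state is used. */
static int model_add_secy(struct model_netdev *dev)
{
    if (!(dev->features & NETIF_F_HW_MACSEC))
        return ADD_UNSUPPORTED;            /* request refused cleanly */
    if (dev->macsec == NULL)
        return ADD_NULL_DEREF;             /* the kernel would fault here; the model only reports it */
    dev->macsec->secy_count++;
    return ADD_OK;
}

/* Profile switch: MACsec state goes away; the patched variant also clears the bit. */
static void switch_to_uplink_rep(struct model_netdev *dev, int patched)
{
    dev->macsec = NULL;
    if (patched)
        dev->features &= ~NETIF_F_HW_MACSEC;
}

/* Returns the outcome of an offload request; in_switchdev selects the profile. */
int simulate(int in_switchdev, int patched)
{
    struct macsec_ctx ctx = { 0 };
    struct model_netdev dev = { NETIF_F_HW_MACSEC, &ctx };
    if (in_switchdev)
        switch_to_uplink_rep(&dev, patched);
    return model_add_secy(&dev);
}

int main(void)
{
    printf("nic=%d unpatched=%d patched=%d\n", simulate(0, 0), simulate(1, 0), simulate(1, 1));
    return 0;
}
```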
Impact
Base Score 3.x: 5.50
Severity 3.x: MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.1 (including) | 6.1.140 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.92 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.30 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.14.8 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.15:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.15:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.15:rc3:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.15:rc4:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.15:rc5:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.15:rc6:*:*:*:*:*:* | | |
| cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/1a69d53922c1221351739f17837d38e317234e5d
- https://git.kernel.org/stable/c/1e577aeb51e9deba4f2c10edfcb07cb3cb406598
- https://git.kernel.org/stable/c/1f80e6ff026041721d8089da8c269b1963628325
- https://git.kernel.org/stable/c/588431474eb7572e57a927fa8558c9ba2f8af143
- https://git.kernel.org/stable/c/b48a47e137cedfd79655accaeeea6b296ad0b9e1
- https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html



