CVE-2025-38525

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 16/08/2025
Last modified: 18/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Fix irq-disabled in local_bh_enable()

The rxrpc_assess_MTU_size() function calls down into the IP layer to find
out the MTU size for a route. When accepting an incoming call, this is
called from rxrpc_new_incoming_call() which holds interrupts disabled
across the code that calls down to it. Unfortunately, the IP layer uses
local_bh_enable() which, config dependent, throws a warning if IRQs are
enabled:

    WARNING: CPU: 1 PID: 5544 at kernel/softirq.c:387 __local_bh_enable_ip+0x43/0xd0
    ...
    RIP: 0010:__local_bh_enable_ip+0x43/0xd0
    ...
    Call Trace:

    rt_cache_route+0x7e/0xa0
    rt_set_nexthop.isra.0+0x3b3/0x3f0
    __mkroute_output+0x43a/0x460
    ip_route_output_key_hash+0xf7/0x140
    ip_route_output_flow+0x1b/0x90
    rxrpc_assess_MTU_size.isra.0+0x2a0/0x590
    rxrpc_new_incoming_peer+0x46/0x120
    rxrpc_alloc_incoming_call+0x1b1/0x400
    rxrpc_new_incoming_call+0x1da/0x5e0
    rxrpc_input_packet+0x827/0x900
    rxrpc_io_thread+0x403/0xb60
    kthread+0x2f7/0x310
    ret_from_fork+0x2a/0x230
    ret_from_fork_asm+0x1a/0x30
    ...
    hardirqs last enabled at (23): _raw_spin_unlock_irq+0x24/0x50
    hardirqs last disabled at (24): _raw_read_lock_irq+0x17/0x70
    softirqs last enabled at (0): copy_process+0xc61/0x2730
    softirqs last disabled at (25): rt_add_uncached_list+0x3c/0x90

Fix this by moving the call to rxrpc_assess_MTU_size() out of
rxrpc_init_peer() and further up the stack where it can be done without
interrupts disabled.

It shouldn't be a problem for rxrpc_new_incoming_call() to do it after the
locks are dropped as pmtud is going to be performed by the I/O thread - and
we're in the I/O thread at this point.
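
Added example (not part of the advisory or of the kernel patch): a Python scanner that looks through kernel log text for the warning quoted above, requiring both the __local_bh_enable_ip warning site and the rxrpc frames from the call trace. The function names and the sample log, including its timestamps and the second, unrelated report, are constructed for illustration.

```python
import re

# Warning site and rxrpc frames taken from the call trace quoted above.
WARN_SITE = "__local_bh_enable_ip"
RXRPC_FRAMES = ("rxrpc_assess_MTU_size", "rxrpc_new_incoming_call")

_TS = re.compile(r"^\[\s*\d+\.\d+\]\s*")  # dmesg timestamp prefix
_WARN = re.compile(r"WARNING: CPU: (\d+) PID: (\d+) at \S+ (\S+)")
_FRAME = re.compile(r"^\??\s*([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")

def parse_warnings(log_text):
    """Split kernel log text into WARNING reports with their call-trace symbols."""
    blocks, cur = [], None
    for raw in log_text.splitlines():
        line = _TS.sub("", raw).strip()
        if m := _WARN.search(line):
            cur = {"cpu": int(m[1]), "pid": int(m[2]),
                   "site": m[3].split("+")[0], "frames": []}
            blocks.append(cur)
        elif "---[ end trace" in line:
            cur = None  # frames after this belong to some other report
        elif cur is not None and (f := _FRAME.match(line)):
            cur["frames"].append(f[1].split(".")[0])  # drop .isra.0 and similar
    return blocks

def find_rxrpc_bh_warnings(log_text):
    """Return reports raised at WARN_SITE whose trace contains every rxrpc frame."""
    return [b for b in parse_warnings(log_text)
            if b["site"] == WARN_SITE
            and all(fr in b["frames"] for fr in RXRPC_FRAMES)]

# Constructed sample: first report follows the trace above, second is unrelated.
SAMPLE_LOG = """\
[  101.000001] WARNING: CPU: 1 PID: 5544 at kernel/softirq.c:387 __local_bh_enable_ip+0x43/0xd0
[  101.000002] RIP: 0010:__local_bh_enable_ip+0x43/0xd0
[  101.000003] Call Trace:
[  101.000004]  rt_cache_route+0x7e/0xa0
[  101.000005]  ip_route_output_flow+0x1b/0x90
[  101.000006]  rxrpc_assess_MTU_size.isra.0+0x2a0/0x590
[  101.000007]  rxrpc_new_incoming_peer+0x46/0x120
[  101.000008]  rxrpc_new_incoming_call+0x1da/0x5e0
[  101.000009] ---[ end trace 0000000000000000 ]---
[  202.000001] WARNING: CPU: 0 PID: 77 at kernel/softirq.c:387 __local_bh_enable_ip+0x43/0xd0
[  202.000002] Call Trace:
[  202.000003]  example_driver_poll+0x10/0x20
[  202.000004] ---[ end trace 0000000000000000 ]---
"""
```

Matching on the call-trace frames as well as the warning site keeps other callers that trip the same check in kernel/softirq.c out of the results.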

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.14 (including) 6.15.8 (excluding)
cpe:2.3:o:linux:linux_kernel:6.16:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.16:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.16:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.16:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.16:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.16:rc6:*:*:*:*:*:*