CVE-2025-38590

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
19/08/2025
Last modified:
26/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: Remove skb secpath if xfrm state is not found

Hardware returns a unique identifier for a decrypted packet's xfrm state; this state is looked up in an xarray. However, the state might have been freed by the time of this lookup.

Currently, if the state is not found, only a counter is incremented. The secpath (sp) extension on the skb is not removed, resulting in sp->len becoming 0.

Subsequently, functions like __xfrm_policy_check() attempt to access fields such as xfrm_input_state(skb)->xso.type (which dereferences sp->xvec[sp->len - 1]) without first validating sp->len. This leads to a crash when dereferencing an invalid state pointer.

This patch prevents the crash by explicitly removing the secpath extension from the skb if the xfrm state is not found after hardware decryption. This ensures downstream functions do not operate on a zero-length secpath.

BUG: unable to handle page fault for address: ffffffff000002c8
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 282e067 P4D 282e067 PUD 0
Oops: Oops: 0000 [#1] SMP
CPU: 12 UID: 0 PID: 0 Comm: swapper/12 Not tainted 6.15.0-rc7_for_upstream_min_debug_2025_05_27_22_44 #1 NONE
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
RIP: 0010:__xfrm_policy_check+0x61a/0xa30
Code: b6 77 7f 83 e6 02 74 14 4d 8b af d8 00 00 00 41 0f b6 45 05 c1 e0 03 48 98 49 01 c5 41 8b 45 00 83 e8 01 48 98 49 8b 44 c5 10 b6 80 c8 02 00 00 83 e0 0c 3c 04 0f 84 0c 02 00 00 31 ff 80 fa
RSP: 0018:ffff88885fb04918 EFLAGS: 00010297
RAX: ffffffff00000000 RBX: 0000000000000002 RCX: 0000000000000000
RDX: 0000000000000002 RSI: 0000000000000002 RDI: 0000000000000000
RBP: ffffffff8311af80 R08: 0000000000000020 R09: 00000000c2eda353
R10: ffff88812be2bbc8 R11: 000000001faab533 R12: ffff88885fb049c8
R13: ffff88812be2bbc8 R14: 0000000000000000 R15: ffff88811896ae00
FS: 0000000000000000(0000) GS:ffff8888dca82000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffff000002c8 CR3: 0000000243050002 CR4: 0000000000372eb0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:

? try_to_wake_up+0x108/0x4c0
? udp4_lib_lookup2+0xbe/0x150
? udp_lib_lport_inuse+0x100/0x100
? __udp4_lib_lookup+0x2b0/0x410
__xfrm_policy_check2.constprop.0+0x11e/0x130
udp_queue_rcv_one_skb+0x1d/0x530
udp_unicast_rcv_skb+0x76/0x90
__udp4_lib_rcv+0xa64/0xe90
ip_protocol_deliver_rcu+0x20/0x130
ip_local_deliver_finish+0x75/0xa0
ip_local_deliver+0xc1/0xd0
? ip_protocol_deliver_rcu+0x130/0x130
ip_sublist_rcv+0x1f9/0x240
? ip_rcv_finish_core+0x430/0x430
ip_list_rcv+0xfc/0x130
__netif_receive_skb_list_core+0x181/0x1e0
netif_receive_skb_list_internal+0x200/0x360
? mlx5e_build_rx_skb+0x1bc/0xda0 [mlx5_core]
gro_receive_skb+0xfd/0x210
mlx5e_handle_rx_cqe_mpwrq+0x141/0x280 [mlx5_core]
mlx5e_poll_rx_cq+0xcc/0x8e0 [mlx5_core]
? mlx5e_handle_rx_dim+0x91/0xd0 [mlx5_core]
mlx5e_napi_poll+0x114/0xab0 [mlx5_core]
__napi_poll+0x25/0x170
net_rx_action+0x32d/0x3a0
? mlx5_eq_comp_int+0x8d/0x280 [mlx5_core]
? notifier_call_chain+0x33/0xa0
handle_softirqs+0xda/0x250
irq_exit_rcu+0x6d/0xc0
common_interrupt+0x81/0xa0
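The failure mode described above (a zero-length secpath left on the skb after a failed xfrm state lookup) beside the patched behaviour, as an added C example that is not the kernel's code: the struct layouts, lookup_state(), rx_handle(), policy_check() and scenario() are simplified assumptions built only to show why removing the secpath on a lookup miss prevents the out-of-bounds xvec read.

```c
#include <stddef.h>
/* Constructed model of the structures named in the advisory, not kernel
 * code: names, layouts and lookup_state() are simplified assumptions. */
#define XFRM_MAX_DEPTH 6
struct xfrm_state { int xso_type; };
struct sec_path { int len; struct xfrm_state *xvec[XFRM_MAX_DEPTH]; };
/* sp == NULL means the skb carries no secpath extension at all. */
struct sk_buff { struct sec_path *sp; unsigned int rx_id; };

/* Stand-in for the xarray lookup keyed by the hardware's identifier: only
 * id 1 still has a live state; any other id models a state already freed. */
static struct xfrm_state live_state = { .xso_type = 1 };
static struct xfrm_state *lookup_state(unsigned int id) { return id == 1 ? &live_state : NULL; }
static int not_found_counter;

/* Receive path: fixed == 0 keeps the pre-patch behaviour (count the miss,
 * leave the empty secpath attached); fixed != 0 removes it as the patch does. */
static void rx_handle(struct sk_buff *skb, struct sec_path *sp, int fixed)
{
    struct xfrm_state *x = lookup_state(skb->rx_id);
    skb->sp = sp;
    sp->len = 0;
    if (!x) {
        not_found_counter++;
        if (fixed)
            skb->sp = NULL;  /* equivalent of dropping the secpath extension */
        return;
    }
    sp->xvec[sp->len++] = x;
}

/* Mirrors the downstream read of xfrm_input_state(skb)->xso.type; returns -1
 * instead of reading xvec[len - 1] when len is 0 (the access behind the oops). */
static int policy_check(const struct sk_buff *skb)
{
    if (!skb->sp)
        return 0;   /* no secpath: ordinary, non-IPsec packet path */
    if (skb->sp->len == 0)
        return -1;  /* would be sp->xvec[-1] in the kernel */
    return skb->sp->xvec[skb->sp->len - 1]->xso_type;
}

/* Runs one packet with the given hardware id through rx and the check. */
int scenario(int fixed, unsigned int rx_id)
{
    struct sec_path sp;
    struct sk_buff skb = { .sp = NULL, .rx_id = rx_id };
    rx_handle(&skb, &sp, fixed);
    return policy_check(&skb);
}
```

With a stale identifier, the pre-patch path hands the check an attached but empty secpath (result -1, the invalid dereference), while the patched path leaves no secpath at all (result 0) and a live state still resolves normally.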

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.9 (including) 6.6.102 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.12.42 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.15.10 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.16 (including) 6.16.1 (excluding)