CVE-2025-38640

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: Disable migration in nf_hook_run_bpf().<br /> <br /> syzbot reported that the netfilter bpf prog can be called without<br /> migration disabled in xmit path.<br /> <br /> Then the assertion in __bpf_prog_run() fails, triggering the splat<br /> below. [0]<br /> <br /> Let&amp;#39;s use bpf_prog_run_pin_on_cpu() in nf_hook_run_bpf().<br /> <br /> [0]:<br /> BUG: assuming non migratable context at ./include/linux/filter.h:703<br /> in_atomic(): 0, irqs_disabled(): 0, migration_disabled() 0 pid: 5829, name: sshd-session<br /> 3 locks held by sshd-session/5829:<br /> #0: ffff88807b4e4218 (sk_lock-AF_INET){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1667 [inline]<br /> #0: ffff88807b4e4218 (sk_lock-AF_INET){+.+.}-{0:0}, at: tcp_sendmsg+0x20/0x50 net/ipv4/tcp.c:1395<br /> #1: ffffffff8e5c4e00 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]<br /> #1: ffffffff8e5c4e00 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]<br /> #1: ffffffff8e5c4e00 (rcu_read_lock){....}-{1:3}, at: __ip_queue_xmit+0x69/0x26c0 net/ipv4/ip_output.c:470<br /> #2: ffffffff8e5c4e00 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]<br /> #2: ffffffff8e5c4e00 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]<br /> #2: ffffffff8e5c4e00 (rcu_read_lock){....}-{1:3}, at: nf_hook+0xb2/0x680 include/linux/netfilter.h:241<br /> CPU: 0 UID: 0 PID: 5829 Comm: sshd-session Not tainted 6.16.0-rc6-syzkaller-00002-g155a3c003e55 #0 PREEMPT(full)<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025<br /> Call Trace:<br /> <br /> __dump_stack lib/dump_stack.c:94 [inline]<br /> dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120<br /> __cant_migrate kernel/sched/core.c:8860 [inline]<br /> __cant_migrate+0x1c7/0x250 kernel/sched/core.c:8834<br /> __bpf_prog_run include/linux/filter.h:703 [inline]<br /> bpf_prog_run include/linux/filter.h:725 [inline]<br /> nf_hook_run_bpf+0x83/0x1e0 net/netfilter/nf_bpf_link.c:20<br /> nf_hook_entry_hookfn include/linux/netfilter.h:157 [inline]<br /> nf_hook_slow+0xbb/0x200 net/netfilter/core.c:623<br /> nf_hook+0x370/0x680 include/linux/netfilter.h:272<br /> NF_HOOK_COND include/linux/netfilter.h:305 [inline]<br /> ip_output+0x1bc/0x2a0 net/ipv4/ip_output.c:433<br /> dst_output include/net/dst.h:459 [inline]<br /> ip_local_out net/ipv4/ip_output.c:129 [inline]<br /> __ip_queue_xmit+0x1d7d/0x26c0 net/ipv4/ip_output.c:527<br /> __tcp_transmit_skb+0x2686/0x3e90 net/ipv4/tcp_output.c:1479<br /> tcp_transmit_skb net/ipv4/tcp_output.c:1497 [inline]<br /> tcp_write_xmit+0x1274/0x84e0 net/ipv4/tcp_output.c:2838<br /> __tcp_push_pending_frames+0xaf/0x390 net/ipv4/tcp_output.c:3021<br /> tcp_push+0x225/0x700 net/ipv4/tcp.c:759<br /> tcp_sendmsg_locked+0x1870/0x42b0 net/ipv4/tcp.c:1359<br /> tcp_sendmsg+0x2e/0x50 net/ipv4/tcp.c:1396<br /> inet_sendmsg+0xb9/0x140 net/ipv4/af_inet.c:851<br /> sock_sendmsg_nosec net/socket.c:712 [inline]<br /> __sock_sendmsg net/socket.c:727 [inline]<br /> sock_write_iter+0x4aa/0x5b0 net/socket.c:1131<br /> new_sync_write fs/read_write.c:593 [inline]<br /> vfs_write+0x6c7/0x1150 fs/read_write.c:686<br /> ksys_write+0x1f8/0x250 fs/read_write.c:738<br /> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]<br /> do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> RIP: 0033:0x7fe7d365d407<br /> Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff<br /> RSP: