fkie_cve-2025-21868
Vulnerability from fkie_nvd
Published
2025-03-27 14:15
Modified
2025-03-27 16:45
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved:

net: allow small head cache usage with large MAX_SKB_FRAGS values

Sabrina reported the following splat:

    WARNING: CPU: 0 PID: 1 at net/core/dev.c:6935 netif_napi_add_weight_locked+0x8f2/0xba0
    Modules linked in:
    CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.14.0-rc1-net-00092-g011b03359038 #996
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014
    RIP: 0010:netif_napi_add_weight_locked+0x8f2/0xba0
    Code: e8 c3 e6 6a fe 48 83 c4 28 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc c7 44 24 10 ff ff ff ff e9 8f fb ff ff e8 9e e6 6a fe <0f> 0b e9 d3 fe ff ff e8 92 e6 6a fe 48 8b 04 24 be ff ff ff ff 48
    RSP: 0000:ffffc9000001fc60 EFLAGS: 00010293
    RAX: 0000000000000000 RBX: ffff88806ce48128 RCX: 1ffff11001664b9e
    RDX: ffff888008f00040 RSI: ffffffff8317ca42 RDI: ffff88800b325cb6
    RBP: ffff88800b325c40 R08: 0000000000000001 R09: ffffed100167502c
    R10: ffff88800b3a8163 R11: 0000000000000000 R12: ffff88800ac1c168
    R13: ffff88800ac1c168 R14: ffff88800ac1c168 R15: 0000000000000007
    FS:  0000000000000000(0000) GS:ffff88806ce00000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: ffff888008201000 CR3: 0000000004c94001 CR4: 0000000000370ef0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    Call Trace:
    <TASK>
    gro_cells_init+0x1ba/0x270
    xfrm_input_init+0x4b/0x2a0
    xfrm_init+0x38/0x50
    ip_rt_init+0x2d7/0x350
    ip_init+0xf/0x20
    inet_init+0x406/0x590
    do_one_initcall+0x9d/0x2e0
    do_initcalls+0x23b/0x280
    kernel_init_freeable+0x445/0x490
    kernel_init+0x20/0x1d0
    ret_from_fork+0x46/0x80
    ret_from_fork_asm+0x1a/0x30
    </TASK>
    irq event stamp: 584330
    hardirqs last  enabled at (584338): [<ffffffff8168bf87>] __up_console_sem+0x77/0xb0
    hardirqs last disabled at (584345): [<ffffffff8168bf6c>] __up_console_sem+0x5c/0xb0
    softirqs last  enabled at (583242): [<ffffffff833ee96d>] netlink_insert+0x14d/0x470
    softirqs last disabled at (583754): [<ffffffff8317c8cd>] netif_napi_add_weight_locked+0x77d/0xba0

on kernel built with MAX_SKB_FRAGS=45, where SKB_WITH_OVERHEAD(1024) is smaller than GRO_MAX_HEAD.

Such built additionally contains the revert of the single page frag cache so that napi_get_frags() ends up using the page frag allocator, triggering the splat.

Note that the underlying issue is independent from the mentioned revert; address it ensuring that the small head cache will fit either TCP and GRO allocation and updating napi_alloc_skb() and __netdev_alloc_skb() to select kmalloc() usage for any allocation fitting such cache.
Impacted products
Vendor Product Version



{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: allow small head cache usage with large MAX_SKB_FRAGS values\n\nSabrina reported the following splat:\n\n    WARNING: CPU: 0 PID: 1 at net/core/dev.c:6935 netif_napi_add_weight_locked+0x8f2/0xba0\n    Modules linked in:\n    CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.14.0-rc1-net-00092-g011b03359038 #996\n    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014\n    RIP: 0010:netif_napi_add_weight_locked+0x8f2/0xba0\n    Code: e8 c3 e6 6a fe 48 83 c4 28 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc c7 44 24 10 ff ff ff ff e9 8f fb ff ff e8 9e e6 6a fe \u003c0f\u003e 0b e9 d3 fe ff ff e8 92 e6 6a fe 48 8b 04 24 be ff ff ff ff 48\n    RSP: 0000:ffffc9000001fc60 EFLAGS: 00010293\n    RAX: 0000000000000000 RBX: ffff88806ce48128 RCX: 1ffff11001664b9e\n    RDX: ffff888008f00040 RSI: ffffffff8317ca42 RDI: ffff88800b325cb6\n    RBP: ffff88800b325c40 R08: 0000000000000001 R09: ffffed100167502c\n    R10: ffff88800b3a8163 R11: 0000000000000000 R12: ffff88800ac1c168\n    R13: ffff88800ac1c168 R14: ffff88800ac1c168 R15: 0000000000000007\n    FS:  0000000000000000(0000) GS:ffff88806ce00000(0000) knlGS:0000000000000000\n    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n    CR2: ffff888008201000 CR3: 0000000004c94001 CR4: 0000000000370ef0\n    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n    Call Trace:\n    \u003cTASK\u003e\n    gro_cells_init+0x1ba/0x270\n    xfrm_input_init+0x4b/0x2a0\n    xfrm_init+0x38/0x50\n    ip_rt_init+0x2d7/0x350\n    ip_init+0xf/0x20\n    inet_init+0x406/0x590\n    do_one_initcall+0x9d/0x2e0\n    do_initcalls+0x23b/0x280\n    kernel_init_freeable+0x445/0x490\n    kernel_init+0x20/0x1d0\n    ret_from_fork+0x46/0x80\n    ret_from_fork_asm+0x1a/0x30\n    \u003c/TASK\u003e\n    irq event stamp: 584330\n    hardirqs last  
enabled at (584338): [\u003cffffffff8168bf87\u003e] __up_console_sem+0x77/0xb0\n    hardirqs last disabled at (584345): [\u003cffffffff8168bf6c\u003e] __up_console_sem+0x5c/0xb0\n    softirqs last  enabled at (583242): [\u003cffffffff833ee96d\u003e] netlink_insert+0x14d/0x470\n    softirqs last disabled at (583754): [\u003cffffffff8317c8cd\u003e] netif_napi_add_weight_locked+0x77d/0xba0\n\non kernel built with MAX_SKB_FRAGS=45, where SKB_WITH_OVERHEAD(1024)\nis smaller than GRO_MAX_HEAD.\n\nSuch built additionally contains the revert of the single page frag cache\nso that napi_get_frags() ends up using the page frag allocator, triggering\nthe splat.\n\nNote that the underlying issue is independent from the mentioned\nrevert; address it ensuring that the small head cache will fit either TCP\nand GRO allocation and updating napi_alloc_skb() and __netdev_alloc_skb()\nto select kmalloc() usage for any allocation fitting such cache."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: permite el uso de cach\u00e9 de cabeza peque\u00f1a con valores MAX_SKB_FRAGS grandes Sabrina inform\u00f3 el siguiente splat: ADVERTENCIA: CPU: 0 PID: 1 en net/core/dev.c:6935 netif_napi_add_weight_locked+0x8f2/0xba0 M\u00f3dulos vinculados: CPU: 0 UID: 0 PID: 1 Comm: swapper/0 No contaminado 6.14.0-rc1-net-00092-g011b03359038 #996 Nombre del hardware: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014 RIP: 0010:netif_napi_add_weight_locked+0x8f2/0xba0 C\u00f3digo: e8 c3 e6 6a fe 48 83 c4 28 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc c7 44 24 10 ff ff ff ff e9 8f fb ff ff e8 9e e6 6a fe \u0026lt;0f\u0026gt; 0b e9 d3 fe ff ff e8 92 e6 6a fe 48 8b 04 24 be ff ff ff ff 48 RSP: 0000:ffffc9000001fc60 EFLAGS: 00010293 RAX: 0000000000000000 RBX: ffff88806ce48128 RCX: 1ffff11001664b9e RDX: ffff888008f00040 RSI: ffffffff8317ca42 RDI: ffff88800b325cb6 RBP: ffff88800b325c40 R08: 0000000000000001 R09: ffffed100167502c R10: ffff88800b3a8163 R11: 0000000000000000 R12: ffff88800ac1c168 R13: ffff88800ac1c168 R14: ffff88800ac1c168 R15: 0000000000000007 FS: 0000000000000000(0000) GS:ffff88806ce00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffff888008201000 CR3: 0000000004c94001 CR4: 0000000000370ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Rastreo de llamadas:  gro_cells_init+0x1ba/0x270 xfrm_input_init+0x4b/0x2a0 xfrm_init+0x38/0x50 ip_rt_init+0x2d7/0x350 ip_init+0xf/0x20 inet_init+0x406/0x590 do_one_initcall+0x9d/0x2e0 do_initcalls+0x23b/0x280 kernel_init_freeable+0x445/0x490 kernel_init+0x20/0x1d0 ret_from_fork+0x46/0x80 ret_from_fork_asm+0x1a/0x30  marca de evento de irq: 584330 hardirqs habilitados por \u00faltima vez en (584338): [] __up_console_sem+0x77/0xb0 hardirqs deshabilitados por \u00faltima vez en (584345): [] 
__up_console_sem+0x5c/0xb0 softirqs habilitados por \u00faltima vez en (583242): [] netlink_insert+0x14d/0x470 softirqs deshabilitados por \u00faltima vez en (583754): [] netif_napi_add_weight_locked+0x77d/0xba0 en el kernel creado con MAX_SKB_FRAGS=45, donde SKB_WITH_OVERHEAD(1024) es menor que GRO_MAX_HEAD. Esta compilaci\u00f3n tambi\u00e9n incluye la reversi\u00f3n de la cach\u00e9 de fragmentos de p\u00e1gina \u00fanica, de modo que napi_get_frags() termine usando el asignador de fragmentos de p\u00e1gina, lo que activa el splat. Tenga en cuenta que el problema subyacente es independiente de la reversi\u00f3n mencionada; ab\u00f3rdelo asegurando que la cach\u00e9 de encabezado peque\u00f1o se ajuste a la asignaci\u00f3n TCP y GRO, y actualizando napi_alloc_skb() y __netdev_alloc_skb() para seleccionar el uso de kmalloc() para cualquier asignaci\u00f3n que se ajuste a dicha cach\u00e9."
    }
  ],
  "id": "CVE-2025-21868",
  "lastModified": "2025-03-27T16:45:12.210",
  "metrics": {},
  "published": "2025-03-27T14:15:47.873",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/14ad6ed30a10afbe91b0749d6378285f4225d482"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/648e440c98e260dec835e48a5d7a9993477b1f9d"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/ed0ca7d2127c63991cfaf1932b827e3f4f8ee480"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}

