{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2025-21674","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-12-29T08:45:45.736Z","datePublished":"2025-01-31T11:25:36.661Z","dateUpdated":"2025-10-01T19:57:11.871Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T07:18:48.100Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix inversion dependency warning while enabling IPsec tunnel\n\nAttempt to enable IPsec packet offload in tunnel mode in debug kernel\ngenerates the following kernel panic, which is happening due to two\nissues:\n1. In SA add section, the should be _bh() variant when marking SA mode.\n2. There is not needed flush_workqueue in SA delete routine. It is not\nneeded as at this stage as it is removed from SADB and the running work\nwill be canceled later in SA free.\n\n =====================================================\n WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected\n 6.12.0+ #4 Not tainted\n -----------------------------------------------------\n charon/1337 [HC0[0]:SC0[4]:HE1:SE0] is trying to acquire:\n ffff88810f365020 (&xa->xa_lock#24){+.+.}-{3:3}, at: mlx5e_xfrm_del_state+0xca/0x1e0 [mlx5_core]\n\n and this task is already holding:\n ffff88813e0f0d48 (&x->lock){+.-.}-{3:3}, at: xfrm_state_delete+0x16/0x30\n which would create a new lock dependency:\n  (&x->lock){+.-.}-{3:3} -> (&xa->xa_lock#24){+.+.}-{3:3}\n\n but this new dependency connects a SOFTIRQ-irq-safe lock:\n  (&x->lock){+.-.}-{3:3}\n\n ... which became SOFTIRQ-irq-safe at:\n   lock_acquire+0x1be/0x520\n   _raw_spin_lock_bh+0x34/0x40\n   xfrm_timer_handler+0x91/0xd70\n   __hrtimer_run_queues+0x1dd/0xa60\n   hrtimer_run_softirq+0x146/0x2e0\n   handle_softirqs+0x266/0x860\n   irq_exit_rcu+0x115/0x1a0\n   sysvec_apic_timer_interrupt+0x6e/0x90\n   asm_sysvec_apic_timer_interrupt+0x16/0x20\n   default_idle+0x13/0x20\n   default_idle_call+0x67/0xa0\n   do_idle+0x2da/0x320\n   cpu_startup_entry+0x50/0x60\n   start_secondary+0x213/0x2a0\n   common_startup_64+0x129/0x138\n\n to a SOFTIRQ-irq-unsafe lock:\n  (&xa->xa_lock#24){+.+.}-{3:3}\n\n ... which became SOFTIRQ-irq-unsafe at:\n ...\n   lock_acquire+0x1be/0x520\n   _raw_spin_lock+0x2c/0x40\n   xa_set_mark+0x70/0x110\n   mlx5e_xfrm_add_state+0xe48/0x2290 [mlx5_core]\n   xfrm_dev_state_add+0x3bb/0xd70\n   xfrm_add_sa+0x2451/0x4a90\n   xfrm_user_rcv_msg+0x493/0x880\n   netlink_rcv_skb+0x12e/0x380\n   xfrm_netlink_rcv+0x6d/0x90\n   netlink_unicast+0x42f/0x740\n   netlink_sendmsg+0x745/0xbe0\n   __sock_sendmsg+0xc5/0x190\n   __sys_sendto+0x1fe/0x2c0\n   __x64_sys_sendto+0xdc/0x1b0\n   do_syscall_64+0x6d/0x140\n   entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\n other info that might help us debug this:\n\n  Possible interrupt unsafe locking scenario:\n\n        CPU0                    CPU1\n        ----                    ----\n   lock(&xa->xa_lock#24);\n                                local_irq_disable();\n                                lock(&x->lock);\n                                lock(&xa->xa_lock#24);\n   <Interrupt>\n     lock(&x->lock);\n\n  *** DEADLOCK ***\n\n 2 locks held by charon/1337:\n  #0: ffffffff87f8f858 (&net->xfrm.xfrm_cfg_mutex){+.+.}-{4:4}, at: xfrm_netlink_rcv+0x5e/0x90\n  #1: ffff88813e0f0d48 (&x->lock){+.-.}-{3:3}, at: xfrm_state_delete+0x16/0x30\n\n the dependencies between SOFTIRQ-irq-safe lock and the holding lock:\n -> (&x->lock){+.-.}-{3:3} ops: 29 {\n    HARDIRQ-ON-W at:\n                     lock_acquire+0x1be/0x520\n                     _raw_spin_lock_bh+0x34/0x40\n                     xfrm_alloc_spi+0xc0/0xe60\n                     xfrm_alloc_userspi+0x5f6/0xbc0\n                     xfrm_user_rcv_msg+0x493/0x880\n                     netlink_rcv_skb+0x12e/0x380\n                     xfrm_netlink_rcv+0x6d/0x90\n                     netlink_unicast+0x42f/0x740\n                     netlink_sendmsg+0x745/0xbe0\n                     __sock_sendmsg+0xc5/0x190\n                     __sys_sendto+0x1fe/0x2c0\n                     __x64_sys_sendto+0xdc/0x1b0\n                     do_syscall_64+0x6d/0x140\n                     entry_SYSCALL_64_after_hwframe+0x4b/0x53\n    IN-SOFTIRQ-W at:\n                     lock_acquire+0x1be/0x520\n                     _raw_spin_lock_bh+0x34/0x40\n                     xfrm_timer_handler+0x91/0xd70\n                     __hrtimer_run_queues+0x1dd/0xa60\n   \n---truncated---"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c"],"versions":[{"version":"4c24272b4e2befca6ad1409c3c9aaa16c24b1099","lessThan":"87c4417a902151cfe4363166245a3671a08c256c","status":"affected","versionType":"git"},{"version":"4c24272b4e2befca6ad1409c3c9aaa16c24b1099","lessThan":"6d3d69c070d920fbb146d73dd3899a50f25d0901","status":"affected","versionType":"git"},{"version":"4c24272b4e2befca6ad1409c3c9aaa16c24b1099","lessThan":"2c3688090f8a1f085230aa839cc63e4a7b977df0","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c"],"versions":[{"version":"6.4","status":"affected"},{"version":"0","lessThan":"6.4","status":"unaffected","versionType":"semver"},{"version":"6.6.74","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.11","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.13","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.4","versionEndExcluding":"6.6.74"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.4","versionEndExcluding":"6.12.11"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.4","versionEndExcluding":"6.13"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/87c4417a902151cfe4363166245a3671a08c256c"},{"url":"https://git.kernel.org/stable/c/6d3d69c070d920fbb146d73dd3899a50f25d0901"},{"url":"https://git.kernel.org/stable/c/2c3688090f8a1f085230aa839cc63e4a7b977df0"}],"title":"net/mlx5e: Fix inversion dependency warning while enabling IPsec tunnel","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":5.5,"attackVector":"LOCAL","baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","integrityImpact":"NONE","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"LOW","confidentialityImpact":"NONE"}},{"other":{"type":"ssvc","content":{"id":"CVE-2025-21674","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2025-10-01T19:52:04.971447Z"}}}],"problemTypes":[{"descriptions":[{"lang":"en","type":"CWE","cweId":"CWE-667","description":"CWE-667 Improper Locking"}]}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-10-01T19:57:11.871Z"}}]}}