{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-38165","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T04:51:23.991Z","datePublished":"2025-07-03T08:36:05.738Z","dateUpdated":"2026-05-11T21:22:31.183Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:22:31.183Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Fix panic when calling skb_linearize\n\nThe panic can be reproduced by executing the command:\n./bench sockmap -c 2 -p 1 -a --rx-verdict-ingress --rx-strp 100000\n\nThen a kernel panic was captured:\n'''\n[  657.460555] kernel BUG at net/core/skbuff.c:2178!\n[  657.462680] Tainted: [W]=WARN\n[  657.463287] Workqueue: events sk_psock_backlog\n...\n[  657.469610]  <TASK>\n[  657.469738]  ? die+0x36/0x90\n[  657.469916]  ? do_trap+0x1d0/0x270\n[  657.470118]  ? pskb_expand_head+0x612/0xf40\n[  657.470376]  ? pskb_expand_head+0x612/0xf40\n[  657.470620]  ? do_error_trap+0xa3/0x170\n[  657.470846]  ? pskb_expand_head+0x612/0xf40\n[  657.471092]  ? handle_invalid_op+0x2c/0x40\n[  657.471335]  ? pskb_expand_head+0x612/0xf40\n[  657.471579]  ? exc_invalid_op+0x2d/0x40\n[  657.471805]  ? asm_exc_invalid_op+0x1a/0x20\n[  657.472052]  ? pskb_expand_head+0xd1/0xf40\n[  657.472292]  ? pskb_expand_head+0x612/0xf40\n[  657.472540]  ? lock_acquire+0x18f/0x4e0\n[  657.472766]  ? find_held_lock+0x2d/0x110\n[  657.472999]  ? __pfx_pskb_expand_head+0x10/0x10\n[  657.473263]  ? __kmalloc_cache_noprof+0x5b/0x470\n[  657.473537]  ? __pfx___lock_release.isra.0+0x10/0x10\n[  657.473826]  __pskb_pull_tail+0xfd/0x1d20\n[  657.474062]  ? __kasan_slab_alloc+0x4e/0x90\n[  657.474707]  sk_psock_skb_ingress_enqueue+0x3bf/0x510\n[  657.475392]  ? 
__kasan_kmalloc+0xaa/0xb0\n[  657.476010]  sk_psock_backlog+0x5cf/0xd70\n[  657.476637]  process_one_work+0x858/0x1a20\n'''\n\nThe panic originates from the assertion BUG_ON(skb_shared(skb)) in\nskb_linearize(). A previous commit (see Fixes tag) introduced skb_get()\nto avoid race conditions between skb operations in the backlog and skb\nrelease in the recvmsg path. However, this caused the panic to always\noccur when skb_linearize is executed.\n\nThe \"--rx-strp 100000\" parameter forces the RX path to use the strparser\nmodule which aggregates data until it reaches 100KB before calling sockmap\nlogic. The 100KB payload exceeds MAX_MSG_FRAGS, triggering skb_linearize.\n\nTo fix this issue, just move skb_get into sk_psock_skb_ingress_enqueue.\n\n'''\nsk_psock_backlog:\n    sk_psock_handle_skb\n       skb_get(skb) <== we move it into 'sk_psock_skb_ingress_enqueue'\n       sk_psock_skb_ingress____________\n                                       ↓\n                                       |\n                                       | → sk_psock_skb_ingress_self\n                                       |      sk_psock_skb_ingress_enqueue\nsk_psock_verdict_apply_________________↑          skb_linearize\n'''\n\nNote that for verdict_apply path, the skb_get operation is unnecessary so\nwe add 'take_ref' param to control its 
behavior."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/core/skmsg.c"],"versions":[{"version":"65ad600b9bde68d2d28709943ab00b51ca8f0a1d","lessThan":"4dba44333a11522df54b49aa1f2edfaf6ce35fc7","status":"affected","versionType":"git"},{"version":"923877254f002ae87d441382bb1096d9e773d56d","lessThan":"9718ba6490732dbe70190d42c21deb1440834402","status":"affected","versionType":"git"},{"version":"a454d84ee20baf7bd7be90721b9821f73c7d23d9","lessThan":"db1d15a26f21f97459508c42ae87cabe8d3afc3b","status":"affected","versionType":"git"},{"version":"a454d84ee20baf7bd7be90721b9821f73c7d23d9","lessThan":"3d25fa2d7f127348c818e1dab9e58534f7ac56cc","status":"affected","versionType":"git"},{"version":"a454d84ee20baf7bd7be90721b9821f73c7d23d9","lessThan":"e9c1299d813fc04668042690f2c3cc76d013959a","status":"affected","versionType":"git"},{"version":"a454d84ee20baf7bd7be90721b9821f73c7d23d9","lessThan":"5ca2e29f6834c64c0e5a9ccf1278c21fb49b827e","status":"affected","versionType":"git"},{"version":"e6b5e47adb9166e732cdf7e6e034946e3f89f36d","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/core/skmsg.c"],"versions":[{"version":"6.6","status":"affected"},{"version":"0","lessThan":"6.6","status":"unaffected","versionType":"semver"},{"version":"5.15.190","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.142","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.94","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.34","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.15.3","lessThanOrEqual":"6.15.*","status":"unaffected","versionType":"semver"},{"version":"6.16","lessThanOr
Equal":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.189","versionEndExcluding":"5.15.190"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1.54","versionEndExcluding":"6.1.142"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6","versionEndExcluding":"6.6.94"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6","versionEndExcluding":"6.12.34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6","versionEndExcluding":"6.15.3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6","versionEndExcluding":"6.16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.5.4"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/4dba44333a11522df54b49aa1f2edfaf6ce35fc7"},{"url":"https://git.kernel.org/stable/c/9718ba6490732dbe70190d42c21deb1440834402"},{"url":"https://git.kernel.org/stable/c/db1d15a26f21f97459508c42ae87cabe8d3afc3b"},{"url":"https://git.kernel.org/stable/c/3d25fa2d7f127348c818e1dab9e58534f7ac56cc"},{"url":"https://git.kernel.org/stable/c/e9c1299d813fc04668042690f2c3cc76d013959a"},{"url":"https://git.kernel.org/stable/c/5ca2e29f6834c64c0e5a9ccf1278c21fb49b827e"}],"title":"bpf, sockmap: Fix panic when calling skb_linearize","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"title":"CVE Program Container","references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T17:34:54.924Z"}}]}}