CVE-2025-21674

{"id": "CVE-2025-21674", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2025-01-31T12:15:28.560", "references": [{"url": "https://git.kernel.org/stable/c/2c3688090f8a1f085230aa839cc63e4a7b977df0", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/6d3d69c070d920fbb146d73dd3899a50f25d0901", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/87c4417a902151cfe4363166245a3671a08c256c", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-667"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix inversion dependency warning while enabling IPsec tunnel\n\nAttempt to enable IPsec packet offload in tunnel mode in debug kernel\ngenerates the following kernel panic, which is happening due to two\nissues:\n1. In SA add section, the should be _bh() variant when marking SA mode.\n2. There is not needed flush_workqueue in SA delete routine. It is not\nneeded as at this stage as it is removed from SADB and the running work\nwill be canceled later in SA free.\n\n =====================================================\n WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected\n 6.12.0+ #4 Not tainted\n -----------------------------------------------------\n charon/1337 [HC0[0]:SC0[4]:HE1:SE0] is trying to acquire:\n ffff88810f365020 (&xa->xa_lock#24){+.+.}-{3:3}, at: mlx5e_xfrm_del_state+0xca/0x1e0 [mlx5_core]\n\n and this task is already holding:\n ffff88813e0f0d48 (&x->lock){+.-.}-{3:3}, at: xfrm_state_delete+0x16/0x30\n which would create a new lock dependency:\n (&x->lock){+.-.}-{3:3} -> (&xa->xa_lock#24){+.+.}-{3:3}\n\n but this new dependency connects a SOFTIRQ-irq-safe lock:\n (&x->lock){+.-.}-{3:3}\n\n ... which became SOFTIRQ-irq-safe at:\n lock_acquire+0x1be/0x520\n _raw_spin_lock_bh+0x34/0x40\n xfrm_timer_handler+0x91/0xd70\n __hrtimer_run_queues+0x1dd/0xa60\n hrtimer_run_softirq+0x146/0x2e0\n handle_softirqs+0x266/0x860\n irq_exit_rcu+0x115/0x1a0\n sysvec_apic_timer_interrupt+0x6e/0x90\n asm_sysvec_apic_timer_interrupt+0x16/0x20\n default_idle+0x13/0x20\n default_idle_call+0x67/0xa0\n do_idle+0x2da/0x320\n cpu_startup_entry+0x50/0x60\n start_secondary+0x213/0x2a0\n common_startup_64+0x129/0x138\n\n to a SOFTIRQ-irq-unsafe lock:\n (&xa->xa_lock#24){+.+.}-{3:3}\n\n ... which became SOFTIRQ-irq-unsafe at:\n ...\n lock_acquire+0x1be/0x520\n _raw_spin_lock+0x2c/0x40\n xa_set_mark+0x70/0x110\n mlx5e_xfrm_add_state+0xe48/0x2290 [mlx5_core]\n xfrm_dev_state_add+0x3bb/0xd70\n xfrm_add_sa+0x2451/0x4a90\n xfrm_user_rcv_msg+0x493/0x880\n netlink_rcv_skb+0x12e/0x380\n xfrm_netlink_rcv+0x6d/0x90\n netlink_unicast+0x42f/0x740\n netlink_sendmsg+0x745/0xbe0\n __sock_sendmsg+0xc5/0x190\n __sys_sendto+0x1fe/0x2c0\n __x64_sys_sendto+0xdc/0x1b0\n do_syscall_64+0x6d/0x140\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\n other info that might help us debug this:\n\n Possible interrupt unsafe locking scenario:\n\n CPU0 CPU1\n ---- ----\n lock(&xa->xa_lock#24);\n local_irq_disable();\n lock(&x->lock);\n lock(&xa->xa_lock#24);\n <Interrupt>\n lock(&x->lock);\n\n *** DEADLOCK ***\n\n 2 locks held by charon/1337:\n #0: ffffffff87f8f858 (&net->xfrm.xfrm_cfg_mutex){+.+.}-{4:4}, at: xfrm_netlink_rcv+0x5e/0x90\n #1: ffff88813e0f0d48 (&x->lock){+.-.}-{3:3}, at: xfrm_state_delete+0x16/0x30\n\n the dependencies between SOFTIRQ-irq-safe lock and the holding lock:\n -> (&x->lock){+.-.}-{3:3} ops: 29 {\n HARDIRQ-ON-W at:\n lock_acquire+0x1be/0x520\n _raw_spin_lock_bh+0x34/0x40\n xfrm_alloc_spi+0xc0/0xe60\n xfrm_alloc_userspi+0x5f6/0xbc0\n xfrm_user_rcv_msg+0x493/0x880\n netlink_rcv_skb+0x12e/0x380\n xfrm_netlink_rcv+0x6d/0x90\n netlink_unicast+0x42f/0x740\n netlink_sendmsg+0x745/0xbe0\n __sock_sendmsg+0xc5/0x190\n __sys_sendto+0x1fe/0x2c0\n __x64_sys_sendto+0xdc/0x1b0\n do_syscall_64+0x6d/0x140\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n IN-SOFTIRQ-W at:\n lock_acquire+0x1be/0x520\n _raw_spin_lock_bh+0x34/0x40\n xfrm_timer_handler+0x91/0xd70\n __hrtimer_run_queues+0x1dd/0xa60\n \n---truncated---"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net/mlx5e: Se corrige la advertencia de dependencia de inversi\u00f3n al habilitar el t\u00fanel IPsec El intento de habilitar la descarga de paquetes IPsec en modo t\u00fanel en el kernel de depuraci\u00f3n genera el siguiente p\u00e1nico del kernel, que ocurre debido a dos problemas: 1. En la secci\u00f3n de adici\u00f3n de SA, deber\u00eda ser la variante _bh() al marcar el modo SA. 2. No se necesita flush_workqueue en la rutina de eliminaci\u00f3n de SA. No es necesario en esta etapa, ya que se elimina de SADB y el trabajo en ejecuci\u00f3n se cancelar\u00e1 m\u00e1s tarde en la liberaci\u00f3n de SA. ======================================================== ADVERTENCIA: Se detect\u00f3 orden de bloqueo SOFTIRQ-safe -&gt; SOFTIRQ-unsafe 6.12.0+ #4 No contaminado -----------------------------------------------------charon/1337 [HC0[0]:SC0[4]:HE1:SE0] is trying to acquire: ffff88810f365020 (&amp;xa-&gt;xa_lock#24){+.+.}-{3:3}, at: mlx5e_xfrm_del_state+0xca/0x1e0 [mlx5_core] and this task is already holding: ffff88813e0f0d48 (&amp;x-&gt;lock){+.-.}-{3:3}, at: xfrm_state_delete+0x16/0x30 which would create a new lock dependency: (&amp;x-&gt;lock){+.-.}-{3:3} -&gt; (&amp;xa-&gt;xa_lock#24){+.+.}-{3:3} but this new dependency connects a SOFTIRQ-irq-safe lock: (&amp;x-&gt;lock){+.-.}-{3:3} ... which became SOFTIRQ-irq-safe at: lock_acquire+0x1be/0x520 _raw_spin_lock_bh+0x34/0x40 xfrm_timer_handler+0x91/0xd70 __hrtimer_run_queues+0x1dd/0xa60 hrtimer_run_softirq+0x146/0x2e0 handle_softirqs+0x266/0x860 irq_exit_rcu+0x115/0x1a0 sysvec_apic_timer_interrupt+0x6e/0x90 asm_sysvec_apic_timer_interrupt+0x16/0x20 default_idle+0x13/0x20 default_idle_call+0x67/0xa0 do_idle+0x2da/0x320 cpu_startup_entry+0x50/0x60 start_secondary+0x213/0x2a0 common_startup_64+0x129/0x138 to a SOFTIRQ-irq-unsafe lock: (&amp;xa-&gt;xa_lock#24){+.+.}-{3:3} ... which became SOFTIRQ-irq-unsafe at: ... lock_acquire+0x1be/0x520 _raw_spin_lock+0x2c/0x40 xa_set_mark+0x70/0x110 mlx5e_xfrm_add_state+0xe48/0x2290 [mlx5_core] xfrm_dev_state_add+0x3bb/0xd70 xfrm_add_sa+0x2451/0x4a90 xfrm_user_rcv_msg+0x493/0x880 netlink_rcv_skb+0x12e/0x380 xfrm_netlink_rcv+0x6d/0x90 netlink_unicast+0x42f/0x740 netlink_sendmsg+0x745/0xbe0 __sock_sendmsg+0xc5/0x190 __sys_sendto+0x1fe/0x2c0 __x64_sys_sendto+0xdc/0x1b0 do_syscall_64+0x6d/0x140 entry_SYSCALL_64_after_hwframe+0x4b/0x53 other info that might help us debug this: Possible interrupt unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&amp;xa-&gt;xa_lock#24); local_irq_disable(); lock(&amp;x-&gt;lock); lock(&amp;xa-&gt;xa_lock#24); lock(&amp;x-&gt;lock); *** DEADLOCK *** 2 locks held by charon/1337: #0: ffffffff87f8f858 (&amp;net-&gt;xfrm.xfrm_cfg_mutex){+.+.}-{4:4}, at: xfrm_netlink_rcv+0x5e/0x90 #1: ffff88813e0f0d48 (&amp;x-&gt;lock){+.-.}-{3:3}, at: xfrm_state_delete+0x16/0x30 the dependencies between SOFTIRQ-irq-safe lock and the holding lock: -&gt; (&amp;x-&gt;lock){+.-.}-{3:3} ops: 29 { HARDIRQ-ON-W at: lock_acquire+0x1be/0x520 _raw_spin_lock_bh+0x34/0x40 xfrm_alloc_spi+0xc0/0xe60 xfrm_alloc_userspi+0x5f6/0xbc0 xfrm_user_rcv_msg+0x493/0x880 netlink_rcv_skb+0x12e/0x380 xfrm_netlink_rcv+0x6d/0x90 netlink_unicast+0x42f/0x740 netlink_sendmsg+0x745/0xbe0 __sock_sendmsg+0xc5/0x190 __sys_sendto+0x1fe/0x2c0 __x64_sys_sendto+0xdc/0x1b0 do_syscall_64+0x6d/0x140 entry_SYSCALL_64_after_hwframe+0x4b/0x53 IN-SOFTIRQ-W at: lock_acquire+0x1be/0x520 _raw_spin_lock_bh+0x34/0x40 xfrm_timer_handler+0x91/0xd70 __hrtimer_run_queues+0x1dd/0xa60 ---truncated--- "}], "lastModified": "2025-02-04T15:31:30.483", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6BE232AC-5A0F-4273-8CB5-7767FDE5879E", "versionEndExcluding": "6.6.74", "versionStartIncluding": "6.4"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B7D0DBC3-F63C-4396-8A47-6F3D4FA0556E", "versionEndExcluding": "6.12.11", "versionStartIncluding": "6.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "62567B3C-6CEE-46D0-BC2E-B3717FBF7D13"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5A073481-106D-4B15-B4C7-FB0213B8E1D4"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DE491969-75AE-4A6B-9A58-8FC5AF98798F"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "93C0660D-7FB8-4FBA-892A-B064BA71E49E"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "034C36A6-C481-41F3-AE9A-D116E5BE6895"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8AF9DC49-2085-4FFB-A7E3-73DFAFECC7F2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc7:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5DFCDFB8-4FD0-465A-9076-D813D78FE51B"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}