{"id":"CVE-2025-21852","summary":"net: Add rx_skb of kfree_skb to raw_tp_null_args[].","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: Add rx_skb of kfree_skb to raw_tp_null_args[].\n\nYan Zhai reported a BPF prog could trigger a null-ptr-deref [0]\nin trace_kfree_skb if the prog does not check if rx_sk is NULL.\n\nCommit c53795d48ee8 (\"net: add rx_sk to trace_kfree_skb\") added\nrx_sk to trace_kfree_skb, but rx_sk is optional and could be NULL.\n\nLet's add kfree_skb to raw_tp_null_args[] to let the BPF verifier\nvalidate such a prog and prevent the issue.\n\nNow we fail to load such a prog:\n\n  libbpf: prog 'drop': -- BEGIN PROG LOAD LOG --\n  0: R1=ctx() R10=fp0\n  ; int BPF_PROG(drop, struct sk_buff *skb, void *location, @ kfree_skb_sk_null.bpf.c:21\n  0: (79) r3 = *(u64 *)(r1 +24)\n  func 'kfree_skb' arg3 has btf_id 5253 type STRUCT 'sock'\n  1: R1=ctx() R3_w=trusted_ptr_or_null_sock(id=1)\n  ; bpf_printk(\"sk: %d, %d\\n\", sk, sk-\u003e__sk_common.skc_family); @ kfree_skb_sk_null.bpf.c:24\n  1: (69) r4 = *(u16 *)(r3 +16)\n  R3 invalid mem access 'trusted_ptr_or_null_'\n  processed 2 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0\n  -- END PROG LOAD LOG --\n\nNote this fix requires commit 838a10bd2ebf (\"bpf: Augment raw_tp\narguments with PTR_MAYBE_NULL\").\n\n[0]:\nBUG: kernel NULL pointer dereference, address: 0000000000000010\n PF: supervisor read access in kernel mode\n PF: error_code(0x0000) - not-present page\nPGD 0 P4D 0\nPREEMPT SMP\nRIP: 0010:bpf_prog_5e21a6db8fcff1aa_drop+0x10/0x2d\nCall Trace:\n \u003cTASK\u003e\n ? __die+0x1f/0x60\n ? page_fault_oops+0x148/0x420\n ? search_bpf_extables+0x5b/0x70\n ? fixup_exception+0x27/0x2c0\n ? exc_page_fault+0x75/0x170\n ? asm_exc_page_fault+0x22/0x30\n ? bpf_prog_5e21a6db8fcff1aa_drop+0x10/0x2d\n bpf_trace_run4+0x68/0xd0\n ? unix_stream_connect+0x1f4/0x6f0\n sk_skb_reason_drop+0x90/0x120\n unix_stream_connect+0x1f4/0x6f0\n __sys_connect+0x7f/0xb0\n __x64_sys_connect+0x14/0x20\n do_syscall_64+0x47/0xc30\n entry_SYSCALL_64_after_hwframe+0x4b/0x53","modified":"2026-04-02T12:45:15.185352Z","published":"2025-03-12T09:42:07.175Z","related":["SUSE-SU-2025:01614-1","SUSE-SU-2025:01707-1","SUSE-SU-2025:01919-1","SUSE-SU-2025:01951-1","SUSE-SU-2025:01964-1","SUSE-SU-2025:01967-1","SUSE-SU-2025:01972-1","SUSE-SU-2025:20343-1","SUSE-SU-2025:20344-1","SUSE-SU-2025:20354-1","SUSE-SU-2025:20355-1","USN-7521-2"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/21xxx/CVE-2025-21852.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/4dba79c1e7aad6620bbb707b6c4459380fd90860"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5da7e15fb5a12e78de974d8908f348e279922ce9"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f579afacd0a66971fc8481f30d2d377e230a8342"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/21xxx/CVE-2025-21852.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-21852"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"c53795d48ee8f385c6a9e394651e7ee914baaeba"},{"fixed":"f579afacd0a66971fc8481f30d2d377e230a8342"},{"fixed":"4dba79c1e7aad6620bbb707b6c4459380fd90860"},{"fixed":"5da7e15fb5a12e78de974d8908f348e279922ce9"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-21852.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}