{"id":"CVE-2025-38165","summary":"bpf, sockmap: Fix panic when calling skb_linearize","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Fix panic when calling skb_linearize\n\nThe panic can be reproduced by executing the command:\n./bench sockmap -c 2 -p 1 -a --rx-verdict-ingress --rx-strp 100000\n\nThen a kernel panic was captured:\n'''\n[  657.460555] kernel BUG at net/core/skbuff.c:2178!\n[  657.462680] Tainted: [W]=WARN\n[  657.463287] Workqueue: events sk_psock_backlog\n...\n[  657.469610]  \u003cTASK\u003e\n[  657.469738]  ? die+0x36/0x90\n[  657.469916]  ? do_trap+0x1d0/0x270\n[  657.470118]  ? pskb_expand_head+0x612/0xf40\n[  657.470376]  ? pskb_expand_head+0x612/0xf40\n[  657.470620]  ? do_error_trap+0xa3/0x170\n[  657.470846]  ? pskb_expand_head+0x612/0xf40\n[  657.471092]  ? handle_invalid_op+0x2c/0x40\n[  657.471335]  ? pskb_expand_head+0x612/0xf40\n[  657.471579]  ? exc_invalid_op+0x2d/0x40\n[  657.471805]  ? asm_exc_invalid_op+0x1a/0x20\n[  657.472052]  ? pskb_expand_head+0xd1/0xf40\n[  657.472292]  ? pskb_expand_head+0x612/0xf40\n[  657.472540]  ? lock_acquire+0x18f/0x4e0\n[  657.472766]  ? find_held_lock+0x2d/0x110\n[  657.472999]  ? __pfx_pskb_expand_head+0x10/0x10\n[  657.473263]  ? __kmalloc_cache_noprof+0x5b/0x470\n[  657.473537]  ? __pfx___lock_release.isra.0+0x10/0x10\n[  657.473826]  __pskb_pull_tail+0xfd/0x1d20\n[  657.474062]  ? __kasan_slab_alloc+0x4e/0x90\n[  657.474707]  sk_psock_skb_ingress_enqueue+0x3bf/0x510\n[  657.475392]  ? __kasan_kmalloc+0xaa/0xb0\n[  657.476010]  sk_psock_backlog+0x5cf/0xd70\n[  657.476637]  process_one_work+0x858/0x1a20\n'''\n\nThe panic originates from the assertion BUG_ON(skb_shared(skb)) in\nskb_linearize(). A previous commit(see Fixes tag) introduced skb_get()\nto avoid race conditions between skb operations in the backlog and skb\nrelease in the recvmsg path. However, this caused the panic to always\noccur when skb_linearize is executed.\n\nThe \"--rx-strp 100000\" parameter forces the RX path to use the strparser\nmodule which aggregates data until it reaches 100KB before calling sockmap\nlogic. The 100KB payload exceeds MAX_MSG_FRAGS, triggering skb_linearize.\n\nTo fix this issue, just move skb_get into sk_psock_skb_ingress_enqueue.\n\n'''\nsk_psock_backlog:\n    sk_psock_handle_skb\n       skb_get(skb) \u003c== we move it into 'sk_psock_skb_ingress_enqueue'\n       sk_psock_skb_ingress____________\n                                       ↓\n                                       |\n                                       | → sk_psock_skb_ingress_self\n                                       |      sk_psock_skb_ingress_enqueue\nsk_psock_verdict_apply_________________↑          skb_linearize\n'''\n\nNote that for verdict_apply path, the skb_get operation is unnecessary so\nwe add 'take_ref' param to control it's behavior.","modified":"2026-04-16T04:40:22.245670723Z","published":"2025-07-03T08:36:05.738Z","related":["SUSE-SU-2025:02853-1","SUSE-SU-2025:02923-1","SUSE-SU-2025:02969-1","SUSE-SU-2025:02996-1","SUSE-SU-2025:02997-1","SUSE-SU-2025:03011-1","SUSE-SU-2025:03023-1","SUSE-SU-2025:20577-1","SUSE-SU-2025:20586-1","SUSE-SU-2025:20601-1","SUSE-SU-2025:20602-1","SUSE-SU-2025:21074-1","SUSE-SU-2025:21139-1","SUSE-SU-2025:21179-1","openSUSE-SU-2025:20081-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38165.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/3d25fa2d7f127348c818e1dab9e58534f7ac56cc"},{"type":"WEB","url":"https://git.kernel.org/stable/c/4dba44333a11522df54b49aa1f2edfaf6ce35fc7"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5ca2e29f6834c64c0e5a9ccf1278c21fb49b827e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9718ba6490732dbe70190d42c21deb1440834402"},{"type":"WEB","url":"https://git.kernel.org/stable/c/db1d15a26f21f97459508c42ae87cabe8d3afc3b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e9c1299d813fc04668042690f2c3cc76d013959a"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38165.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38165"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"65ad600b9bde68d2d28709943ab00b51ca8f0a1d"},{"fixed":"4dba44333a11522df54b49aa1f2edfaf6ce35fc7"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"923877254f002ae87d441382bb1096d9e773d56d"},{"fixed":"9718ba6490732dbe70190d42c21deb1440834402"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"a454d84ee20baf7bd7be90721b9821f73c7d23d9"},{"fixed":"db1d15a26f21f97459508c42ae87cabe8d3afc3b"},{"fixed":"3d25fa2d7f127348c818e1dab9e58534f7ac56cc"},{"fixed":"e9c1299d813fc04668042690f2c3cc76d013959a"},{"fixed":"5ca2e29f6834c64c0e5a9ccf1278c21fb49b827e"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"e6b5e47adb9166e732cdf7e6e034946e3f89f36d"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-38165.json"}}],"schema_version":"1.7.5"}