In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: Fix race between DIM disable and net_dim()

There's a race between disabling DIM and NAPI callbacks using the dim pointer on the RQ or SQ.

If NAPI checks the DIM state bit and sees it still set, it assumes `rq->dim` or `sq->dim` is valid. But if DIM gets disabled right after that check, the pointer might already be set to NULL, leading to a NULL pointer dereference in net_dim().

Fix this by calling `synchronize_net()` before freeing the DIM context. This ensures all in-progress NAPI callbacks are finished before the pointer is cleared.

Kernel log:

```
BUG: kernel NULL pointer dereference, address: 0000000000000000
...
RIP: 0010:net_dim+0x23/0x190
...
Call Trace:
```
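The interleaving described above, replayed deterministically in a single thread (an added example, not code from the mlx5e driver or from the kernel patch). The `queue` struct and the functions `poll_check`, `poll_use`, `dim_disable` and `replay` are constructed names, and completing the in-flight poll inside `dim_disable` stands in for the guarantee `synchronize_net()` provides.

```c
/* Added illustration with constructed names; this is not mlx5e driver code. */
#include <stdbool.h>
#include <stdlib.h>

struct dim_ctx { int samples; };

struct queue {
    bool dim_enabled;      /* stands in for the DIM state bit */
    struct dim_ctx *dim;   /* stands in for rq->dim / sq->dim */
    bool poll_in_flight;   /* a poller passed the bit check and has not finished */
    int last_poll;         /* result of the most recent poll_use() */
};

/* Poll, step 1: test the state bit. */
static bool poll_check(struct queue *q)
{
    q->poll_in_flight = q->dim_enabled;
    return q->poll_in_flight;
}

/* Poll, step 2: use the pointer; -1 marks where the kernel would oops. */
static void poll_use(struct queue *q)
{
    q->last_poll = q->dim ? ++q->dim->samples : -1;
    q->poll_in_flight = false;
}

/* Disable path; wait_for_pollers finishes in-flight polls before the free. */
static void dim_disable(struct queue *q, bool wait_for_pollers)
{
    q->dim_enabled = false;
    if (wait_for_pollers && q->poll_in_flight)
        poll_use(q);       /* models waiting for the NAPI callback to end */
    free(q->dim);
    q->dim = NULL;
}

/* Replay: poller checks the bit, disable runs, poller resumes. */
static int replay(bool wait_for_pollers)
{
    struct queue q = { true, calloc(1, sizeof(struct dim_ctx)), false, 0 };
    if (!q.dim) return -2;                 /* allocation failed */
    poll_check(&q);                        /* bit is still set */
    dim_disable(&q, wait_for_pollers);     /* disable lands in the window */
    if (q.poll_in_flight) poll_use(&q);    /* poller resumes after the check */
    return poll_check(&q) ? -3 : q.last_poll;  /* later polls must see bit clear */
}

int main(void) { return (replay(false) == -1 && replay(true) == 1) ? 0 : 1; }
```

`replay(false)` reaches the NULL pointer after the state-bit check, while `replay(true)` lets the in-flight poll finish against a valid context before it is freed.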
No PoCs from references.
- https://github.com/w4zu/Debian_security