CVE-2025-68341

Summary

In the Linux kernel, the following vulnerability has been resolved:

veth: reduce XDP no_direct return section to fix race

As explain in commit fa349e396e48 ("veth: Fix race with AF_XDP exposing old or uninitialized descriptors") for veth there is a chance after napi_complete_done() that another CPU can manage start another NAPI instance running veth_pool(). For NAPI this is correctly handled as the napi_schedule_prep() check will prevent multiple instances from getting scheduled, but for the remaining code in veth_pool() this can run concurrent with the newly started NAPI instance.

The problem/race is that xdp_clear_return_frame_no_direct() isn't designed to be nested.

Prior to commit 401cb7dae813 ("net: Reference bpf_redirect_info via task_struct on PREEMPT_RT.") the temporary BPF net context bpf_redirect_info was stored per CPU, where this wasn't an issue. Since this commit the BPF context is stored in 'current' task_struct. When running veth in threaded-NAPI mode, then the kthread becomes the storage area. Now a race exists between two concurrent veth_pool() function calls one exiting NAPI and one running new NAPI, both using the same BPF net context.

Race is when another CPU gets within the xdp_set_return_frame_no_direct() section before exiting veth_pool() calls the clear-function xdp_clear_return_frame_no_direct().

Affected Software

VendorProductVersion RangeStatus
LinuxLinux401cb7dae8130fd34eb84648e02ab4c506df7d5e < c1ceabcb347d1b0f7e70a7384ec7eff3847b7628affected
LinuxLinux401cb7dae8130fd34eb84648e02ab4c506df7d5e < d0bd018ad72a8a598ae709588934135017f8af52affected
LinuxLinux401cb7dae8130fd34eb84648e02ab4c506df7d5e < a14602fcae17a3f1cb8a8521bedf31728f9e7e39affected
LinuxLinux6.11affected
LinuxLinux0 < 6.11unaffected
LinuxLinux6.12.61 <= 6.12.*unaffected
LinuxLinux6.17.11 <= 6.17.*unaffected
LinuxLinux6.18 <= *unaffected

Weaknesses

References