{"id":"AZL-56399","summary":"CVE-2025-21674 affecting package kernel for versions less than 6.6.76.1-1","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix inversion dependency warning while enabling IPsec tunnel\n\nAn attempt to enable IPsec packet offload in tunnel mode in a debug kernel\ngenerates the following kernel panic, which happens due to two\nissues:\n1. In the SA add section, there should be the _bh() variant when marking SA mode.\n2. There is an unneeded flush_workqueue in the SA delete routine. It is not\nneeded at this stage, as it is removed from SADB and the running work\nwill be canceled later in SA free.\n\n =====================================================\n WARNING: SOFTIRQ-safe -\u003e SOFTIRQ-unsafe lock order detected\n 6.12.0+ #4 Not tainted\n -----------------------------------------------------\n charon/1337 [HC0[0]:SC0[4]:HE1:SE0] is trying to acquire:\n ffff88810f365020 (&xa-\u003exa_lock#24){+.+.}-{3:3}, at: mlx5e_xfrm_del_state+0xca/0x1e0 [mlx5_core]\n\n and this task is already holding:\n ffff88813e0f0d48 (&x-\u003elock){+.-.}-{3:3}, at: xfrm_state_delete+0x16/0x30\n which would create a new lock dependency:\n  (&x-\u003elock){+.-.}-{3:3} -\u003e (&xa-\u003exa_lock#24){+.+.}-{3:3}\n\n but this new dependency connects a SOFTIRQ-irq-safe lock:\n  (&x-\u003elock){+.-.}-{3:3}\n\n ... which became SOFTIRQ-irq-safe at:\n   lock_acquire+0x1be/0x520\n   _raw_spin_lock_bh+0x34/0x40\n   xfrm_timer_handler+0x91/0xd70\n   __hrtimer_run_queues+0x1dd/0xa60\n   hrtimer_run_softirq+0x146/0x2e0\n   handle_softirqs+0x266/0x860\n   irq_exit_rcu+0x115/0x1a0\n   sysvec_apic_timer_interrupt+0x6e/0x90\n   asm_sysvec_apic_timer_interrupt+0x16/0x20\n   default_idle+0x13/0x20\n   default_idle_call+0x67/0xa0\n   do_idle+0x2da/0x320\n   cpu_startup_entry+0x50/0x60\n   start_secondary+0x213/0x2a0\n   common_startup_64+0x129/0x138\n\n to a SOFTIRQ-irq-unsafe lock:\n  (&xa-\u003exa_lock#24){+.+.}-{3:3}\n\n ... 
which became SOFTIRQ-irq-unsafe at:\n ...\n   lock_acquire+0x1be/0x520\n   _raw_spin_lock+0x2c/0x40\n   xa_set_mark+0x70/0x110\n   mlx5e_xfrm_add_state+0xe48/0x2290 [mlx5_core]\n   xfrm_dev_state_add+0x3bb/0xd70\n   xfrm_add_sa+0x2451/0x4a90\n   xfrm_user_rcv_msg+0x493/0x880\n   netlink_rcv_skb+0x12e/0x380\n   xfrm_netlink_rcv+0x6d/0x90\n   netlink_unicast+0x42f/0x740\n   netlink_sendmsg+0x745/0xbe0\n   __sock_sendmsg+0xc5/0x190\n   __sys_sendto+0x1fe/0x2c0\n   __x64_sys_sendto+0xdc/0x1b0\n   do_syscall_64+0x6d/0x140\n   entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\n other info that might help us debug this:\n\n  Possible interrupt unsafe locking scenario:\n\n        CPU0                    CPU1\n        ----                    ----\n   lock(&xa-\u003exa_lock#24);\n                                local_irq_disable();\n                                lock(&x-\u003elock);\n                                lock(&xa-\u003exa_lock#24);\n   \u003cInterrupt\u003e\n     lock(&x-\u003elock);\n\n  *** DEADLOCK ***\n\n 2 locks held by charon/1337:\n  #0: ffffffff87f8f858 (&net-\u003exfrm.xfrm_cfg_mutex){+.+.}-{4:4}, at: xfrm_netlink_rcv+0x5e/0x90\n  #1: ffff88813e0f0d48 (&x-\u003elock){+.-.}-{3:3}, at: xfrm_state_delete+0x16/0x30\n\n the dependencies between SOFTIRQ-irq-safe lock and the holding lock:\n -\u003e (&x-\u003elock){+.-.}-{3:3} ops: 29 {\n    HARDIRQ-ON-W at:\n                     lock_acquire+0x1be/0x520\n                     _raw_spin_lock_bh+0x34/0x40\n                     xfrm_alloc_spi+0xc0/0xe60\n                     xfrm_alloc_userspi+0x5f6/0xbc0\n                     xfrm_user_rcv_msg+0x493/0x880\n                     netlink_rcv_skb+0x12e/0x380\n                     xfrm_netlink_rcv+0x6d/0x90\n                     netlink_unicast+0x42f/0x740\n                     netlink_sendmsg+0x745/0xbe0\n                     __sock_sendmsg+0xc5/0x190\n                     __sys_sendto+0x1fe/0x2c0\n                     __x64_sys_sendto+0xdc/0x1b0\n                     
do_syscall_64+0x6d/0x140\n                     entry_SYSCALL_64_after_hwframe+0x4b/0x53\n    IN-SOFTIRQ-W at:\n                     lock_acquire+0x1be/0x520\n                     _raw_spin_lock_bh+0x34/0x40\n                     xfrm_timer_handler+0x91/0xd70\n                     __hrtimer_run_queues+0x1dd/0xa60\n   \n---truncated---","modified":"2026-04-01T05:18:53.112540Z","published":"2025-01-31T12:15:28Z","upstream":["CVE-2025-21674"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-21674"}],"affected":[{"package":{"name":"kernel","ecosystem":"Azure Linux:3","purl":"pkg:rpm/azure-linux/kernel"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.6.76.1-1"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-56399.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}