Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
- >= 6.12.0, < 6.12.0-rc4
A vulnerability in the Linux kernel's IPsec implementation for tunnel mode has been identified, leading to a kernel panic. This issue arises from an incorrect lock order that creates a potential deadlock scenario. When IPsec packet offload is enabled in tunnel mode, the 'SA add' section improperly marks the SA mode, and the 'SA delete' routine unnecessarily flushes the workqueue, causing synchronization problems. The vulnerability is present in Linux kernel versions 6.12.0 and later.
The vulnerability can cause a kernel panic due to a deadlock, where two locks are held in a conflicting order, disrupting normal processing and potentially leading to a system crash.
To reproduce this vulnerability, enable IPsec packet offload in tunnel mode on a Linux system with kernel version 6.12.0 or later. This will trigger a kernel panic due to the improper handling of SA modes and the unnecessary flushing of the workqueue, creating a deadlock by causing a SOFTIRQ-safe lock to be acquired in a SOFTIRQ-unsafe manner.