CVE-2025-38129
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-38129
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38129.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-38129
- Downstream
- Related
- Published
- 2025-07-03T08:35:33Z
- Modified
- 2025-10-18T02:36:36.759902Z
- Summary
- page_pool: Fix use-after-free in page_pool_recycle_in_ring
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
pagepool: Fix use-after-free in pagepoolrecyclein_ring
syzbot reported a uaf in pagepoolrecycleinring:
BUG: KASAN: slab-use-after-free in lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862 Read of size 8 at addr ffff8880286045a0 by task syz.0.284/6943
CPU: 0 UID: 0 PID: 6943 Comm: syz.0.284 Not tainted 6.13.0-rc3-syzkaller-gdfa94ce54f41 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: <TASK> _dumpstack lib/dumpstack.c:94 [inline] dumpstacklvl+0x241/0x360 lib/dumpstack.c:120 printaddressdescription mm/kasan/report.c:378 [inline] printreport+0x169/0x550 mm/kasan/report.c:489 kasanreport+0x143/0x180 mm/kasan/report.c:602 lockrelease+0x151/0xa30 kernel/locking/lockdep.c:5862 _rawspinunlockbh include/linux/spinlockapismp.h:165 [inline] _rawspinunlockbh+0x1b/0x40 kernel/locking/spinlock.c:210 spinunlockbh include/linux/spinlock.h:396 [inline] ptrringproducebh include/linux/ptrring.h:164 [inline] pagepoolrecycleinring net/core/pagepool.c:707 [inline] pagepoolputunrefednetmem+0x748/0xb00 net/core/pagepool.c:826 pagepoolputnetmem include/net/pagepool/helpers.h:323 [inline] pagepoolputfullnetmem include/net/pagepool/helpers.h:353 [inline] napippputpage+0x149/0x2b0 net/core/skbuff.c:1036 skbpprecycle net/core/skbuff.c:1047 [inline] skbfreehead net/core/skbuff.c:1094 [inline] skbreleasedata+0x6c4/0x8a0 net/core/skbuff.c:1125 skbreleaseall net/core/skbuff.c:1190 [inline] _kfreeskb net/core/skbuff.c:1204 [inline] skskbreasondrop+0x1c9/0x380 net/core/skbuff.c:1242 kfreeskbreason include/linux/skbuff.h:1263 [inline] _skbqueuepurge_reason include/linux/skbuff.h:3343 [inline]
root cause is:
pagepoolrecycleinring ptrringproduce spinlock(&r->producerlock); WRITEONCE(r->queue[r->producer++], ptr) //recycle last page to pool pagepoolrelease pagepoolscrub pagepoolemptyring ptrringconsume pagepoolreturnpage //release all page _pagepooldestroy freepercpu(pool->recyclestats); free(pool) //free
spin_unlock(&r->producer_lock); //pool->ring uaf readrecyclestatinc(pool, ring);
pagepool can be free while page pool recycle the last page in ring. Add producer-lock barrier to pagepool_release to prevent the page pool from being free before all pages have been recycled.
recyclestatinc() is empty when CONFIGPAGEPOOL_STATS is not enabled, which will trigger Wempty-body build warning. Add definition for pool stat macro to fix warning.
- References
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedff7d6b27f894f1469dc51ccb828b7363ccd9799fFixede869a85acc2e60dc554579b910826a4919d8cd98
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedff7d6b27f894f1469dc51ccb828b7363ccd9799fFixed4ab8c0f8905c9c4d05e7f437e65a9a365573ff02
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedff7d6b27f894f1469dc51ccb828b7363ccd9799fFixed271683bb2cf32e5126c592b5d5e6a756fa374fd9
Affected versions
v4.*
v4.17
v4.17-rc1
v4.17-rc2
v4.17-rc3
v4.17-rc4
v4.17-rc5
v4.17-rc6
v4.17-rc7
v4.18
v4.18-rc1
v4.18-rc2
v4.18-rc3
v4.18-rc4
v4.18-rc5
v4.18-rc6
v4.18-rc7
v4.18-rc8
v4.19
v4.19-rc1
v4.19-rc2
v4.19-rc3
v4.19-rc4
v4.19-rc5
v4.19-rc6
v4.19-rc7
v4.19-rc8
v4.20
v4.20-rc1
v4.20-rc2
v4.20-rc3
v4.20-rc4
v4.20-rc5
v4.20-rc6
v4.20-rc7
v5.*
v5.0
v5.0-rc1
v5.0-rc2
v5.0-rc3
v5.0-rc4
v5.0-rc5
v5.0-rc6
v5.0-rc7
v5.0-rc8
v5.1
v5.1-rc1
v5.1-rc2
v5.1-rc3
v5.1-rc4
v5.1-rc5
v5.1-rc6
v5.1-rc7
v5.10
v5.10-rc1
v5.10-rc2
v5.10-rc3
v5.10-rc4
v5.10-rc5
v5.10-rc6
v5.10-rc7
v5.11
v5.11-rc1
v5.11-rc2
v5.11-rc3
v5.11-rc4
v5.11-rc5
v5.11-rc6
v5.11-rc7
v5.12
v5.12-rc1
v5.12-rc1-dontuse
v5.12-rc2
v5.12-rc3
v5.12-rc4
v5.12-rc5
v5.12-rc6
v5.12-rc7
v5.12-rc8
v5.13
v5.13-rc1
v5.13-rc2
v5.13-rc3
v5.13-rc4
v5.13-rc5
v5.13-rc6
v5.13-rc7
v5.14
v5.14-rc1
v5.14-rc2
v5.14-rc3
v5.14-rc4
v5.14-rc5
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8
v5.2
v5.2-rc1
v5.2-rc2
v5.2-rc3
v5.2-rc4
v5.2-rc5
v5.2-rc6
v5.2-rc7
v5.3
v5.3-rc1
v5.3-rc2
v5.3-rc3
v5.3-rc4
v5.3-rc5
v5.3-rc6
v5.3-rc7
v5.3-rc8
v5.4
v5.4-rc1
v5.4-rc2
v5.4-rc3
v5.4-rc4
v5.4-rc5
v5.4-rc6
v5.4-rc7
v5.4-rc8
v5.5
v5.5-rc1
v5.5-rc2
v5.5-rc3
v5.5-rc4
v5.5-rc5
v5.5-rc6
v5.5-rc7
v5.6
v5.6-rc1
v5.6-rc2
v5.6-rc3
v5.6-rc4
v5.6-rc5
v5.6-rc6
v5.6-rc7
v5.7
v5.7-rc1
v5.7-rc2
v5.7-rc3
v5.7-rc4
v5.7-rc5
v5.7-rc6
v5.7-rc7
v5.8
v5.8-rc1
v5.8-rc2
v5.8-rc3
v5.8-rc4
v5.8-rc5
v5.8-rc6
v5.8-rc7
v5.9
v5.9-rc1
v5.9-rc2
v5.9-rc3
v5.9-rc4
v5.9-rc5
v5.9-rc6
v5.9-rc7
v5.9-rc8
v6.*
v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.12.10
v6.12.11
v6.12.12
v6.12.13
v6.12.14
v6.12.15
v6.12.16
v6.12.17
v6.12.18
v6.12.19
v6.12.2
v6.12.20
v6.12.21
v6.12.22
v6.12.23
v6.12.24
v6.12.25
v6.12.26
v6.12.27
v6.12.28
v6.12.29
v6.12.3
v6.12.30
v6.12.31
v6.12.32
v6.12.33
v6.12.4
v6.12.5
v6.12.6
v6.12.7
v6.12.8
v6.12.9
v6.13
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.14
v6.14-rc1
v6.14-rc2
v6.14-rc3
v6.14-rc4
v6.14-rc5
v6.14-rc6
v6.14-rc7
v6.15
v6.15-rc1
v6.15-rc2
v6.15-rc3
v6.15-rc4
v6.15-rc5
v6.15-rc6
v6.15-rc7
v6.15.1
v6.15.2
v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7
Database specific
vanir_signatures
[
{
"signature_type": "Function",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4ab8c0f8905c9c4d05e7f437e65a9a365573ff02",
"signature_version": "v1",
"id": "CVE-2025-38129-2a219693",
"digest": {
"function_hash": "232915541484641805731685839964837519780",
"length": 282.0
},
"target": {
"function": "page_pool_recycle_in_ring",
"file": "net/core/page_pool.c"
}
},
{
"signature_type": "Function",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e869a85acc2e60dc554579b910826a4919d8cd98",
"signature_version": "v1",
"id": "CVE-2025-38129-2aec9930",
"digest": {
"function_hash": "305558032817484683490253597255352996899",
"length": 157.0
},
"target": {
"function": "page_pool_release",
"file": "net/core/page_pool.c"
}
},
{
"signature_type": "Function",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4ab8c0f8905c9c4d05e7f437e65a9a365573ff02",
"signature_version": "v1",
"id": "CVE-2025-38129-2b42177c",
"digest": {
"function_hash": "305558032817484683490253597255352996899",
"length": 157.0
},
"target": {
"function": "page_pool_release",
"file": "net/core/page_pool.c"
}
},
{
"signature_type": "Line",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@271683bb2cf32e5126c592b5d5e6a756fa374fd9",
"signature_version": "v1",
"id": "CVE-2025-38129-2bc8cd32",
"digest": {
"threshold": 0.9,
"line_hashes": [
"120816698837380104442744378199995233710",
"300621706553098124420571022830555093139",
"147661803068086501796776517194580039587",
"199643041380826521901059365806447793694",
"89974365295171727909229560989228468397",
"42588145702406156829552091413472511980",
"326597945397023591486371932425514144433",
"198391578000394093077690689436587592041",
"150966067749246518367151219783583311538",
"43436193033333595680682711075886565725",
"285748149828937268649452633248417320854",
"154792983126280337544865700056085200137",
"239924586736892358353586238784605126427",
"119258988697698457769296765622298402469",
"9068731598265613676833381565505762834",
"287941679106325077149940829707434248515",
"62703356996218816252810872643398763836",
"39967247651045528693874320395360908491",
"86625173856001561342563882811535052621",
"246431448699440017925207442226430134136",
"282518405046513108922055179039797111676",
"136891337158411453639130422483154172491",
"95284681407539634392477505263113249685"
]
},
"target": {
"file": "net/core/page_pool.c"
}
},
{
"signature_type": "Function",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e869a85acc2e60dc554579b910826a4919d8cd98",
"signature_version": "v1",
"id": "CVE-2025-38129-7134af2a",
"digest": {
"function_hash": "232915541484641805731685839964837519780",
"length": 282.0
},
"target": {
"function": "page_pool_recycle_in_ring",
"file": "net/core/page_pool.c"
}
},
{
"signature_type": "Line",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4ab8c0f8905c9c4d05e7f437e65a9a365573ff02",
"signature_version": "v1",
"id": "CVE-2025-38129-76eb2fd7",
"digest": {
"threshold": 0.9,
"line_hashes": [
"120816698837380104442744378199995233710",
"300621706553098124420571022830555093139",
"147661803068086501796776517194580039587",
"199643041380826521901059365806447793694",
"89974365295171727909229560989228468397",
"42588145702406156829552091413472511980",
"326597945397023591486371932425514144433",
"198391578000394093077690689436587592041",
"150966067749246518367151219783583311538",
"43436193033333595680682711075886565725",
"285748149828937268649452633248417320854",
"154792983126280337544865700056085200137",
"239924586736892358353586238784605126427",
"119258988697698457769296765622298402469",
"9068731598265613676833381565505762834",
"287941679106325077149940829707434248515",
"62703356996218816252810872643398763836",
"39967247651045528693874320395360908491",
"86625173856001561342563882811535052621",
"246431448699440017925207442226430134136",
"282518405046513108922055179039797111676",
"136891337158411453639130422483154172491",
"95284681407539634392477505263113249685"
]
},
"target": {
"file": "net/core/page_pool.c"
}
},
{
"signature_type": "Function",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@271683bb2cf32e5126c592b5d5e6a756fa374fd9",
"signature_version": "v1",
"id": "CVE-2025-38129-acfb2fd9",
"digest": {
"function_hash": "232915541484641805731685839964837519780",
"length": 282.0
},
"target": {
"function": "page_pool_recycle_in_ring",
"file": "net/core/page_pool.c"
}
},
{
"signature_type": "Function",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@271683bb2cf32e5126c592b5d5e6a756fa374fd9",
"signature_version": "v1",
"id": "CVE-2025-38129-cc2bf425",
"digest": {
"function_hash": "305558032817484683490253597255352996899",
"length": 157.0
},
"target": {
"function": "page_pool_release",
"file": "net/core/page_pool.c"
}
},
{
"signature_type": "Line",
"deprecated": false,
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e869a85acc2e60dc554579b910826a4919d8cd98",
"signature_version": "v1",
"id": "CVE-2025-38129-e1484545",
"digest": {
"threshold": 0.9,
"line_hashes": [
"120816698837380104442744378199995233710",
"300621706553098124420571022830555093139",
"147661803068086501796776517194580039587",
"199643041380826521901059365806447793694",
"89974365295171727909229560989228468397",
"42588145702406156829552091413472511980",
"326597945397023591486371932425514144433",
"198391578000394093077690689436587592041",
"150966067749246518367151219783583311538",
"43436193033333595680682711075886565725",
"285748149828937268649452633248417320854",
"154792983126280337544865700056085200137",
"239924586736892358353586238784605126427",
"119258988697698457769296765622298402469",
"9068731598265613676833381565505762834",
"287941679106325077149940829707434248515",
"62703356996218816252810872643398763836",
"39967247651045528693874320395360908491",
"86625173856001561342563882811535052621",
"246431448699440017925207442226430134136",
"282518405046513108922055179039797111676",
"136891337158411453639130422483154172491",
"95284681407539634392477505263113249685"
]
},
"target": {
"file": "net/core/page_pool.c"
}
}
]