CVE-2025-38129
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-38129
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38129.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-38129
- Downstream
- Related
- Published
- 2025-07-03T08:35:33Z
- Modified
- 2025-10-10T12:09:25.062683Z
- Summary
- page_pool: Fix use-after-free in page_pool_recycle_in_ring
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
pagepool: Fix use-after-free in pagepoolrecyclein_ring
syzbot reported a uaf in pagepoolrecycleinring:
BUG: KASAN: slab-use-after-free in lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862 Read of size 8 at addr ffff8880286045a0 by task syz.0.284/6943
CPU: 0 UID: 0 PID: 6943 Comm: syz.0.284 Not tainted 6.13.0-rc3-syzkaller-gdfa94ce54f41 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: <TASK> _dumpstack lib/dumpstack.c:94 [inline] dumpstacklvl+0x241/0x360 lib/dumpstack.c:120 printaddressdescription mm/kasan/report.c:378 [inline] printreport+0x169/0x550 mm/kasan/report.c:489 kasanreport+0x143/0x180 mm/kasan/report.c:602 lockrelease+0x151/0xa30 kernel/locking/lockdep.c:5862 _rawspinunlockbh include/linux/spinlockapismp.h:165 [inline] _rawspinunlockbh+0x1b/0x40 kernel/locking/spinlock.c:210 spinunlockbh include/linux/spinlock.h:396 [inline] ptrringproducebh include/linux/ptrring.h:164 [inline] pagepoolrecycleinring net/core/pagepool.c:707 [inline] pagepoolputunrefednetmem+0x748/0xb00 net/core/pagepool.c:826 pagepoolputnetmem include/net/pagepool/helpers.h:323 [inline] pagepoolputfullnetmem include/net/pagepool/helpers.h:353 [inline] napippputpage+0x149/0x2b0 net/core/skbuff.c:1036 skbpprecycle net/core/skbuff.c:1047 [inline] skbfreehead net/core/skbuff.c:1094 [inline] skbreleasedata+0x6c4/0x8a0 net/core/skbuff.c:1125 skbreleaseall net/core/skbuff.c:1190 [inline] _kfreeskb net/core/skbuff.c:1204 [inline] skskbreasondrop+0x1c9/0x380 net/core/skbuff.c:1242 kfreeskbreason include/linux/skbuff.h:1263 [inline] _skbqueuepurge_reason include/linux/skbuff.h:3343 [inline]
root cause is:
pagepoolrecycleinring ptrringproduce spinlock(&r->producerlock); WRITEONCE(r->queue[r->producer++], ptr) //recycle last page to pool pagepoolrelease pagepoolscrub pagepoolemptyring ptrringconsume pagepoolreturnpage //release all page _pagepooldestroy freepercpu(pool->recyclestats); free(pool) //free
spin_unlock(&r->producer_lock); //pool->ring uaf readrecyclestatinc(pool, ring);
pagepool can be free while page pool recycle the last page in ring. Add producer-lock barrier to pagepool_release to prevent the page pool from being free before all pages have been recycled.
recyclestatinc() is empty when CONFIGPAGEPOOL_STATS is not enabled, which will trigger Wempty-body build warning. Add definition for pool stat macro to fix warning.
- References
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedff7d6b27f894f1469dc51ccb828b7363ccd9799fFixede869a85acc2e60dc554579b910826a4919d8cd98
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedff7d6b27f894f1469dc51ccb828b7363ccd9799fFixed4ab8c0f8905c9c4d05e7f437e65a9a365573ff02
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedff7d6b27f894f1469dc51ccb828b7363ccd9799fFixed271683bb2cf32e5126c592b5d5e6a756fa374fd9