In the Linux kernel, the following vulnerability has been resolved:
ipvlan: Fix use-after-free in ipvlan_get_iflink().
syzbot presented a use-after-free report [0] regarding ipvlan and linkwatch.
ipvlan does not hold a refcnt of the lower device unlike vlan and macvlan.
If the linkwatch work is triggered for the ipvlan dev, the lower dev might have already been freed, resulting in UAF of ipvlan->phy_dev in ipvlan_get_iflink().
We can delay the lower dev unregistration like vlan and macvlan by holding the lower dev's refcnt in dev->netdev_ops->ndo_init() and releasing it in dev->priv_destructor().
Jakub pointed out calling .ndo_XXX after unregister_netdevice() has returned is error-prone and suggested [1] addressing this UAF in the core by taking commit 750e51603395 ("net: avoid potential UAF in default_operstate()") further.
Let's assume unregistering devices are DOWN and use RCU protection in default_operstate() so as not to race with the device unregistration.
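Added example, not part of the commit message and not the kernel's code: a small user-space C model of the sequence described above, so the two fix strategies can be compared side by side. struct net_device, the refcount, dev_put() and the linkwatch callback are simplified stand-ins for the kernel's; freed memory is kept around with a flag so a read of it is reported instead of crashing. The hold_ref parameter models the vlan/macvlan-style fix (take a reference on the lower device in ndo_init(), release it in priv_destructor()), and core_fix models the core-side change (treat an unregistering device as DOWN before touching its lower device). It does not reproduce the syzbot report and is not the actual patch.

```c
/* Added example (user-space model, not kernel code) of the lifetime bug in the commit
 * message and its two fixes. Freed memory is kept, with a flag, so a UAF is reported. */
#include <stdio.h>
#include <stdlib.h>

enum reg_state { NETREG_REGISTERED, NETREG_UNREGISTERING, NETREG_UNREGISTERED };
enum operstate { IF_OPER_UP, IF_OPER_DOWN, IF_OPER_LOWERLAYERDOWN, IF_OPER_UAF = -1 };

struct net_device {
    int refcnt;                 /* stand-in for the netdev refcount */
    enum reg_state reg_state;
    int carrier_ok;
    struct net_device *phy_dev; /* ipvlan's lower device; NULL for a real NIC */
    int holds_lower_ref;        /* model only: ndo_init() took a ref on phy_dev */
    int freed;                  /* model only: set where the kernel would kfree() */
};

static struct net_device *alloc_netdev(void)
{
    struct net_device *dev = calloc(1, sizeof(*dev));
    dev->refcnt = 1;
    dev->reg_state = NETREG_REGISTERED;
    dev->carrier_ok = 1;
    return dev;
}

static void dev_put(struct net_device *dev)
{
    if (--dev->refcnt == 0)
        dev->freed = 1;         /* memory kept on purpose so a later read is observable */
}

/* hold_ref models the vlan/macvlan-style fix: take a reference on the lower
 * device in ndo_init() and release it in priv_destructor(). */
static struct net_device *ipvlan_link(struct net_device *lower, int hold_ref)
{
    struct net_device *dev = alloc_netdev();
    dev->phy_dev = lower;
    dev->holds_lower_ref = hold_ref;
    if (hold_ref)
        lower->refcnt++;
    return dev;
}

static void ipvlan_destroy(struct net_device *dev)
{
    if (dev->holds_lower_ref)
        dev_put(dev->phy_dev);  /* the priv_destructor() side of the fix */
    dev->reg_state = NETREG_UNREGISTERED;
    dev_put(dev);
}

/* Lower teardown: NETDEV_UNREGISTER moves the ipvlan on top of it to UNREGISTERING,
 * then the lower's own reference goes away. Linkwatch work queued earlier for the
 * ipvlan may still run after this point. */
static void unregister_lower(struct net_device *lower, struct net_device *upper)
{
    upper->reg_state = NETREG_UNREGISTERING;
    lower->reg_state = NETREG_UNREGISTERED;
    dev_put(lower);
}

/* default_operstate() before the core fix: ipvlan_get_iflink() dereferences phy_dev
 * unconditionally, whether or not the lower device is still alive. */
static enum operstate default_operstate_old(const struct net_device *dev)
{
    if (dev->phy_dev->freed)
        return IF_OPER_UAF;     /* KASAN would report this read */
    return dev->phy_dev->carrier_ok ? IF_OPER_UP : IF_OPER_LOWERLAYERDOWN;
}

/* After the core fix: a device being unregistered is assumed DOWN, so the
 * linkwatch path never dereferences its lower device. */
static enum operstate default_operstate_new(const struct net_device *dev)
{
    if (dev->reg_state != NETREG_REGISTERED)
        return IF_OPER_DOWN;
    return default_operstate_old(dev);
}

/* Link ipvl0 on eth0, tear eth0 down, run the deferred linkwatch work, then
 * destroy ipvl0; *lower_freed reports whether eth0's memory was released by the end. */
static enum operstate run_scenario(int hold_ref, int core_fix, int *lower_freed)
{
    struct net_device *eth0 = alloc_netdev();
    struct net_device *ipvl0 = ipvlan_link(eth0, hold_ref);
    enum operstate st;

    unregister_lower(eth0, ipvl0);
    st = core_fix ? default_operstate_new(ipvl0) : default_operstate_old(ipvl0);
    ipvlan_destroy(ipvl0);
    *lower_freed = eth0->freed;
    return st;
}

int main(void)
{
    for (int v = 0; v < 4; v++) {
        int freed;
        enum operstate st = run_scenario(v & 1, v >> 1, &freed);
        printf("hold_ref=%d core_fix=%d -> operstate %d (-1 = UAF), lower freed=%d\n",
               v & 1, v >> 1, (int)st, freed);
    }
    return 0;
}
```

Build with `cc -Wall model.c && ./a.out`. The hold_ref=0, core_fix=0 row is the situation the KASAN report below corresponds to; with hold_ref=1 the lower device outlives the ipvlan (and is still released once the ipvlan is destroyed), and with core_fix=1 the deferred work never reaches the lower device at all, which is the approach the commit message settles on.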
Read of size 4 at addr ffff0000d768c0e0 by task kworker/u8:35/6944
CPU: 0 UID: 0 PID: 6944 Comm: kworker/u8:35 Not tainted 6.13.0-rc2-g9bc5c9515b48 #12 4c3cb9e8b4565456f6a355f312ff91f4f29b3c47
Hardware name: linux,dummy-virt (DT)
Workqueue: events_unbound linkwatch_event
Call trace:
 show_stack+0x38/0x50 arch/arm64/kernel/stacktrace.c:484 (C)
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0xbc/0x108 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0x16c/0x6f0 mm/kasan/report.c:489
 kasan_report+0xc0/0x120 mm/kasan/report.c:602
 __asan_report_load4_noabort+0x20/0x30 mm/kasan/report_generic.c:380
 ipvlan_get_iflink+0x84/0x88 drivers/net/ipvlan/ipvlan_main.c:353
 dev_get_iflink+0x7c/0xd8 net/core/dev.c:674
 default_operstate net/core/link_watch.c:45 [inline]
 rfc2863_policy+0x144/0x360 net/core/link_watch.c:72
 linkwatch_do_dev+0x60/0x228 net/core/link_watch.c:175
 __linkwatch_run_queue+0x2f4/0x5b8 net/core/link_watch.c:239
 linkwatch_event+0x64/0xa8 net/core/link_watch.c:282
 process_one_work+0x700/0x1398 kernel/workqueue.c:3229
 process_scheduled_works kernel/workqueue.c:3310 [inline]
 worker_thread+0x8c4/0xe10 kernel/workqueue.c:3391
 kthread+0x2b0/0x360 kernel/kthread.c:389
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:862

Allocated by task 9303:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x30/0x68 mm/kasan/common.c:68
 kasan_save_alloc_info+0x44/0x58 mm/kasan/generic.c:568
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0x84/0xa0 mm/kasan/common.c:394
 kasan_kmalloc include/linux/kasan.h:260 [inline]
 __do_kmalloc_node mm/slub.c:4283 [inline]
 __kmalloc_node_noprof+0x2a0/0x560 mm/slub.c:4289
 __kvmalloc_node_noprof+0x9c/0x230 mm/util.c:650
 alloc_netdev_mqs+0xb4/0x1118 net/core/dev.c:11209
 rtnl_create_link+0x2b8/0xb60 net/core/rtnetlink.c:3595
 rtnl_newlink_create+0x19c/0x868 net/core/rtnetlink.c:3771
 __rtnl_newlink net/core/rtnetlink.c:3896 [inline]
 rtnl_newlink+0x122c/0x15c0 net/core/rtnetlink.c:4011
 rtnetlink_rcv_msg+0x61c/0x918 net/core/rtnetlink.c:6901
 netlink_rcv_skb+0x1dc/0x398 net/netlink/af_netlink.c:2542
 rtnetlink_rcv+0x34/0x50 net/core/rtnetlink.c:6928
 netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline]
 netlink_unicast+0x618/0x838 net/netlink/af_netlink.c:1347
 netlink_sendmsg+0x5fc/0x8b0 net/netlink/af_netlink.c:1891
 sock_sendmsg_nosec net/socket.c:711 [inline]
 __sock_sendmsg net/socket.c:726 [inline]
 __sys_sendto+0x2ec/0x438 net/socket.c:2197
 __do_sys_sendto net/socket.c:2204 [inline]
 __se_sys_sendto net/socket.c:2200 [inline]
 __arm64_sys_sendto+0xe4/0x110 net/socket.c:2200
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x90/0x278 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x13c/0x250 arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x54/0x70 arch/arm64/kernel/syscall.c:151
 el ---truncated---