CVE-2025-21858

In the Linux kernel, the following vulnerability has been resolved:

geneve: Fix use-after-free in genevefinddev().

syzkaller reported a use-after-free in genevefinddev() [0] without repro.

geneveconfigure() links struct genevedev.next to netgeneric(net, genevenetid)->genevelist.

The net here could differ from devnet(dev) if IFLANETNSPID, IFLANETNSFD, or IFLATARGET_NETNSID is set.

When devnet(dev) is dismantled, geneveexitbatchrtnl() finally calls unregisternetdevicequeue() for each dev in the netns, and later the dev is freed.

However, its geneve_dev.next is still linked to the backend UDP socket netns.

Then, use-after-free will occur when another geneve dev is created in the netns.

Let's call genevedellink() instead in genevedestroy_tunnels().

BUG: KASAN: slab-use-after-free in geneve_configure+0x234/0x858 drivers/net/geneve.c:1343 Read of size 2 at addr ffff000054d6ee24 by task syz.1.4029/13441

CPU: 1 UID: 0 PID: 13441 Comm: syz.1.4029 Not tainted 6.13.0-g0ad9617c78ac #24 dc35ca22c79fb82e8e7bc5c9c9adafea898b1e3d Hardware name: linux,dummy-virt (DT) Call trace: show_stack+0x38/0x50 arch/arm64/kernel/stacktrace.c:466 (C) __dumpstack lib/dumpstack.c:94 [inline] dumpstacklvl+0xbc/0x108 lib/dumpstack.c:120 printaddressdescription mm/kasan/report.c:378 [inline] printreport+0x16c/0x6f0 mm/kasan/report.c:489 kasan_report+0xc0/0x120 mm/kasan/report.c:602 __asanreportload2noabort+0x20/0x30 mm/kasan/reportgeneric.c:379 genevefinddev drivers/net/geneve.c:1295 [inline] geneveconfigure+0x234/0x858 drivers/net/geneve.c:1343 genevenewlink+0xb8/0x128 drivers/net/geneve.c:1634 rtnlnewlinkcreate+0x23c/0x868 net/core/rtnetlink.c:3795 __rtnlnewlink net/core/rtnetlink.c:3906 [inline] rtnlnewlink+0x1054/0x1630 net/core/rtnetlink.c:4021 rtnetlink_rcvmsg+0x61c/0x918 net/core/rtnetlink.c:6911 netlinkrcvskb+0x1dc/0x398 net/netlink/afnetlink.c:2543 rtnetlinkrcv+0x34/0x50 net/core/rtnetlink.c:6938 netlinkunicastkernel net/netlink/afnetlink.c:1322 [inline] netlinkunicast+0x618/0x838 net/netlink/afnetlink.c:1348 netlinksendmsg+0x5fc/0x8b0 net/netlink/afnetlink.c:1892 socksendmsgnosec net/socket.c:713 [inline] __sock_sendmsg net/socket.c:728 [inline] ____sys_sendmsg+0x410/0x6f8 net/socket.c:2568 ___sys_sendmsg+0x178/0x1d8 net/socket.c:2622 __sys_sendmsg net/socket.c:2654 [inline] __dosyssendmsg net/socket.c:2659 [inline] __sesyssendmsg net/socket.c:2657 [inline] __arm64syssendmsg+0x12c/0x1c8 net/socket.c:2657 __invokesyscall arch/arm64/kernel/syscall.c:35 [inline] invokesyscall+0x90/0x278 arch/arm64/kernel/syscall.c:49 el0svccommon+0x13c/0x250 arch/arm64/kernel/syscall.c:132 doel0svc+0x54/0x70 arch/arm64/kernel/syscall.c:151 el0svc+0x4c/0xa8 arch/arm64/kernel/entry-common.c:744 el0t64synchandler+0x78/0x108 arch/arm64/kernel/entry-common.c:762 el0t64sync+0x198/0x1a0 arch/arm64/kernel/entry.S:600

Allocated by task 13247: kasansavestack mm/kasan/common.c:47 [inline] kasansavetrack+0x30/0x68 mm/kasan/common.c:68 kasansaveallocinfo+0x44/0x58 mm/kasan/generic.c:568 poisonkmalloc_redzone mm/kasan/common.c:377 [inline] __kasankmalloc+0x84/0xa0 mm/kasan/common.c:394 kasankmalloc include/linux/kasan.h:260 [inline] __dokmallocnode mm/slub.c:4298 [inline] __kmallocnodenoprof+0x2a0/0x560 mm/slub.c:4304 __kvmallocnodenoprof+0x9c/0x230 mm/util.c:645 allocnetdevmqs+0xb8/0x11a0 net/core/dev.c:11470 rtnlcreatelink+0x2b8/0xb50 net/core/rtnetlink.c:3604 rtnlnewlinkcreate+0x19c/0x868 net/core/rtnetlink.c:3780 _rtnlnewlink net/core/rtnetlink.c:3906 [inline] rtnlnewlink+0x1054/0x1630 net/core/rtnetlink.c:4021 rtnetlinkrcvmsg+0x61c/0x918 net/core/rtnetlink.c:6911 netlinkrcvskb+0x1dc/0x398 net/netlink/afnetlink.c:2543 rtnetlinkrcv+0x34/0x50 net/core/rtnetlink.c:6938 netlinkunicastkernel net/netlink/afn ---truncated---