CVE-2025-21865

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-21865
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-21865.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-21865
Published
2025-03-12T09:42:21Z
Modified
2025-10-22T11:16:51.534916Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
gtp: Suppress list corruption splat in gtp_net_exit_batch_rtnl().
Details

In the Linux kernel, the following vulnerability has been resolved:

gtp: Suppress list corruption splat in gtp_net_exit_batch_rtnl().

Brad Spengler reported the list_del() corruption splat in gtp_net_exit_batch_rtnl(). [0]

Commit eb28fd76c0a0 ("gtp: Destroy device along with udp socket's netns dismantle.") added the for_each_netdev() loop in gtp_net_exit_batch_rtnl() to destroy devices in each netns as done in geneve and ip tunnels.

However, this could trigger ->dellink() twice for the same device during ->exit_batch_rtnl().

Say we have two netns A & B and gtp device B that resides in netns B but whose UDP socket is in netns A.

  1. cleanup_net() processes netns A and then B.

  2. gtp_net_exit_batch_rtnl() finds the device B while iterating netns A's gn->gtp_dev_list and calls ->dellink().

    [ device B is not yet unlinked from netns B as unregister_netdevice_many() has not been called. ]

  3. gtp_net_exit_batch_rtnl() finds the device B while iterating netns B's for_each_netdev() and calls ->dellink().

gtp_dellink() cleans up the device's hash table, unlinks the dev from gn->gtp_dev_list, and calls unregister_netdevice_queue().

Basically, calling gtp_dellink() multiple times is fine unless CONFIG_DEBUG_LIST is enabled.

Let's remove for_each_netdev() in gtp_net_exit_batch_rtnl() and delegate the destruction to default_device_exit_batch() as done in bareudp.

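The two-netns sequence described above, as an added user-space model (not kernel code and not part of the advisory): a list delete that checks for poisoned pointers, in the spirit of CONFIG_DEBUG_LIST, reports the second ->dellink() on device B, and dropping the netdev walk removes it. The names `checked_list_del`, `dev_node`, `gtp_node`, `exit_batch`, `run_scenario` and the poison constants are hypothetical, and the model assumes every netdev is a GTP device.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* User-space model of the advisory's scenario; not kernel code. */
struct list_head { struct list_head *next, *prev; };
#define POISON1 ((struct list_head *)(uintptr_t)0x100) /* constructed poison values */
#define POISON2 ((struct list_head *)(uintptr_t)0x122)
#define entry_of(p, type, m) ((type *)((char *)(p) - offsetof(type, m)))
struct netns { struct list_head netdevs, gtp_dev_list; };
struct gtp_dev { struct list_head dev_node, gtp_node; };

static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add_tail(struct list_head *e, struct list_head *h) {
    e->prev = h->prev; e->next = h; h->prev->next = e; h->prev = e;
}
/* Like a debug-checked list_del(): report a poisoned entry instead of unlinking it. */
static int checked_list_del(struct list_head *e) {
    if (e->next == POISON1 || e->prev == POISON2) return 1;
    e->next->prev = e->prev; e->prev->next = e->next;
    e->next = POISON1; e->prev = POISON2;
    return 0;
}
/* Stand-in for gtp_dellink(): unlink from gtp_dev_list. The device stays on its
 * netns's netdev list because unregister_netdevice_many() runs after the batch. */
static int dellink(struct gtp_dev *g) { return checked_list_del(&g->gtp_node); }
/* Stand-in for gtp_net_exit_batch_rtnl() on one netns; returns reported splats. */
static int exit_batch(struct netns *ns, int walk_netdevs) {
    int splats = 0;
    struct list_head *p, *n;
    for (p = ns->gtp_dev_list.next; p != &ns->gtp_dev_list; p = n) {
        n = p->next; /* saved first: dellink() poisons p */
        splats += dellink(entry_of(p, struct gtp_dev, gtp_node));
    }
    if (walk_netdevs) /* models the for_each_netdev() loop the fix removes */
        for (p = ns->netdevs.next; p != &ns->netdevs; p = p->next)
            splats += dellink(entry_of(p, struct gtp_dev, dev_node));
    return splats;
}
/* Netns A holds the UDP socket, netns B holds the device; cleanup runs A then B. */
int run_scenario(int walk_netdevs) {
    struct netns a, b; struct gtp_dev dev_b;
    list_init(&a.netdevs); list_init(&a.gtp_dev_list);
    list_init(&b.netdevs); list_init(&b.gtp_dev_list);
    list_add_tail(&dev_b.dev_node, &b.netdevs);
    list_add_tail(&dev_b.gtp_node, &a.gtp_dev_list);
    return exit_batch(&a, walk_netdevs) + exit_batch(&b, walk_netdevs);
}
int main(void) {
    printf("netdev walk: %d, no walk: %d\n", run_scenario(1), run_scenario(0));
    return 0;
}
```

In the model, as in the fix, device B's own teardown in netns B is left to the generic path (default_device_exit_batch() in the kernel), which is not modeled here.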

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
c986380c1d5274c4d5e935addc807d6791cc23eb
Fixed
7f86fb07db65a470d0c11f79da551bd9466357dc
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
5f1678346109ff3a6d229d33437fcba3cce9209d
Fixed
33eb925c0c26e86ca540a08254806512bf911f22
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
036f8d814a2cd11ee8ef62b8f3e7ce5dec0ee4f3
Fixed
cb15bb1bde0ba97cbbed9508e45210dcafec3657
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
efec287cbac92ac6ee8312a89221854760e13b34
Fixed
b70fa591b066d52b141fc430ffdee35b6cc87a66
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
bb11f992f5a475bc68ef959f17a55306f0328495
Fixed
9d03e7e37187ae140e716377599493987fb20c5b
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
86f73d4ab2f27deeff22ba9336ad103d94f12ac7
Fixed
ff81b14010362f6188ca26fec22ff05e4da45595
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
eb28fd76c0a08a47b470677c6cef9dd1c60e92d1
Fixed
37e7644b961600ef0beb01d3970c3034a62913af
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
eb28fd76c0a08a47b470677c6cef9dd1c60e92d1
Fixed
4ccacf86491d33d2486b62d4d44864d7101b299d

Affected versions

v5.*

v5.10.234
v5.15.177
v5.15.178
v5.4.290

v6.*

v6.1.127
v6.1.128
v6.1.129
v6.12.11
v6.12.12
v6.12.13
v6.12.14
v6.12.15
v6.12.16
v6.13
v6.13-rc7
v6.13.1
v6.13.2
v6.13.3
v6.13.4
v6.14-rc1
v6.14-rc2
v6.6.74
v6.6.75
v6.6.76
v6.6.77
v6.6.78
v6.6.79

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.4.291
Type
ECOSYSTEM
Events
Introduced
5.5.0
Fixed
5.10.235
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.179
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.130
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.80
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.17
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.13.5