CVE-2025-22085

In the Linux kernel, the following vulnerability has been resolved:

RDMA/core: Fix use-after-free when rename device name

Syzbot reported a slab-use-after-free with the following call trace:

================================================================== BUG: KASAN: slab-use-after-free in nla_put+0xd3/0x150 lib/nlattr.c:1099 Read of size 5 at addr ffff888140ea1c60 by task syz.0.988/10025

CPU: 0 UID: 0 PID: 10025 Comm: syz.0.988 Not tainted 6.14.0-rc4-syzkaller-00859-gf77f12010f67 #0 Hardware name: Google Compute Engine, BIOS Google 02/12/2025 Call Trace: <TASK> dumpstack lib/dumpstack.c:94 [inline] dumpstacklvl+0x241/0x360 lib/dumpstack.c:120 printaddressdescription mm/kasan/report.c:408 [inline] printreport+0x16e/0x5b0 mm/kasan/report.c:521 kasanreport+0x143/0x180 mm/kasan/report.c:634 kasancheckrange+0x282/0x290 mm/kasan/generic.c:189 _asanmemcpy+0x29/0x70 mm/kasan/shadow.c:105 nlaput+0xd3/0x150 lib/nlattr.c:1099 nlaputstring include/net/netlink.h:1621 [inline] fillnldevhandle+0x16e/0x200 drivers/infiniband/core/nldev.c:265 rdmanlnotifyevent+0x561/0xef0 drivers/infiniband/core/nldev.c:2857 ibdevicenotifyregister+0x22/0x230 drivers/infiniband/core/device.c:1344 ibregisterdevice+0x1292/0x1460 drivers/infiniband/core/device.c:1460 rxeregisterdevice+0x233/0x350 drivers/infiniband/sw/rxe/rxeverbs.c:1540 rxenetadd+0x74/0xf0 drivers/infiniband/sw/rxe/rxenet.c:550 rxenewlink+0xde/0x1a0 drivers/infiniband/sw/rxe/rxe.c:212 nldevnewlink+0x5ea/0x680 drivers/infiniband/core/nldev.c:1795 rdmanlrcvskb drivers/infiniband/core/netlink.c:239 [inline] rdmanlrcv+0x6dd/0x9e0 drivers/infiniband/core/netlink.c:259 netlinkunicastkernel net/netlink/afnetlink.c:1313 [inline] netlinkunicast+0x7f6/0x990 net/netlink/afnetlink.c:1339 netlinksendmsg+0x8de/0xcb0 net/netlink/afnetlink.c:1883 socksendmsgnosec net/socket.c:709 [inline] _socksendmsg+0x221/0x270 net/socket.c:724 syssendmsg+0x53a/0x860 net/socket.c:2564 _syssendmsg net/socket.c:2618 [inline] _syssendmsg+0x269/0x350 net/socket.c:2650 dosyscallx64 arch/x86/entry/common.c:52 [inline] dosyscall64+0xf3/0x230 arch/x86/entry/common.c:83 entrySYSCALL64afterhwframe+0x77/0x7f RIP: 0033:0x7f42d1b8d169 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 ... RSP: 002b:00007f42d2960038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f42d1da6320 RCX: 00007f42d1b8d169 RDX: 0000000000000000 RSI: 00004000000002c0 RDI: 000000000000000c RBP: 00007f42d1c0e2a0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f42d1da6320 R15: 00007ffe399344a8 </TASK>

Allocated by task 10025: kasansavestack mm/kasan/common.c:47 [inline] kasansavetrack+0x3f/0x80 mm/kasan/common.c:68 poisonkmallocredzone mm/kasan/common.c:377 [inline] _kasankmalloc+0x98/0xb0 mm/kasan/common.c:394 kasankmalloc include/linux/kasan.h:260 [inline] _dokmallocnode mm/slub.c:4294 [inline] _kmallocnodetrackcallernoprof+0x28b/0x4c0 mm/slub.c:4313 _kmemdupnul mm/util.c:61 [inline] kstrdup+0x42/0x100 mm/util.c:81 kobjectsetnamevargs+0x61/0x120 lib/kobject.c:274 devsetname+0xd5/0x120 drivers/base/core.c:3468 assignname drivers/infiniband/core/device.c:1202 [inline] ibregisterdevice+0x178/0x1460 drivers/infiniband/core/device.c:1384 rxeregisterdevice+0x233/0x350 drivers/infiniband/sw/rxe/rxeverbs.c:1540 rxenetadd+0x74/0xf0 drivers/infiniband/sw/rxe/rxenet.c:550 rxenewlink+0xde/0x1a0 drivers/infiniband/sw/rxe/rxe.c:212 nldevnewlink+0x5ea/0x680 drivers/infiniband/core/nldev.c:1795 rdmanlrcvskb drivers/infiniband/core/netlink.c:239 [inline] rdmanlrcv+0x6dd/0x9e0 drivers/infiniband/core/netlink.c:259 netlinkunicastkernel net/netlink/afnetlink.c:1313 [inline] netlinkunicast+0x7f6/0x990 net/netlink/afnetlink.c:1339 netlinksendmsg+0x8de/0xcb0 net ---truncated---