CVE-2025-38129

BUG: KASAN: slab-use-after-free in lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862 Read of size 8 at addr ffff8880286045a0 by task syz.0.284/6943

CPU: 0 UID: 0 PID: 6943 Comm: syz.0.284 Not tainted 6.13.0-rc3-syzkaller-gdfa94ce54f41 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: <TASK> __dumpstack lib/dumpstack.c:94 [inline] dumpstacklvl+0x241/0x360 lib/dumpstack.c:120 printaddressdescription mm/kasan/report.c:378 [inline] printreport+0x169/0x550 mm/kasan/report.c:489 kasanreport+0x143/0x180 mm/kasan/report.c:602 lockrelease+0x151/0xa30 kernel/locking/lockdep.c:5862 __rawspinunlockbh include/linux/spinlockapismp.h:165 [inline] rawspinunlockbh+0x1b/0x40 kernel/locking/spinlock.c:210 spinunlockbh include/linux/spinlock.h:396 [inline] ptrringproducebh include/linux/ptrring.h:164 [inline] pagepoolrecycleinring net/core/pagepool.c:707 [inline] pagepoolputunrefednetmem+0x748/0xb00 net/core/pagepool.c:826 pagepoolputnetmem include/net/pagepool/helpers.h:323 [inline] pagepoolputfullnetmem include/net/pagepool/helpers.h:353 [inline] napippputpage+0x149/0x2b0 net/core/skbuff.c:1036 skbpprecycle net/core/skbuff.c:1047 [inline] skbfreehead net/core/skbuff.c:1094 [inline] skbreleasedata+0x6c4/0x8a0 net/core/skbuff.c:1125 skbrelease_all net/core/skbuff.c:1190 [inline] __kfreeskb net/core/skbuff.c:1204 [inline] skskbreasondrop+0x1c9/0x380 net/core/skbuff.c:1242 kfreeskbreason include/linux/skbuff.h:1263 [inline] _skbqueuepurgereason include/linux/skbuff.h:3343 [inline]

root cause is:

pagepoolrecycleinring ptrringproduce spinlock(&r->producerlock); WRITEONCE(r->queue[r->producer++], ptr) //recycle last page to pool pagepoolrelease pagepoolscrub pagepoolemptyring ptrringconsume pagepoolreturn_page //release all page __pagepooldestroy freepercpu(pool->recyclestats); free(pool) //free

 spin_unlock(&r->producer_lock); //pool->ring uaf read

recyclestatinc(pool, ring);

pagepool can be free while page pool recycle the last page in ring. Add producer-lock barrier to pagepool_release to prevent the page pool from being free before all pages have been recycled.

recyclestatinc() is empty when CONFIGPAGEPOOL_STATS is not enabled, which will trigger Wempty-body build warning. Add definition for pool stat macro to fix warning.

Database specific

{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38129.json"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

ff7d6b27f894f1469dc51ccb828b7363ccd9799f

Fixed

c2c906142293931e33ef4be79ebc36c25c4e21dd

Fixed

d69f28ef7cdafdcf37ee310f38b1399e7d05f9a8

Fixed

1a8c0b61d4cb55c5440583ec9e7f86a730369e32

Fixed

4914c0a166540e534a0c1d43affd329d95fb56fd

Fixed

e869a85acc2e60dc554579b910826a4919d8cd98

Fixed

4ab8c0f8905c9c4d05e7f437e65a9a365573ff02

Fixed

271683bb2cf32e5126c592b5d5e6a756fa374fd9

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38129.json"

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.18.0

Fixed

5.10.259

Type: ECOSYSTEM
Events: Introduced

5.11.0

Fixed

5.15.198

Type: ECOSYSTEM
Events: Introduced

5.16.0

Fixed

6.1.160

Type: ECOSYSTEM
Events: Introduced

6.2.0

Fixed

6.6.120

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.12.34

Type: ECOSYSTEM
Events: Introduced

6.13.0

Fixed

6.15.3

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38129.json"