CVE-2025-38129

Source
https://cve.org/CVERecord?id=CVE-2025-38129
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38129.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-38129
Published
2025-07-03T08:35:33.728Z
Modified
2026-03-20T12:42:41.402372Z
Summary
page_pool: Fix use-after-free in page_pool_recycle_in_ring
Details

In the Linux kernel, the following vulnerability has been resolved:

page_pool: Fix use-after-free in page_pool_recycle_in_ring

syzbot reported a uaf in page_pool_recycle_in_ring:

BUG: KASAN: slab-use-after-free in lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862
Read of size 8 at addr ffff8880286045a0 by task syz.0.284/6943

CPU: 0 UID: 0 PID: 6943 Comm: syz.0.284 Not tainted 6.13.0-rc3-syzkaller-gdfa94ce54f41 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:489
 kasan_report+0x143/0x180 mm/kasan/report.c:602
 lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862
 __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:165 [inline]
 _raw_spin_unlock_bh+0x1b/0x40 kernel/locking/spinlock.c:210
 spin_unlock_bh include/linux/spinlock.h:396 [inline]
 ptr_ring_produce_bh include/linux/ptr_ring.h:164 [inline]
 page_pool_recycle_in_ring net/core/page_pool.c:707 [inline]
 page_pool_put_unrefed_netmem+0x748/0xb00 net/core/page_pool.c:826
 page_pool_put_netmem include/net/page_pool/helpers.h:323 [inline]
 page_pool_put_full_netmem include/net/page_pool/helpers.h:353 [inline]
 napi_pp_put_page+0x149/0x2b0 net/core/skbuff.c:1036
 skb_pp_recycle net/core/skbuff.c:1047 [inline]
 skb_free_head net/core/skbuff.c:1094 [inline]
 skb_release_data+0x6c4/0x8a0 net/core/skbuff.c:1125
 skb_release_all net/core/skbuff.c:1190 [inline]
 __kfree_skb net/core/skbuff.c:1204 [inline]
 sk_skb_reason_drop+0x1c9/0x380 net/core/skbuff.c:1242
 kfree_skb_reason include/linux/skbuff.h:1263 [inline]
 __skb_queue_purge_reason include/linux/skbuff.h:3343 [inline]

root cause is:

page_pool_recycle_in_ring
  ptr_ring_produce
    spin_lock(&r->producer_lock);
    WRITE_ONCE(r->queue[r->producer++], ptr)
      //recycle last page to pool
                                page_pool_release
                                  page_pool_scrub
                                    page_pool_empty_ring
                                      ptr_ring_consume
                                      page_pool_return_page //release all page
                                  __page_pool_destroy
                                     free_percpu(pool->recycle_stats);
                                     free(pool) //free

    spin_unlock(&r->producer_lock); //pool->ring uaf read
  recycle_stat_inc(pool, ring);

page_pool can be freed while the page pool recycles the last page in the ring. Add a producer-lock barrier to page_pool_release to prevent the page pool from being freed before all pages have been recycled.

recycle_stat_inc() is empty when CONFIG_PAGE_POOL_STATS is not enabled, which triggers a Wempty-body build warning. Add a definition for the pool stat macro to fix the warning.
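
A userspace model of the interleaving in the root-cause diagram, added here as an illustration; it is not kernel code and not part of the fix commit. The names `pool_model`, `recycle_in_ring`, `release_pool` and `run_model` are hypothetical, C11 threads stand in for the two kernel contexts, and "free" is only a flag, so nothing is actually freed. It shows the release path destroying the pool while the producer is still inside the producer lock, and the lock/unlock barrier described above closing that window.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <threads.h>             /* C11 threads; also pulls in struct timespec */
struct pool_model {              /* hypothetical stand-in for struct page_pool */
    mtx_t producer_lock;         /* models r->producer_lock */
    atomic_bool last_page_queued, destroyed; /* destroyed models free(pool) */
    bool use_barrier;            /* true = release path with the fix */
    bool stale_unlock;           /* producer still held the lock at "free" */
};
static void nap(void) { thrd_sleep(&(struct timespec){ .tv_nsec = 1000000 }, NULL); }

/* Models page_pool_recycle_in_ring(): queue the last page, then unlock. */
static int recycle_in_ring(void *arg)
{
    struct pool_model *p = arg;
    mtx_lock(&p->producer_lock);
    atomic_store(&p->last_page_queued, true);   /* WRITE_ONCE(r->queue[...], ptr) */
    for (int i = 0; i < 200 && !atomic_load(&p->destroyed); i++)
        nap();                   /* keep the store-to-unlock window open, max ~200 ms */
    p->stale_unlock = atomic_load(&p->destroyed); /* unlock would read freed memory */
    mtx_unlock(&p->producer_lock);
    return 0;
}

/* Models page_pool_release(): the ring is drained, then the pool is destroyed. */
static int release_pool(void *arg)
{
    struct pool_model *p = arg;
    while (!atomic_load(&p->last_page_queued))  /* last page has been recycled */
        nap();
    if (p->use_barrier) {        /* the fix: wait until producers left the lock */
        mtx_lock(&p->producer_lock);
        mtx_unlock(&p->producer_lock);
    }
    atomic_store(&p->destroyed, true);          /* __page_pool_destroy() */
    return 0;
}
/* Returns true if the pool was destroyed while the producer held the lock. */
bool run_model(bool use_barrier)
{
    struct pool_model p = { .use_barrier = use_barrier };
    thrd_t producer, releaser;
    mtx_init(&p.producer_lock, mtx_plain);
    thrd_create(&producer, recycle_in_ring, &p);
    thrd_create(&releaser, release_pool, &p);
    thrd_join(producer, NULL);
    thrd_join(releaser, NULL);
    return p.stale_unlock;
}
int main(void) { return !(run_model(false) && !run_model(true)); }
```

The program exits 0 when the unpatched ordering reaches the unlock after the pool is marked destroyed and the barrier ordering does not.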

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38129.json"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
ff7d6b27f894f1469dc51ccb828b7363ccd9799f
Fixed
d69f28ef7cdafdcf37ee310f38b1399e7d05f9a8
Fixed
1a8c0b61d4cb55c5440583ec9e7f86a730369e32
Fixed
4914c0a166540e534a0c1d43affd329d95fb56fd
Fixed
e869a85acc2e60dc554579b910826a4919d8cd98
Fixed
4ab8c0f8905c9c4d05e7f437e65a9a365573ff02
Fixed
271683bb2cf32e5126c592b5d5e6a756fa374fd9

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38129.json"