CVE-2025-68801

Source
https://cve.org/CVERecord?id=CVE-2025-68801
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-68801.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-68801
Downstream
Related
Published
2026-01-13T15:29:10.349Z
Modified
2026-03-12T04:31:57.248695Z
Summary
mlxsw: spectrum_router: Fix neighbour use-after-free
Details

In the Linux kernel, the following vulnerability has been resolved:

mlxsw: spectrum_router: Fix neighbour use-after-free

We sometimes observe use-after-free when dereferencing a neighbour [1]. The problem seems to be that the driver stores a pointer to the neighbour, but without holding a reference on it. A reference is only taken when the neighbour is used by a nexthop.

Fix by simplifying the reference counting scheme. Always take a reference when storing a neighbour pointer in a neighbour entry. Avoid taking a reference when the neighbour is used by a nexthop, as the neighbour entry associated with the nexthop already holds a reference.

Tested by running the test that uncovered the problem over 300 times. Without this patch the problem was reproduced after a handful of iterations.

[1]
BUG: KASAN: slab-use-after-free in mlxsw_sp_neigh_entry_update+0x2d4/0x310
Read of size 8 at addr ffff88817f8e3420 by task ip/3929

CPU: 3 UID: 0 PID: 3929 Comm: ip Not tainted 6.18.0-rc4-virtme-g36b21a067510 #3 PREEMPT(full)
Hardware name: Nvidia SN5600/VMOD0013, BIOS 5.13 05/31/2023
Call Trace:
<TASK>
dump_stack_lvl+0x6f/0xa0
print_address_description.constprop.0+0x6e/0x300
print_report+0xfc/0x1fb
kasan_report+0xe4/0x110
mlxsw_sp_neigh_entry_update+0x2d4/0x310
mlxsw_sp_router_rif_gone_sync+0x35f/0x510
mlxsw_sp_rif_destroy+0x1ea/0x730
mlxsw_sp_inetaddr_port_vlan_event+0xa1/0x1b0
__mlxsw_sp_inetaddr_lag_event+0xcc/0x130
__mlxsw_sp_inetaddr_event+0xf5/0x3c0
mlxsw_sp_router_netdevice_event+0x1015/0x1580
notifier_call_chain+0xcc/0x150
call_netdevice_notifiers_info+0x7e/0x100
__netdev_upper_dev_unlink+0x10b/0x210
netdev_upper_dev_unlink+0x79/0xa0
vrf_del_slave+0x18/0x50
do_set_master+0x146/0x7d0
do_setlink.isra.0+0x9a0/0x2880
rtnl_newlink+0x637/0xb20
rtnetlink_rcv_msg+0x6fe/0xb90
netlink_rcv_skb+0x123/0x380
netlink_unicast+0x4a3/0x770
netlink_sendmsg+0x75b/0xc90
__sock_sendmsg+0xbe/0x160
____sys_sendmsg+0x5b2/0x7d0
___sys_sendmsg+0xfd/0x180
__sys_sendmsg+0x124/0x1c0
do_syscall_64+0xbb/0xfd0
entry_SYSCALL_64_after_hwframe+0x4b/0x53
[...]

Allocated by task 109:
kasan_save_stack+0x30/0x50
kasan_save_track+0x14/0x30
__kasan_kmalloc+0x7b/0x90
__kmalloc_noprof+0x2c1/0x790
neigh_alloc+0x6af/0x8f0
__neigh_create+0x63/0xe90
mlxsw_sp_nexthop_neigh_init+0x430/0x7e0
mlxsw_sp_nexthop_type_init+0x212/0x960
mlxsw_sp_nexthop6_group_info_init.constprop.0+0x81f/0x1280
mlxsw_sp_nexthop6_group_get+0x392/0x6a0
mlxsw_sp_fib6_entry_create+0x46a/0xfd0
mlxsw_sp_router_fib6_replace+0x1ed/0x5f0
mlxsw_sp_router_fib6_event_work+0x10a/0x2a0
process_one_work+0xd57/0x1390
worker_thread+0x4d6/0xd40
kthread+0x355/0x5b0
ret_from_fork+0x1d4/0x270
ret_from_fork_asm+0x11/0x20

Freed by task 154:
kasan_save_stack+0x30/0x50
kasan_save_track+0x14/0x30
__kasan_save_free_info+0x3b/0x60
__kasan_slab_free+0x43/0x70
kmem_cache_free_bulk.part.0+0x1eb/0x5e0
kvfree_rcu_bulk+0x1f2/0x260
kfree_rcu_work+0x130/0x1b0
process_one_work+0xd57/0x1390
worker_thread+0x4d6/0xd40
kthread+0x355/0x5b0
ret_from_fork+0x1d4/0x270
ret_from_fork_asm+0x11/0x20

Last potentially related work creation:
kasan_save_stack+0x30/0x50
kasan_record_aux_stack+0x8c/0xa0
kvfree_call_rcu+0x93/0x5b0
mlxsw_sp_router_neigh_event_work+0x67d/0x860
process_one_work+0xd57/0x1390
worker_thread+0x4d6/0xd40
kthread+0x355/0x5b0
ret_from_fork+0x1d4/0x270
ret_from_fork_asm+0x11/0x20

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68801.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
6cf3c971dc84cb36579515ddb488919b9e9fb6de
Fixed
a2dfe6758fc63e542105bee8b17a3a7485684db0
Fixed
9e0a0d9eeb0dbeba2c83fa837885b19b8b9230fc
Fixed
c437fbfd4382412598cdda1f8e2881b523668cc2
Fixed
4a3c569005f42ab5e5b2ad637132a33bf102cc08
Fixed
ed8141b206bdcfd5d0b92c90832eeb77b7a60a0a
Fixed
675c5aeadf6472672c472dc0f26401e4fcfbf254
Fixed
8b0e69763ef948fb872a7767df4be665d18f5fd4

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-68801.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.8.0
Fixed
5.10.248
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.198
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.160
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.120
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.64
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.3

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-68801.json"