CVE-2025-38129 in Linuxinformação

Sumário

de VulDB • 29/05/2026

No kernel do Linux, a seguinte vulnerabilidade foi resolvida:

page_pool: Corrige use-after-free em page_pool_recycle_in_ring

O syzbot relatou um use-after-free (uaf) em page_pool_recycle_in_ring:

BUG: KASAN: slab-use-after-free em lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862 Leitura de tamanho 8 no endereço ffff8880286045a0 pela tarefa syz.0.284/6943

CPU: 0 UID: 0 PID: 6943 Comm: syz.0.284 Não contaminado 6.13.0-rc3-syzkaller-gdfa94ce54f41 #0 Nome do hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Rastreamento de chamada: <TASK> __dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline]
print_report+0x169/0x550 mm/kasan/report.c:489 kasan_report+0x143/0x180 mm/kasan/report.c:602 lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862 __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:165 [inline]
_raw_spin_unlock_bh+0x1b/0x40 kernel/locking/spinlock.c:210 spin_unlock_bh include/linux/spinlock.h:396 [inline]
ptr_ring_produce_bh include/linux/ptr_ring.h:164 [inline]
page_pool_recycle_in_ring net/core/page_pool.c:707 [inline]
page_pool_put_unrefed_netmem+0x748/0xb00 net/core/page_pool.c:826 page_pool_put_netmem include/net/page_pool/helpers.h:323 [inline]
page_pool_put_full_netmem include/net/page_pool/helpers.h:353 [inline]
napi_pp_put_page+0x149/0x2b0 net/core/skbuff.c:1036 skb_pp_recycle net/core/skbuff.c:1047 [inline]
skb_free_head net/core/skbuff.c:1094 [inline]
skb_release_data+0x6c4/0x8a0 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline]
__kfree_skb net/core/skbuff.c:1204 [inline]
sk_skb_reason_drop+0x1c9/0x380 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1263 [inline]
__skb_queue_purge_reason include/linux/skbuff.h:3343 [inline]

A causa raiz é:

page_pool_recycle_in_ring ptr_ring_produce spin_lock(&r->producer_lock); WRITE_ONCE(r->queue[r->producer++], ptr)
// recicla a última página para o pool page_pool_release page_pool_scrub page_pool_empty_ring ptr_ring_consume page_pool_return_page // libera todas as páginas __page_pool_destroy free_percpu(pool->recycle_stats); free(pool) // libera

spin_unlock(&r->producer_lock); // pool->ring uaf read recycle_stat_inc(pool, ring);

page_pool pode ser liberado enquanto o page pool está reciclando a última página no ring. Adicionar barreira de producer-lock em page_pool_release para impedir que o page pool seja liberado antes que todas as páginas tenham sido recicladas.

recycle_stat_inc() é vazio quando CONFIG_PAGE_POOL_STATS não está habilitado, o que aciona o aviso de build Wempty-body. Adicionar definição para a macro de estatísticas do pool para corrigir o aviso.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Responsável

Linux

Reservar

16/04/2025

Divulgação

03/07/2025

Moderação

aceite

Entrada

VDB-314674

CPE

pronto

EPSS

0.00161

KEV

não

Atividades

muito baixo

Fontes

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!