CVE-2025-38129 Information
Description
In the Linux kernel the following vulnerability has been resolved:
page_pool: Fix use-after-free in page_pool_recycle_in_ring
syzbot reported a uaf in page_pool_recycle_in_ring:
BUG: KASAN: slab-use-after-free in lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862 Read of size 8 at addr ffff8880286045a0 by task syz.0.284/6943
CPU: 0 UID: 0 PID: 6943 Comm: syz.0.284 Not tainted 6.13.0-rc3-syzkaller-gdfa94ce54f41 0
Hardware name: Google Google Compute Engine/Google Compute Engine BIOS Google 09/13/2024
Call Trace:
root cause is:
page_pool_recycle_in_ring ptr_ring_produce spin_lock(&r->producer_lock); WRITE_ONCE(r->queue[r->producer++] ptr) //recycle last page to pool page_pool_release page_pool_scrub page_pool_empty_ring ptr_ring_consume page_pool_return_page //release all page __page_pool_destroy free_percpu(pool->recycle_stats); free(pool) //free
spin_unlock(&r->producer_lock); //pool->ring uaf read
recycle_stat_inc(pool ring);
page_pool can be free while page pool recycle the last page in ring. Add producer-lock barrier to page_pool_release to prevent the page pool from being free before all pages have been recycled.
recycle_stat_inc() is empty when CONFIG_PAGE_POOL_STATS is not enabled which will trigger Wempty-body build warning. Add definition for pool stat macro to fix warning.
Reference
https://git.kernel.org/stable/c/271683bb2cf32e5126c592b5d5e6a756fa374fd9 https://git.kernel.org/stable/c/4ab8c0f8905c9c4d05e7f437e65a9a365573ff02 https://git.kernel.org/stable/c/e869a85acc2e60dc554579b910826a4919d8cd98
Related CNNVD
CNNVD-202507-215 (Published: 2025-07-03)
Share on: