cve/published/2025/CVE-2025-22085.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.2.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-22085: RDMA/core: Fix use-after-free when rename device name

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 RDMA/core: Fix use-after-free when rename device name

 Syzbot reported a slab-use-after-free with the following call trace:

 ==================================================================
 BUG: KASAN: slab-use-after-free in nla_put+0xd3/0x150 lib/nlattr.c:1099
 Read of size 5 at addr ffff888140ea1c60 by task syz.0.988/10025

 CPU: 0 UID: 0 PID: 10025 Comm: syz.0.988
 Not tainted 6.14.0-rc4-syzkaller-00859-gf77f12010f67 #0
 Hardware name: Google Compute Engine, BIOS Google 02/12/2025
 Call Trace:
  <TASK>
  __dump_stack lib/dump_stack.c:94 [inline]
  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
  print_address_description mm/kasan/report.c:408 [inline]
  print_report+0x16e/0x5b0 mm/kasan/report.c:521
  kasan_report+0x143/0x180 mm/kasan/report.c:634
  kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
  __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105
  nla_put+0xd3/0x150 lib/nlattr.c:1099
  nla_put_string include/net/netlink.h:1621 [inline]
  fill_nldev_handle+0x16e/0x200 drivers/infiniband/core/nldev.c:265
  rdma_nl_notify_event+0x561/0xef0 drivers/infiniband/core/nldev.c:2857
  ib_device_notify_register+0x22/0x230 drivers/infiniband/core/device.c:1344
  ib_register_device+0x1292/0x1460 drivers/infiniband/core/device.c:1460
  rxe_register_device+0x233/0x350 drivers/infiniband/sw/rxe/rxe_verbs.c:1540
  rxe_net_add+0x74/0xf0 drivers/infiniband/sw/rxe/rxe_net.c:550
  rxe_newlink+0xde/0x1a0 drivers/infiniband/sw/rxe/rxe.c:212
  nldev_newlink+0x5ea/0x680 drivers/infiniband/core/nldev.c:1795
  rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline]
  rdma_nl_rcv+0x6dd/0x9e0 drivers/infiniband/core/netlink.c:259
  netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]
  netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1339
  netlink_sendmsg+0x8de/0xcb0 net/netlink/af_netlink.c:1883
  sock_sendmsg_nosec net/socket.c:709 [inline]
  __sock_sendmsg+0x221/0x270 net/socket.c:724
  ____sys_sendmsg+0x53a/0x860 net/socket.c:2564
  ___sys_sendmsg net/socket.c:2618 [inline]
  __sys_sendmsg+0x269/0x350 net/socket.c:2650
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
  entry_SYSCALL_64_after_hwframe+0x77/0x7f
 RIP: 0033:0x7f42d1b8d169
 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 ...
 RSP: 002b:00007f42d2960038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
 RAX: ffffffffffffffda RBX: 00007f42d1da6320 RCX: 00007f42d1b8d169
 RDX: 0000000000000000 RSI: 00004000000002c0 RDI: 000000000000000c
 RBP: 00007f42d1c0e2a0 R08: 0000000000000000 R09: 0000000000000000
 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
 R13: 0000000000000000 R14: 00007f42d1da6320 R15: 00007ffe399344a8
  </TASK>

 Allocated by task 10025:
  kasan_save_stack mm/kasan/common.c:47 [inline]
  kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
  poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
  __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394
  kasan_kmalloc include/linux/kasan.h:260 [inline]
  __do_kmalloc_node mm/slub.c:4294 [inline]
  __kmalloc_node_track_caller_noprof+0x28b/0x4c0 mm/slub.c:4313
  __kmemdup_nul mm/util.c:61 [inline]
  kstrdup+0x42/0x100 mm/util.c:81
  kobject_set_name_vargs+0x61/0x120 lib/kobject.c:274
  dev_set_name+0xd5/0x120 drivers/base/core.c:3468
  assign_name drivers/infiniband/core/device.c:1202 [inline]
  ib_register_device+0x178/0x1460 drivers/infiniband/core/device.c:1384
  rxe_register_device+0x233/0x350 drivers/infiniband/sw/rxe/rxe_verbs.c:1540
  rxe_net_add+0x74/0xf0 drivers/infiniband/sw/rxe/rxe_net.c:550
  rxe_newlink+0xde/0x1a0 drivers/infiniband/sw/rxe/rxe.c:212
  nldev_newlink+0x5ea/0x680 drivers/infiniband/core/nldev.c:1795
  rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline]
  rdma_nl_rcv+0x6dd/0x9e0 drivers/infiniband/core/netlink.c:259
  netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]
  netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1339
  netlink_sendmsg+0x8de/0xcb0 net/netlink/af_netlink.c:1883
  sock_sendmsg_nosec net/socket.c:709 [inline]
  __sock_sendmsg+0x221/0x270 net/socket.c:724
  ____sys_sendmsg+0x53a/0x860 net/socket.c:2564
  ___sys_sendmsg net/socket.c:2618 [inline]
  __sys_sendmsg+0x269/0x350 net/socket.c:2650
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
  entry_SYSCALL_64_after_hwframe+0x77/0x7f

 Freed by task 10035:
  kasan_save_stack mm/kasan/common.c:47 [inline]
  kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
  kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:576
  poison_slab_object mm/kasan/common.c:247 [inline]
  __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
  kasan_slab_free include/linux/kasan.h:233 [inline]
  slab_free_hook mm/slub.c:2353 [inline]
  slab_free mm/slub.c:4609 [inline]
  kfree+0x196/0x430 mm/slub.c:4757
  kobject_rename+0x38f/0x410 lib/kobject.c:524
  device_rename+0x16a/0x200 drivers/base/core.c:4525
  ib_device_rename+0x270/0x710 drivers/infiniband/core/device.c:402
  nldev_set_doit+0x30e/0x4c0 drivers/infiniband/core/nldev.c:1146
  rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline]
  rdma_nl_rcv+0x6dd/0x9e0 drivers/infiniband/core/netlink.c:259
  netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]
  netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1339
  netlink_sendmsg+0x8de/0xcb0 net/netlink/af_netlink.c:1883
  sock_sendmsg_nosec net/socket.c:709 [inline]
  __sock_sendmsg+0x221/0x270 net/socket.c:724
  ____sys_sendmsg+0x53a/0x860 net/socket.c:2564
  ___sys_sendmsg net/socket.c:2618 [inline]
  __sys_sendmsg+0x269/0x350 net/socket.c:2650
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
  entry_SYSCALL_64_after_hwframe+0x77/0x7f

 This is because if rename device happens, the old name is freed in
 ib_device_rename() with lock, but ib_device_notify_register() may visit
 the dev name locklessly by event RDMA_REGISTER_EVENT or
 RDMA_NETDEV_ATTACH_EVENT.

 Fix this by hold devices_rwsem in ib_device_notify_register().

 The Linux kernel CVE team has assigned CVE-2025-22085 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.12 with commit 9cbed5aab5aeea420d0aa945733bf608449d44fb and fixed in 6.12.23 with commit 0d6460b9d2a3ee380940bdf47680751ef91cb88e
 	Issue introduced in 6.12 with commit 9cbed5aab5aeea420d0aa945733bf608449d44fb and fixed in 6.13.11 with commit 56ec8580be5174b2b9774066e60f1aad56d201db
 	Issue introduced in 6.12 with commit 9cbed5aab5aeea420d0aa945733bf608449d44fb and fixed in 6.14.2 with commit edf6b543e81ba68c6dbac2499ab362098a5a9716
 	Issue introduced in 6.12 with commit 9cbed5aab5aeea420d0aa945733bf608449d44fb and fixed in 6.15 with commit 1d6a9e7449e2a0c1e2934eee7880ba8bd1e464cd

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-22085
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/infiniband/core/device.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/0d6460b9d2a3ee380940bdf47680751ef91cb88e
 	https://git.kernel.org/stable/c/56ec8580be5174b2b9774066e60f1aad56d201db
 	https://git.kernel.org/stable/c/edf6b543e81ba68c6dbac2499ab362098a5a9716
 	https://git.kernel.org/stable/c/1d6a9e7449e2a0c1e2934eee7880ba8bd1e464cd
	From bippy-1.2.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-22085: RDMA/core: Fix use-after-free when rename device name

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	RDMA/core: Fix use-after-free when rename device name

	Syzbot reported a slab-use-after-free with the following call trace:

	==================================================================
	BUG: KASAN: slab-use-after-free in nla_put+0xd3/0x150 lib/nlattr.c:1099
	Read of size 5 at addr ffff888140ea1c60 by task syz.0.988/10025

	CPU: 0 UID: 0 PID: 10025 Comm: syz.0.988
	Not tainted 6.14.0-rc4-syzkaller-00859-gf77f12010f67 #0
	Hardware name: Google Compute Engine, BIOS Google 02/12/2025
	Call Trace:
	<TASK>
	__dump_stack lib/dump_stack.c:94 [inline]
	dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
	print_address_description mm/kasan/report.c:408 [inline]
	print_report+0x16e/0x5b0 mm/kasan/report.c:521
	kasan_report+0x143/0x180 mm/kasan/report.c:634
	kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
	__asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105
	nla_put+0xd3/0x150 lib/nlattr.c:1099
	nla_put_string include/net/netlink.h:1621 [inline]
	fill_nldev_handle+0x16e/0x200 drivers/infiniband/core/nldev.c:265
	rdma_nl_notify_event+0x561/0xef0 drivers/infiniband/core/nldev.c:2857
	ib_device_notify_register+0x22/0x230 drivers/infiniband/core/device.c:1344
	ib_register_device+0x1292/0x1460 drivers/infiniband/core/device.c:1460
	rxe_register_device+0x233/0x350 drivers/infiniband/sw/rxe/rxe_verbs.c:1540
	rxe_net_add+0x74/0xf0 drivers/infiniband/sw/rxe/rxe_net.c:550
	rxe_newlink+0xde/0x1a0 drivers/infiniband/sw/rxe/rxe.c:212
	nldev_newlink+0x5ea/0x680 drivers/infiniband/core/nldev.c:1795
	rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline]
	rdma_nl_rcv+0x6dd/0x9e0 drivers/infiniband/core/netlink.c:259
	netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]
	netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1339
	netlink_sendmsg+0x8de/0xcb0 net/netlink/af_netlink.c:1883
	sock_sendmsg_nosec net/socket.c:709 [inline]
	__sock_sendmsg+0x221/0x270 net/socket.c:724
	____sys_sendmsg+0x53a/0x860 net/socket.c:2564
	___sys_sendmsg net/socket.c:2618 [inline]
	__sys_sendmsg+0x269/0x350 net/socket.c:2650
	do_syscall_x64 arch/x86/entry/common.c:52 [inline]
	do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
	entry_SYSCALL_64_after_hwframe+0x77/0x7f
	RIP: 0033:0x7f42d1b8d169
	Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 ...
	RSP: 002b:00007f42d2960038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
	RAX: ffffffffffffffda RBX: 00007f42d1da6320 RCX: 00007f42d1b8d169
	RDX: 0000000000000000 RSI: 00004000000002c0 RDI: 000000000000000c
	RBP: 00007f42d1c0e2a0 R08: 0000000000000000 R09: 0000000000000000
	R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
	R13: 0000000000000000 R14: 00007f42d1da6320 R15: 00007ffe399344a8
	</TASK>

	Allocated by task 10025:
	kasan_save_stack mm/kasan/common.c:47 [inline]
	kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
	poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
	__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394
	kasan_kmalloc include/linux/kasan.h:260 [inline]
	__do_kmalloc_node mm/slub.c:4294 [inline]
	__kmalloc_node_track_caller_noprof+0x28b/0x4c0 mm/slub.c:4313
	__kmemdup_nul mm/util.c:61 [inline]
	kstrdup+0x42/0x100 mm/util.c:81
	kobject_set_name_vargs+0x61/0x120 lib/kobject.c:274
	dev_set_name+0xd5/0x120 drivers/base/core.c:3468
	assign_name drivers/infiniband/core/device.c:1202 [inline]
	ib_register_device+0x178/0x1460 drivers/infiniband/core/device.c:1384
	rxe_register_device+0x233/0x350 drivers/infiniband/sw/rxe/rxe_verbs.c:1540
	rxe_net_add+0x74/0xf0 drivers/infiniband/sw/rxe/rxe_net.c:550
	rxe_newlink+0xde/0x1a0 drivers/infiniband/sw/rxe/rxe.c:212
	nldev_newlink+0x5ea/0x680 drivers/infiniband/core/nldev.c:1795
	rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline]
	rdma_nl_rcv+0x6dd/0x9e0 drivers/infiniband/core/netlink.c:259
	netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]
	netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1339
	netlink_sendmsg+0x8de/0xcb0 net/netlink/af_netlink.c:1883
	sock_sendmsg_nosec net/socket.c:709 [inline]
	__sock_sendmsg+0x221/0x270 net/socket.c:724
	____sys_sendmsg+0x53a/0x860 net/socket.c:2564
	___sys_sendmsg net/socket.c:2618 [inline]
	__sys_sendmsg+0x269/0x350 net/socket.c:2650
	do_syscall_x64 arch/x86/entry/common.c:52 [inline]
	do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
	entry_SYSCALL_64_after_hwframe+0x77/0x7f

	Freed by task 10035:
	kasan_save_stack mm/kasan/common.c:47 [inline]
	kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
	kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:576
	poison_slab_object mm/kasan/common.c:247 [inline]
	__kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
	kasan_slab_free include/linux/kasan.h:233 [inline]
	slab_free_hook mm/slub.c:2353 [inline]
	slab_free mm/slub.c:4609 [inline]
	kfree+0x196/0x430 mm/slub.c:4757
	kobject_rename+0x38f/0x410 lib/kobject.c:524
	device_rename+0x16a/0x200 drivers/base/core.c:4525
	ib_device_rename+0x270/0x710 drivers/infiniband/core/device.c:402
	nldev_set_doit+0x30e/0x4c0 drivers/infiniband/core/nldev.c:1146
	rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline]
	rdma_nl_rcv+0x6dd/0x9e0 drivers/infiniband/core/netlink.c:259
	netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]
	netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1339
	netlink_sendmsg+0x8de/0xcb0 net/netlink/af_netlink.c:1883
	sock_sendmsg_nosec net/socket.c:709 [inline]
	__sock_sendmsg+0x221/0x270 net/socket.c:724
	____sys_sendmsg+0x53a/0x860 net/socket.c:2564
	___sys_sendmsg net/socket.c:2618 [inline]
	__sys_sendmsg+0x269/0x350 net/socket.c:2650
	do_syscall_x64 arch/x86/entry/common.c:52 [inline]
	do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
	entry_SYSCALL_64_after_hwframe+0x77/0x7f

	This is because if rename device happens, the old name is freed in
	ib_device_rename() with lock, but ib_device_notify_register() may visit
	the dev name locklessly by event RDMA_REGISTER_EVENT or
	RDMA_NETDEV_ATTACH_EVENT.

	Fix this by hold devices_rwsem in ib_device_notify_register().

	The Linux kernel CVE team has assigned CVE-2025-22085 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.12 with commit 9cbed5aab5aeea420d0aa945733bf608449d44fb and fixed in 6.12.23 with commit 0d6460b9d2a3ee380940bdf47680751ef91cb88e
	Issue introduced in 6.12 with commit 9cbed5aab5aeea420d0aa945733bf608449d44fb and fixed in 6.13.11 with commit 56ec8580be5174b2b9774066e60f1aad56d201db
	Issue introduced in 6.12 with commit 9cbed5aab5aeea420d0aa945733bf608449d44fb and fixed in 6.14.2 with commit edf6b543e81ba68c6dbac2499ab362098a5a9716
	Issue introduced in 6.12 with commit 9cbed5aab5aeea420d0aa945733bf608449d44fb and fixed in 6.15 with commit 1d6a9e7449e2a0c1e2934eee7880ba8bd1e464cd

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-22085
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/infiniband/core/device.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/0d6460b9d2a3ee380940bdf47680751ef91cb88e
	https://git.kernel.org/stable/c/56ec8580be5174b2b9774066e60f1aad56d201db
	https://git.kernel.org/stable/c/edf6b543e81ba68c6dbac2499ab362098a5a9716
	https://git.kernel.org/stable/c/1d6a9e7449e2a0c1e2934eee7880ba8bd1e464cd