cve/published/2025/CVE-2025-37894.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.2.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-37894: net: use sock_gen_put() when sk_state is TCP_TIME_WAIT

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 net: use sock_gen_put() when sk_state is TCP_TIME_WAIT

 It is possible for a pointer of type struct inet_timewait_sock to be
 returned from the functions __inet_lookup_established() and
 __inet6_lookup_established(). This can cause a crash when the
 returned pointer is of type struct inet_timewait_sock and
 sock_put() is called on it. The following is a crash call stack that
 shows sk->sk_wmem_alloc being accessed in sk_free() during the call to
 sock_put() on a struct inet_timewait_sock pointer. To avoid this issue,
 use sock_gen_put() instead of sock_put() when sk->sk_state
 is TCP_TIME_WAIT.

 mrdump.ko        ipanic() + 120
 vmlinux          notifier_call_chain(nr_to_call=-1, nr_calls=0) + 132
 vmlinux          atomic_notifier_call_chain(val=0) + 56
 vmlinux          panic() + 344
 vmlinux          add_taint() + 164
 vmlinux          end_report() + 136
 vmlinux          kasan_report(size=0) + 236
 vmlinux          report_tag_fault() + 16
 vmlinux          do_tag_recovery() + 16
 vmlinux          __do_kernel_fault() + 88
 vmlinux          do_bad_area() + 28
 vmlinux          do_tag_check_fault() + 60
 vmlinux          do_mem_abort() + 80
 vmlinux          el1_abort() + 56
 vmlinux          el1h_64_sync_handler() + 124
 vmlinux        > 0xFFFFFFC080011294()
 vmlinux          __lse_atomic_fetch_add_release(v=0xF2FFFF82A896087C)
 vmlinux          __lse_atomic_fetch_sub_release(v=0xF2FFFF82A896087C)
 vmlinux          arch_atomic_fetch_sub_release(i=1, v=0xF2FFFF82A896087C)
 + 8
 vmlinux          raw_atomic_fetch_sub_release(i=1, v=0xF2FFFF82A896087C)
 + 8
 vmlinux          atomic_fetch_sub_release(i=1, v=0xF2FFFF82A896087C) + 8
 vmlinux          __refcount_sub_and_test(i=1, r=0xF2FFFF82A896087C,
 oldp=0) + 8
 vmlinux          __refcount_dec_and_test(r=0xF2FFFF82A896087C, oldp=0) + 8
 vmlinux          refcount_dec_and_test(r=0xF2FFFF82A896087C) + 8
 vmlinux          sk_free(sk=0xF2FFFF82A8960700) + 28
 vmlinux          sock_put() + 48
 vmlinux          tcp6_check_fraglist_gro() + 236
 vmlinux          tcp6_gro_receive() + 624
 vmlinux          ipv6_gro_receive() + 912
 vmlinux          dev_gro_receive() + 1116
 vmlinux          napi_gro_receive() + 196
 ccmni.ko         ccmni_rx_callback() + 208
 ccmni.ko         ccmni_queue_recv_skb() + 388
 ccci_dpmaif.ko   dpmaif_rxq_push_thread() + 1088
 vmlinux          kthread() + 268
 vmlinux          0xFFFFFFC08001F30C()

 The Linux kernel CVE team has assigned CVE-2025-37894 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.10 with commit c9d1d23e5239f41700be69133a5769ac5ebc88a8 and fixed in 6.12.28 with commit c0dba059b118b5206e755042b15b49368a388898
 	Issue introduced in 6.10 with commit c9d1d23e5239f41700be69133a5769ac5ebc88a8 and fixed in 6.14.6 with commit 786650e644c5b1c063921799ca203c0b8670d79a
 	Issue introduced in 6.10 with commit c9d1d23e5239f41700be69133a5769ac5ebc88a8 and fixed in 6.15 with commit f920436a44295ca791ebb6dae3f4190142eec703

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-37894
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/ipv4/tcp_offload.c
 	net/ipv6/tcpv6_offload.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/c0dba059b118b5206e755042b15b49368a388898
 	https://git.kernel.org/stable/c/786650e644c5b1c063921799ca203c0b8670d79a
 	https://git.kernel.org/stable/c/f920436a44295ca791ebb6dae3f4190142eec703
	From bippy-1.2.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-37894: net: use sock_gen_put() when sk_state is TCP_TIME_WAIT

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	net: use sock_gen_put() when sk_state is TCP_TIME_WAIT

	It is possible for a pointer of type struct inet_timewait_sock to be
	returned from the functions __inet_lookup_established() and
	__inet6_lookup_established(). This can cause a crash when the
	returned pointer is of type struct inet_timewait_sock and
	sock_put() is called on it. The following is a crash call stack that
	shows sk->sk_wmem_alloc being accessed in sk_free() during the call to
	sock_put() on a struct inet_timewait_sock pointer. To avoid this issue,
	use sock_gen_put() instead of sock_put() when sk->sk_state
	is TCP_TIME_WAIT.

	mrdump.ko ipanic() + 120
	vmlinux notifier_call_chain(nr_to_call=-1, nr_calls=0) + 132
	vmlinux atomic_notifier_call_chain(val=0) + 56
	vmlinux panic() + 344
	vmlinux add_taint() + 164
	vmlinux end_report() + 136
	vmlinux kasan_report(size=0) + 236
	vmlinux report_tag_fault() + 16
	vmlinux do_tag_recovery() + 16
	vmlinux __do_kernel_fault() + 88
	vmlinux do_bad_area() + 28
	vmlinux do_tag_check_fault() + 60
	vmlinux do_mem_abort() + 80
	vmlinux el1_abort() + 56
	vmlinux el1h_64_sync_handler() + 124
	vmlinux > 0xFFFFFFC080011294()
	vmlinux __lse_atomic_fetch_add_release(v=0xF2FFFF82A896087C)
	vmlinux __lse_atomic_fetch_sub_release(v=0xF2FFFF82A896087C)
	vmlinux arch_atomic_fetch_sub_release(i=1, v=0xF2FFFF82A896087C)
	+ 8
	vmlinux raw_atomic_fetch_sub_release(i=1, v=0xF2FFFF82A896087C)
	+ 8
	vmlinux atomic_fetch_sub_release(i=1, v=0xF2FFFF82A896087C) + 8
	vmlinux __refcount_sub_and_test(i=1, r=0xF2FFFF82A896087C,
	oldp=0) + 8
	vmlinux __refcount_dec_and_test(r=0xF2FFFF82A896087C, oldp=0) + 8
	vmlinux refcount_dec_and_test(r=0xF2FFFF82A896087C) + 8
	vmlinux sk_free(sk=0xF2FFFF82A8960700) + 28
	vmlinux sock_put() + 48
	vmlinux tcp6_check_fraglist_gro() + 236
	vmlinux tcp6_gro_receive() + 624
	vmlinux ipv6_gro_receive() + 912
	vmlinux dev_gro_receive() + 1116
	vmlinux napi_gro_receive() + 196
	ccmni.ko ccmni_rx_callback() + 208
	ccmni.ko ccmni_queue_recv_skb() + 388
	ccci_dpmaif.ko dpmaif_rxq_push_thread() + 1088
	vmlinux kthread() + 268
	vmlinux 0xFFFFFFC08001F30C()

	The Linux kernel CVE team has assigned CVE-2025-37894 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.10 with commit c9d1d23e5239f41700be69133a5769ac5ebc88a8 and fixed in 6.12.28 with commit c0dba059b118b5206e755042b15b49368a388898
	Issue introduced in 6.10 with commit c9d1d23e5239f41700be69133a5769ac5ebc88a8 and fixed in 6.14.6 with commit 786650e644c5b1c063921799ca203c0b8670d79a
	Issue introduced in 6.10 with commit c9d1d23e5239f41700be69133a5769ac5ebc88a8 and fixed in 6.15 with commit f920436a44295ca791ebb6dae3f4190142eec703

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-37894
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/ipv4/tcp_offload.c
	net/ipv6/tcpv6_offload.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/c0dba059b118b5206e755042b15b49368a388898
	https://git.kernel.org/stable/c/786650e644c5b1c063921799ca203c0b8670d79a
	https://git.kernel.org/stable/c/f920436a44295ca791ebb6dae3f4190142eec703