CVE-2025-38106
Severity CVSS v4.0: Pending analysis
Type: CWE-416 (Use After Free)
Publication date: 03/07/2025
Last modified: 20/11/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

io_uring: fix use-after-free of sq->thread in __io_uring_show_fdinfo()

syzbot reports:

```text
BUG: KASAN: slab-use-after-free in getrusage+0x1109/0x1a60
Read of size 8 at addr ffff88810de2d2c8 by task a.out/304

CPU: 0 UID: 0 PID: 304 Comm: a.out Not tainted 6.16.0-rc1 #1 PREEMPT(voluntary)
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:

dump_stack_lvl+0x53/0x70
print_report+0xd0/0x670
? __pfx__raw_spin_lock_irqsave+0x10/0x10
? getrusage+0x1109/0x1a60
kasan_report+0xce/0x100
? getrusage+0x1109/0x1a60
getrusage+0x1109/0x1a60
? __pfx_getrusage+0x10/0x10
__io_uring_show_fdinfo+0x9fe/0x1790
? ksys_read+0xf7/0x1c0
? do_syscall_64+0xa4/0x260
? vsnprintf+0x591/0x1100
? __pfx___io_uring_show_fdinfo+0x10/0x10
? __pfx_vsnprintf+0x10/0x10
? mutex_trylock+0xcf/0x130
? __pfx_mutex_trylock+0x10/0x10
? __pfx_show_fd_locks+0x10/0x10
? io_uring_show_fdinfo+0x57/0x80
io_uring_show_fdinfo+0x57/0x80
seq_show+0x38c/0x690
seq_read_iter+0x3f7/0x1180
? inode_set_ctime_current+0x160/0x4b0
seq_read+0x271/0x3e0
? __pfx_seq_read+0x10/0x10
? __pfx__raw_spin_lock+0x10/0x10
? __mark_inode_dirty+0x402/0x810
? selinux_file_permission+0x368/0x500
? file_update_time+0x10f/0x160
vfs_read+0x177/0xa40
? __pfx___handle_mm_fault+0x10/0x10
? __pfx_vfs_read+0x10/0x10
? mutex_lock+0x81/0xe0
? __pfx_mutex_lock+0x10/0x10
? fdget_pos+0x24d/0x4b0
ksys_read+0xf7/0x1c0
? __pfx_ksys_read+0x10/0x10
? do_user_addr_fault+0x43b/0x9c0
do_syscall_64+0xa4/0x260
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f0f74170fc9
Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d 01 f0 ff ff 73 01 c3 48 8b 8
RSP: 002b:00007fffece049e8 EFLAGS: 00000206 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f0f74170fc9
RDX: 0000000000001000 RSI: 00007fffece049f0 RDI: 0000000000000004
RBP: 00007fffece05ad0 R08: 0000000000000000 R09: 00007fffece04d90
R10: 0000000000000000 R11: 0000000000000206 R12: 00005651720a1100
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 298:
kasan_save_stack+0x33/0x60
kasan_save_track+0x14/0x30
__kasan_slab_alloc+0x6e/0x70
kmem_cache_alloc_node_noprof+0xe8/0x330
copy_process+0x376/0x5e00
create_io_thread+0xab/0xf0
io_sq_offload_create+0x9ed/0xf20
io_uring_setup+0x12b0/0x1cc0
do_syscall_64+0xa4/0x260
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 22:
kasan_save_stack+0x33/0x60
kasan_save_track+0x14/0x30
kasan_save_free_info+0x3b/0x60
__kasan_slab_free+0x37/0x50
kmem_cache_free+0xc4/0x360
rcu_core+0x5ff/0x19f0
handle_softirqs+0x18c/0x530
run_ksoftirqd+0x20/0x30
smpboot_thread_fn+0x287/0x6c0
kthread+0x30d/0x630
ret_from_fork+0xef/0x1a0
ret_from_fork_asm+0x1a/0x30

Last potentially related work creation:
kasan_save_stack+0x33/0x60
kasan_record_aux_stack+0x8c/0xa0
__call_rcu_common.constprop.0+0x68/0x940
__schedule+0xff2/0x2930
__cond_resched+0x4c/0x80
mutex_lock+0x5c/0xe0
io_uring_del_tctx_node+0xe1/0x2b0
io_uring_clean_tctx+0xb7/0x160
io_uring_cancel_generic+0x34e/0x760
do_exit+0x240/0x2350
do_group_exit+0xab/0x220
__x64_sys_exit_group+0x39/0x40
x64_sys_call+0x1243/0x1840
do_syscall_64+0xa4/0x260
entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88810de2cb00
which belongs to the cache task_struct of size 3712
The buggy address is located 1992 bytes inside of
freed 3712-byte region [ffff88810de2cb00, ffff88810de2d980)
```

which is caused by the task_struct pointed to by sq->thread being
released while it is being used in the function
__io_uring_show_fdinfo(). Holding ctx->uring_lock does not prevent the
release or exit of sq->thread.

Fix this by assigning and looking up ->thread under RCU, and grabbing a
reference to the task_struct. This e
---truncated---
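The commit message above describes the defect (a raw `sq->thread` pointer used by the fdinfo reader while the SQPOLL thread can exit and have its `task_struct` freed, with `ctx->uring_lock` giving no protection) and the shape of the fix (look the pointer up safely and hold a reference while using it). The following userspace C model is an added illustration, not kernel code and not the patch: it replaces the slab with a small static pool so that a use-after-free is detected rather than executed, and `task_get`/`task_put` are stand-ins for the kernel's `get_task_struct`/`put_task_struct`. The RCU grace period is not modelled; freeing happens as soon as the last reference drops, which is enough to show why a reference held across the race keeps the object alive.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simulated task_struct slab slot: 'alive' lets us detect a read of a freed
 * object instead of touching freed memory (the role KASAN plays in the report). */
struct task {
    bool alive;     /* slot holds a live object */
    int  refcount;  /* models task_struct usage count */
    long utime;     /* stand-in for the rusage data fdinfo prints */
};

#define NTASKS 4
static struct task slab[NTASKS];

/* Stand-in for the structure that publishes sq->thread. */
struct ring_ctx {
    struct task *thread;
};

static struct task *task_alloc(long utime) {
    for (int i = 0; i < NTASKS; i++) {
        if (!slab[i].alive) {
            slab[i].alive = true;
            slab[i].refcount = 1;   /* the thread's own reference */
            slab[i].utime = utime;
            return &slab[i];
        }
    }
    return NULL;
}

static void task_free(struct task *t) { t->alive = false; t->utime = -1; }

/* Like get_task_struct() guarded by a not-zero check: fails if the task is gone. */
static bool task_get(struct task *t) {
    if (!t || !t->alive || t->refcount == 0) return false;
    t->refcount++;
    return true;
}

/* Like put_task_struct(): the last reference frees the object. */
static void task_put(struct task *t) {
    if (--t->refcount == 0) task_free(t);
}

/* The SQPOLL thread exiting: unpublish the pointer, drop its own reference. */
static void sq_thread_exit(struct ring_ctx *ctx) {
    struct task *t = ctx->thread;
    ctx->thread = NULL;
    task_put(t);
}

static void no_race(struct ring_ctx *ctx) { (void)ctx; }

/* Buggy reader: keeps only the raw pointer across the window where the
 * thread may exit, so the object can be freed underneath it. */
static long fdinfo_unsafe(struct ring_ctx *ctx, void (*race)(struct ring_ctx *)) {
    struct task *t = ctx->thread;
    if (!t) return 0;
    race(ctx);
    if (!t->alive) return -1;   /* the slab-use-after-free KASAN reported */
    return t->utime;
}

/* Fixed reader: take a reference first (kernel: rcu_read_lock() +
 * rcu_dereference() + get_task_struct()), use the object, then drop it. */
static long fdinfo_safe(struct ring_ctx *ctx, void (*race)(struct ring_ctx *)) {
    struct task *t = ctx->thread;
    if (!task_get(t)) return 0;  /* thread already gone: nothing to show */
    race(ctx);
    long v = t->alive ? t->utime : -1;
    task_put(t);                 /* may be the last reference */
    return v;
}

/* Run one reader against a fresh ring whose thread reports utime 42.
 * Returns the utime the reader saw, or -1 if it read a freed object. */
long run_scenario(bool fixed, bool exit_during_read) {
    for (int i = 0; i < NTASKS; i++) slab[i] = (struct task){0};
    struct ring_ctx ctx = { .thread = task_alloc(42) };
    void (*race)(struct ring_ctx *) = exit_during_read ? sq_thread_exit : no_race;
    return fixed ? fdinfo_safe(&ctx, race) : fdinfo_unsafe(&ctx, race);
}

/* True when no slot in the simulated slab is still allocated. */
bool slab_all_free(void) {
    for (int i = 0; i < NTASKS; i++) if (slab[i].alive) return false;
    return true;
}

int main(void) {
    printf("unsafe reader, thread exits mid-read: %ld\n", run_scenario(false, true));
    printf("safe reader,   thread exits mid-read: %ld\n", run_scenario(true, true));
    printf("safe reader,   no exit:               %ld\n", run_scenario(true, false));
    return 0;
}
```

The point the model makes is the one in the commit message: serialising the reader with an unrelated lock does nothing for an object whose lifetime is governed by its own reference count, so the reader must hold a reference of its own for as long as it dereferences the pointer.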
Impact
Base Score 3.x: 7.80
Severity 3.x: HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.9 (including) | 6.12.34 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.15.3 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.16:rc1:*:*:*:*:*:* | | |