CVE-2025-40297

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
08/12/2025
Last modified:
08/12/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

net: bridge: fix use-after-free due to MST port state bypass

syzbot reported[1] a use-after-free when deleting an expired fdb. It is due to a race condition between learning still happening and a port being deleted, after all its fdbs have been flushed. The port's state has been toggled to disabled so no learning should happen at that time, but if we have MST enabled, it will bypass the port's state, that together with VLAN filtering disabled can lead to fdb learning at a time when it shouldn't happen while the port is being deleted. VLAN filtering must be disabled because we flush the port VLANs when it's being deleted which will stop learning. This fix adds a check for the port's vlan group which is initialized to NULL when the port is getting deleted, that avoids the port state bypass. When MST is enabled there would be a minimal new overhead in the fast-path because the port's vlan group pointer is cache-hot.

[1] https://syzkaller.appspot.com/bug?extid=dd280197f0f7ab3917be
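The following is a simplified model, added for this page and not taken from the kernel or from the actual patch, of the learning decision the description walks through: the MST bypass, the role of VLAN filtering, and the vlan-group NULL check that closes the window. All type and function names (bridge_port, vlan_group, learning_allowed, deleting_port_learns) are invented for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified, non-kernel model of the bridge ingress learning decision. */
enum port_state { BR_STATE_DISABLED, BR_STATE_LEARNING, BR_STATE_FORWARDING };

struct vlan_group {
    enum port_state msti_state; /* per-VLAN MST instance state, one VLAN for brevity */
};

struct bridge_port {
    enum port_state state;      /* port-wide STP state, DISABLED while being deleted */
    bool mst_enabled;           /* bridge-level MST option */
    bool vlan_filtering;        /* bridge-level VLAN filtering option */
    struct vlan_group *vlgrp;   /* set to NULL when the port is being deleted */
};

/* Returns true if a frame arriving on p would be used for fdb learning.
 * fixed=false models the bypass before the fix, fixed=true adds the vlgrp check.
 * With MST the port-wide state is replaced and the per-VLAN state is meant
 * to be consulted later instead. */
static bool learning_allowed(const struct bridge_port *p, bool fixed)
{
    bool mst_bypass = fixed ? (p->mst_enabled && p->vlgrp != NULL) : p->mst_enabled;
    enum port_state state = mst_bypass ? BR_STATE_FORWARDING : p->state;
    if (p->vlan_filtering) {
        /* A deleted port has had its VLANs flushed: nothing matches, drop. */
        if (p->vlgrp == NULL)
            return false;
        if (mst_bypass)
            state = p->vlgrp->msti_state;
    }
    /* With VLAN filtering off the bypassed state is never overridden. */
    return state == BR_STATE_LEARNING || state == BR_STATE_FORWARDING;
}

/* A port mid-deletion: state already DISABLED and vlan group torn down. */
static bool deleting_port_learns(bool mst, bool vlan_filtering, bool fixed)
{
    struct bridge_port p = { BR_STATE_DISABLED, mst, vlan_filtering, NULL };
    return learning_allowed(&p, fixed);
}

int main(void)
{
    printf("MST on, VLAN filtering off, before fix: learning=%d\n",
           deleting_port_learns(true, false, false));  /* 1: the race window */
    printf("MST on, VLAN filtering off, after fix:  learning=%d\n",
           deleting_port_learns(true, false, true));   /* 0 */
    return 0;
}
```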

Impact