CVE-2025-68801

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mlxsw: spectrum_router: Fix neighbour use-after-free<br /> <br /> We sometimes observe use-after-free when dereferencing a neighbour [1].<br /> The problem seems to be that the driver stores a pointer to the<br /> neighbour, but without holding a reference on it. A reference is only<br /> taken when the neighbour is used by a nexthop.<br /> <br /> Fix by simplifying the reference counting scheme. Always take a<br /> reference when storing a neighbour pointer in a neighbour entry. Avoid<br /> taking a referencing when the neighbour is used by a nexthop as the<br /> neighbour entry associated with the nexthop already holds a reference.<br /> <br /> Tested by running the test that uncovered the problem over 300 times.<br /> Without this patch the problem was reproduced after a handful of<br /> iterations.<br /> <br /> [1]<br /> BUG: KASAN: slab-use-after-free in mlxsw_sp_neigh_entry_update+0x2d4/0x310<br /> Read of size 8 at addr ffff88817f8e3420 by task ip/3929<br /> <br /> CPU: 3 UID: 0 PID: 3929 Comm: ip Not tainted 6.18.0-rc4-virtme-g36b21a067510 #3 PREEMPT(full)<br /> Hardware name: Nvidia SN5600/VMOD0013, BIOS 5.13 05/31/2023<br /> Call Trace:<br /> <br /> dump_stack_lvl+0x6f/0xa0<br /> print_address_description.constprop.0+0x6e/0x300<br /> print_report+0xfc/0x1fb<br /> kasan_report+0xe4/0x110<br /> mlxsw_sp_neigh_entry_update+0x2d4/0x310<br /> mlxsw_sp_router_rif_gone_sync+0x35f/0x510<br /> mlxsw_sp_rif_destroy+0x1ea/0x730<br /> mlxsw_sp_inetaddr_port_vlan_event+0xa1/0x1b0<br /> __mlxsw_sp_inetaddr_lag_event+0xcc/0x130<br /> __mlxsw_sp_inetaddr_event+0xf5/0x3c0<br /> mlxsw_sp_router_netdevice_event+0x1015/0x1580<br /> notifier_call_chain+0xcc/0x150<br /> call_netdevice_notifiers_info+0x7e/0x100<br /> __netdev_upper_dev_unlink+0x10b/0x210<br /> netdev_upper_dev_unlink+0x79/0xa0<br /> vrf_del_slave+0x18/0x50<br /> do_set_master+0x146/0x7d0<br /> do_setlink.isra.0+0x9a0/0x2880<br /> rtnl_newlink+0x637/0xb20<br /> rtnetlink_rcv_msg+0x6fe/0xb90<br /> netlink_rcv_skb+0x123/0x380<br /> netlink_unicast+0x4a3/0x770<br /> netlink_sendmsg+0x75b/0xc90<br /> __sock_sendmsg+0xbe/0x160<br /> ____sys_sendmsg+0x5b2/0x7d0<br /> ___sys_sendmsg+0xfd/0x180<br /> __sys_sendmsg+0x124/0x1c0<br /> do_syscall_64+0xbb/0xfd0<br /> entry_SYSCALL_64_after_hwframe+0x4b/0x53<br /> [...]<br /> <br /> Allocated by task 109:<br /> kasan_save_stack+0x30/0x50<br /> kasan_save_track+0x14/0x30<br /> __kasan_kmalloc+0x7b/0x90<br /> __kmalloc_noprof+0x2c1/0x790<br /> neigh_alloc+0x6af/0x8f0<br /> ___neigh_create+0x63/0xe90<br /> mlxsw_sp_nexthop_neigh_init+0x430/0x7e0<br /> mlxsw_sp_nexthop_type_init+0x212/0x960<br /> mlxsw_sp_nexthop6_group_info_init.constprop.0+0x81f/0x1280<br /> mlxsw_sp_nexthop6_group_get+0x392/0x6a0<br /> mlxsw_sp_fib6_entry_create+0x46a/0xfd0<br /> mlxsw_sp_router_fib6_replace+0x1ed/0x5f0<br /> mlxsw_sp_router_fib6_event_work+0x10a/0x2a0<br /> process_one_work+0xd57/0x1390<br /> worker_thread+0x4d6/0xd40<br /> kthread+0x355/0x5b0<br /> ret_from_fork+0x1d4/0x270<br /> ret_from_fork_asm+0x11/0x20<br /> <br /> Freed by task 154:<br /> kasan_save_stack+0x30/0x50<br /> kasan_save_track+0x14/0x30<br /> __kasan_save_free_info+0x3b/0x60<br /> __kasan_slab_free+0x43/0x70<br /> kmem_cache_free_bulk.part.0+0x1eb/0x5e0<br /> kvfree_rcu_bulk+0x1f2/0x260<br /> kfree_rcu_work+0x130/0x1b0<br /> process_one_work+0xd57/0x1390<br /> worker_thread+0x4d6/0xd40<br /> kthread+0x355/0x5b0<br /> ret_from_fork+0x1d4/0x270<br /> ret_from_fork_asm+0x11/0x20<br /> <br /> Last potentially related work creation:<br /> kasan_save_stack+0x30/0x50<br /> kasan_record_aux_stack+0x8c/0xa0<br /> kvfree_call_rcu+0x93/0x5b0<br /> mlxsw_sp_router_neigh_event_work+0x67d/0x860<br /> process_one_work+0xd57/0x1390<br /> worker_thread+0x4d6/0xd40<br /> kthread+0x355/0x5b0<br /> ret_from_fork+0x1d4/0x270<br /> ret_from_fork_asm+0x11/0x20