National Cybersecurity Institute (INCIBE). INCIBE-CERT section

CVE-2025-40186

Severity:
Pending analysis
Type:
Not available / Other
Publication date:
12/11/2025
Last modified:
12/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request().

syzbot reported the splat below in tcp_conn_request(). [0]

If a listener is close()d while a TFO socket is being processed in
tcp_conn_request(), inet_csk_reqsk_queue_add() does not set reqsk->sk
and calls inet_child_forget(), which calls tcp_disconnect() for the
TFO socket.

After the cited commit, tcp_disconnect() calls reqsk_fastopen_remove(),
where reqsk_put() is called due to !reqsk->sk.

Then, reqsk_fastopen_remove() in tcp_conn_request() decrements the
last req->rsk_refcnt and frees reqsk, and __reqsk_free() at the
drop_and_free label causes the refcount underflow for the listener
and double-free of the reqsk.

Let's remove reqsk_fastopen_remove() in tcp_conn_request().

Note that other callers make sure tp->fastopen_rsk is not NULL.

[0]:
refcount_t: underflow; use-after-free.
WARNING: CPU: 12 PID: 5563 at lib/refcount.c:28 refcount_warn_saturate (lib/refcount.c:28)
Modules linked in:
CPU: 12 UID: 0 PID: 5563 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:refcount_warn_saturate (lib/refcount.c:28)
Code: ab e8 8e b4 98 ff 0f 0b c3 cc cc cc cc cc 80 3d a4 e4 d6 01 00 75 9c c6 05 9b e4 d6 01 01 48 c7 c7 e8 df fb ab e8 6a b4 98 ff 0b e9 03 5b 76 00 cc 80 3d 7d e4 d6 01 00 0f 85 74 ff ff ff c6
RSP: 0018:ffffa79fc0304a98 EFLAGS: 00010246
RAX: d83af4db1c6b3900 RBX: ffff9f65c7a69020 RCX: d83af4db1c6b3900
RDX: 0000000000000000 RSI: 00000000ffff7fff RDI: ffffffffac78a280
RBP: 000000009d781b60 R08: 0000000000007fff R09: ffffffffac6ca280
R10: 0000000000017ffd R11: 0000000000000004 R12: ffff9f65c7b4f100
R13: ffff9f65c7d23c00 R14: ffff9f65c7d26000 R15: ffff9f65c7a64ef8
FS: 00007f9f962176c0(0000) GS:ffff9f65fcf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000200000000180 CR3: 000000000dbbe006 CR4: 0000000000372ef0
Call Trace:

tcp_conn_request (./include/linux/refcount.h:400 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 ./include/net/sock.h:1965 ./include/net/request_sock.h:131 net/ipv4/tcp_input.c:7301)
tcp_rcv_state_process (net/ipv4/tcp_input.c:6708)
tcp_v6_do_rcv (net/ipv6/tcp_ipv6.c:1670)
tcp_v6_rcv (net/ipv6/tcp_ipv6.c:1906)
ip6_protocol_deliver_rcu (net/ipv6/ip6_input.c:438)
ip6_input (net/ipv6/ip6_input.c:500)
ipv6_rcv (net/ipv6/ip6_input.c:311)
__netif_receive_skb (net/core/dev.c:6104)
process_backlog (net/core/dev.c:6456)
__napi_poll (net/core/dev.c:7506)
net_rx_action (net/core/dev.c:7569 net/core/dev.c:7696)
handle_softirqs (kernel/softirq.c:579)
do_softirq (kernel/softirq.c:480)

Impact