CVE-2025-38019

Severity (CVSS v4.0): Pending analysis
Type: CWE-416 Use After Free
Publication date: 18/06/2025
Last modified: 14/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

mlxsw: spectrum_router: Fix use-after-free when deleting GRE net devices

The driver only offloads neighbors that are constructed on top of net devices registered by it or their uppers (which are all Ethernet). The device supports GRE encapsulation and decapsulation of forwarded traffic, but the driver will not offload dummy neighbors constructed on top of GRE net devices as they are not uppers of its net devices:

    # ip link add name gre1 up type gre tos inherit local 192.0.2.1 remote 198.51.100.1
    # ip neigh add 0.0.0.0 lladdr 0.0.0.0 nud noarp dev gre1
    $ ip neigh show dev gre1 nud noarp
    0.0.0.0 lladdr 0.0.0.0 NOARP

(Note that the neighbor is not marked with 'offload'.)

When the driver is reloaded and the existing configuration is replayed, the driver does not perform the same check regarding existing neighbors and offloads the previously added one:

    # devlink dev reload pci/0000:01:00.0
    $ ip neigh show dev gre1 nud noarp
    0.0.0.0 lladdr 0.0.0.0 offload NOARP

If the neighbor is later deleted, the driver will ignore the notification (given the GRE net device is not its upper) and will therefore keep referencing freed memory, resulting in a use-after-free [1] when the net device is deleted:

    # ip neigh del 0.0.0.0 lladdr 0.0.0.0 dev gre1
    # ip link del dev gre1

Fix by skipping neighbor replay if the net device for which the replay is performed is not our upper.

[1]
    BUG: KASAN: slab-use-after-free in mlxsw_sp_neigh_entry_update+0x1ea/0x200
    Read of size 8 at addr ffff888155b0e420 by task ip/2282
    [...]
    Call Trace:

    dump_stack_lvl+0x6f/0xa0
    print_address_description.constprop.0+0x6f/0x350
    print_report+0x108/0x205
    kasan_report+0xdf/0x110
    mlxsw_sp_neigh_entry_update+0x1ea/0x200
    mlxsw_sp_router_rif_gone_sync+0x2a8/0x440
    mlxsw_sp_rif_destroy+0x1e9/0x750
    mlxsw_sp_netdevice_ipip_ol_event+0x3c9/0xdc0
    mlxsw_sp_router_netdevice_event+0x3ac/0x15e0
    notifier_call_chain+0xca/0x150
    call_netdevice_notifiers_info+0x7f/0x100
    unregister_netdevice_many_notify+0xc8c/0x1d90
    rtnl_dellink+0x34e/0xa50
    rtnetlink_rcv_msg+0x6fb/0xb70
    netlink_rcv_skb+0x131/0x360
    netlink_unicast+0x426/0x710
    netlink_sendmsg+0x75a/0xc20
    __sock_sendmsg+0xc1/0x150
    ____sys_sendmsg+0x5aa/0x7b0
    ___sys_sendmsg+0xfc/0x180
    __sys_sendmsg+0x121/0x1b0
    do_syscall_64+0xbb/0x1d0
    entry_SYSCALL_64_after_hwframe+0x4b/0x53

Vulnerable products and versions

CPE                                                From              Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       6.6 (including)   6.6.92 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       6.7 (including)   6.12.30 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       6.13 (including)  6.14.8 (excluding)
cpe:2.3:o:linux:linux_kernel:6.15:rc1:*:*:*:*:*:*  (exact version)
cpe:2.3:o:linux:linux_kernel:6.15:rc2:*:*:*:*:*:*  (exact version)
cpe:2.3:o:linux:linux_kernel:6.15:rc3:*:*:*:*:*:*  (exact version)
cpe:2.3:o:linux:linux_kernel:6.15:rc4:*:*:*:*:*:*  (exact version)
cpe:2.3:o:linux:linux_kernel:6.15:rc5:*:*:*:*:*:*  (exact version)
cpe:2.3:o:linux:linux_kernel:6.15:rc6:*:*:*:*:*:*  (exact version)
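The ranges above are half-open (the "Up to" bound is excluded) and the 6.15 entries name individual release candidates, which is easy to get wrong when scripting a fleet check. The following helper, written for this advisory and not part of the kernel tree or the CVE record, encodes exactly those ranges; all function names are hypothetical, and it assumes kernel release strings in the usual `uname -r` form.

```shell
#!/bin/sh
# Added example (not from the advisory or the kernel tree): decide whether a
# kernel version string falls into the affected ranges listed on this page.
# All function names here are hypothetical helpers written for this check.

ver_num() {
    # Encode "major.minor.patch" as one integer so ranges compare numerically;
    # missing components count as 0, so "6.6" sorts just below "6.6.1".
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

in_range() {
    # in_range VERSION FROM UPTO: FROM <= VERSION < UPTO, matching the
    # "(including)" / "(excluding)" bounds of the table above.
    n=$(ver_num "$1"); lo=$(ver_num "$2"); hi=$(ver_num "$3")
    [ "$n" -ge "$lo" ] && [ "$n" -lt "$hi" ]
}

kernel_base_version() {
    # Strip distro suffixes: "6.6.91-generic" -> "6.6.91",
    # "6.15.0-rc3-custom" -> "6.15-rc3" (the form the CPE list uses).
    base=${1%%-*}
    rest=${1#"$base"}
    case "$rest" in
        -rc[0-9]*) rc=${rest#-rc}; rc=${rc%%-*}; echo "${base%.0}-rc$rc" ;;
        *) echo "$base" ;;
    esac
}

cve_2025_38019_status() {
    # Prints "affected" or "not affected" for one kernel release string.
    v=$(kernel_base_version "$1")
    case "$v" in
        6.15-rc[1-6]) echo affected; return 0 ;;  # rc1..rc6 are listed explicitly
        *-rc*) echo "not affected"; return 1 ;;   # other release candidates are not
    esac
    if in_range "$v" 6.6 6.6.92 || in_range "$v" 6.7 6.12.30 || in_range "$v" 6.13 6.14.8; then
        echo affected; return 0
    fi
    echo "not affected"; return 1
}

# Usage: sh check.sh --running   (a version match only matters on hosts that
# actually load the mlxsw_spectrum driver, i.e. Mellanox Spectrum switches).
case "${1:-}" in
    --running) cve_2025_38019_status "$(uname -r)" ;;
esac
```

A version match is necessary but not sufficient: the bug lives in the mlxsw Spectrum router code, so a host that never loads that driver is not exposed regardless of its kernel version.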