CVE-2025-38476

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> rpl: Fix use-after-free in rpl_do_srh_inline().<br /> <br /> Running lwt_dst_cache_ref_loop.sh in selftest with KASAN triggers<br /> the splat below [0].<br /> <br /> rpl_do_srh_inline() fetches ipv6_hdr(skb) and accesses it after<br /> skb_cow_head(), which is illegal as the header could be freed then.<br /> <br /> Let&amp;#39;s fix it by making oldhdr to a local struct instead of a pointer.<br /> <br /> [0]:<br /> [root@fedora net]# ./lwt_dst_cache_ref_loop.sh<br /> ...<br /> TEST: rpl (input)<br /> [ 57.631529] ==================================================================<br /> BUG: KASAN: slab-use-after-free in rpl_do_srh_inline.isra.0 (net/ipv6/rpl_iptunnel.c:174)<br /> Read of size 40 at addr ffff888122bf96d8 by task ping6/1543<br /> <br /> CPU: 50 UID: 0 PID: 1543 Comm: ping6 Not tainted 6.16.0-rc5-01302-gfadd1e6231b1 #23 PREEMPT(voluntary)<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014<br /> Call Trace:<br /> <br /> dump_stack_lvl (lib/dump_stack.c:122)<br /> print_report (mm/kasan/report.c:409 mm/kasan/report.c:521)<br /> kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:636)<br /> kasan_check_range (mm/kasan/generic.c:175 (discriminator 1) mm/kasan/generic.c:189 (discriminator 1))<br /> __asan_memmove (mm/kasan/shadow.c:94 (discriminator 2))<br /> rpl_do_srh_inline.isra.0 (net/ipv6/rpl_iptunnel.c:174)<br /> rpl_input (net/ipv6/rpl_iptunnel.c:201 net/ipv6/rpl_iptunnel.c:282)<br /> lwtunnel_input (net/core/lwtunnel.c:459)<br /> ipv6_rcv (./include/net/dst.h:471 (discriminator 1) ./include/net/dst.h:469 (discriminator 1) net/ipv6/ip6_input.c:79 (discriminator 1) ./include/linux/netfilter.h:317 (discriminator 1) ./include/linux/netfilter.h:311 (discriminator 1) net/ipv6/ip6_input.c:311 (discriminator 1))<br /> __netif_receive_skb_one_core (net/core/dev.c:5967)<br /> process_backlog (./include/linux/rcupdate.h:869 net/core/dev.c:6440)<br /> __napi_poll.constprop.0 (net/core/dev.c:7452)<br /> net_rx_action (net/core/dev.c:7518 net/core/dev.c:7643)<br /> handle_softirqs (kernel/softirq.c:579)<br /> do_softirq (kernel/softirq.c:480 (discriminator 20))<br /> <br /> <br /> __local_bh_enable_ip (kernel/softirq.c:407)<br /> __dev_queue_xmit (net/core/dev.c:4740)<br /> ip6_finish_output2 (./include/linux/netdevice.h:3358 ./include/net/neighbour.h:526 ./include/net/neighbour.h:540 net/ipv6/ip6_output.c:141)<br /> ip6_finish_output (net/ipv6/ip6_output.c:215 net/ipv6/ip6_output.c:226)<br /> ip6_output (./include/linux/netfilter.h:306 net/ipv6/ip6_output.c:248)<br /> ip6_send_skb (net/ipv6/ip6_output.c:1983)<br /> rawv6_sendmsg (net/ipv6/raw.c:588 net/ipv6/raw.c:918)<br /> __sys_sendto (net/socket.c:714 (discriminator 1) net/socket.c:729 (discriminator 1) net/socket.c:2228 (discriminator 1))<br /> __x64_sys_sendto (net/socket.c:2231)<br /> do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))<br /> entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)<br /> RIP: 0033:0x7f68cffb2a06<br /> Code: 5d e8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 75 19 83 e2 39 83 fa 08 75 11 e8 26 ff ff ff 66 0f 1f 44 00 00 48 8b 45 10 0f 05 8b 5d f8 c9 c3 0f 1f 40 00 f3 0f 1e fa 55 48 89 e5 48 83 ec 08<br /> RSP: 002b:00007ffefb7c53d0 EFLAGS: 00000202 ORIG_RAX: 000000000000002c<br /> RAX: ffffffffffffffda RBX: 0000564cd69f10a0 RCX: 00007f68cffb2a06<br /> RDX: 0000000000000040 RSI: 0000564cd69f10a4 RDI: 0000000000000003<br /> RBP: 00007ffefb7c53f0 R08: 0000564cd6a032ac R09: 000000000000001c<br /> R10: 0000000000000000 R11: 0000000000000202 R12: 0000564cd69f10a4<br /> R13: 0000000000000040 R14: 00007ffefb7c66e0 R15: 0000564cd69f10a0<br /> <br /> <br /> Allocated by task 1543:<br /> kasan_save_stack (mm/kasan/common.c:48)<br /> kasan_save_track (mm/kasan/common.c:60 (discriminator 1) mm/kasan/common.c:69 (discriminator 1))<br /> __kasan_slab_alloc (mm/kasan/common.c:319 mm/kasan/common.c:345)<br /> kmem_cache_alloc_node_noprof (./include/linux/kasan.h:250 mm/slub.c:4148 mm/slub.c:4197 mm/slub.c:4249)<br /> kmalloc_reserve (net/core/skbuff.c:581 (discriminator 88))<br /> __alloc_skb (net/core/skbuff.c:669)<br /> __ip6_append_data (net/ipv6/ip6_output.c:1672 (discriminator 1))<br /> ip6_<br /> ---truncated---