CVE-2025-38500

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> xfrm: interface: fix use-after-free after changing collect_md xfrm interface<br /> <br /> collect_md property on xfrm interfaces can only be set on device creation,<br /> thus xfrmi_changelink() should fail when called on such interfaces.<br /> <br /> The check to enforce this was done only in the case where the xi was<br /> returned from xfrmi_locate() which doesn&amp;#39;t look for the collect_md<br /> interface, and thus the validation was never reached.<br /> <br /> Calling changelink would thus errornously place the special interface xi<br /> in the xfrmi_net-&gt;xfrmi hash, but since it also exists in the<br /> xfrmi_net-&gt;collect_md_xfrmi pointer it would lead to a double free when<br /> the net namespace was taken down [1].<br /> <br /> Change the check to use the xi from netdev_priv which is available earlier<br /> in the function to prevent changes in xfrm collect_md interfaces.<br /> <br /> [1] resulting oops:<br /> [ 8.516540] kernel BUG at net/core/dev.c:12029!<br /> [ 8.516552] Oops: invalid opcode: 0000 [#1] SMP NOPTI<br /> [ 8.516559] CPU: 0 UID: 0 PID: 12 Comm: kworker/u80:0 Not tainted 6.15.0-virtme #5 PREEMPT(voluntary)<br /> [ 8.516565] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014<br /> [ 8.516569] Workqueue: netns cleanup_net<br /> [ 8.516579] RIP: 0010:unregister_netdevice_many_notify+0x101/0xab0<br /> [ 8.516590] Code: 90 0f 0b 90 48 8b b0 78 01 00 00 48 8b 90 80 01 00 00 48 89 56 08 48 89 32 4c 89 80 78 01 00 00 48 89 b8 80 01 00 00 eb ac 90 0b 48 8b 45 00 4c 8d a0 88 fe ff ff 48 39 c5 74 5c 41 80 bc 24<br /> [ 8.516593] RSP: 0018:ffffa93b8006bd30 EFLAGS: 00010206<br /> [ 8.516598] RAX: ffff98fe4226e000 RBX: ffffa93b8006bd58 RCX: ffffa93b8006bc60<br /> [ 8.516601] RDX: 0000000000000004 RSI: 0000000000000000 RDI: dead000000000122<br /> [ 8.516603] RBP: ffffa93b8006bdd8 R08: dead000000000100 R09: ffff98fe4133c100<br /> [ 8.516605] R10: 0000000000000000 R11: 00000000000003d2 R12: ffffa93b8006be00<br /> [ 8.516608] R13: ffffffff96c1a510 R14: ffffffff96c1a510 R15: ffffa93b8006be00<br /> [ 8.516615] FS: 0000000000000000(0000) GS:ffff98fee73b7000(0000) knlGS:0000000000000000<br /> [ 8.516619] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [ 8.516622] CR2: 00007fcd2abd0700 CR3: 000000003aa40000 CR4: 0000000000752ef0<br /> [ 8.516625] PKRU: 55555554<br /> [ 8.516627] Call Trace:<br /> [ 8.516632] <br /> [ 8.516635] ? rtnl_is_locked+0x15/0x20<br /> [ 8.516641] ? unregister_netdevice_queue+0x29/0xf0<br /> [ 8.516650] ops_undo_list+0x1f2/0x220<br /> [ 8.516659] cleanup_net+0x1ad/0x2e0<br /> [ 8.516664] process_one_work+0x160/0x380<br /> [ 8.516673] worker_thread+0x2aa/0x3c0<br /> [ 8.516679] ? __pfx_worker_thread+0x10/0x10<br /> [ 8.516686] kthread+0xfb/0x200<br /> [ 8.516690] ? __pfx_kthread+0x10/0x10<br /> [ 8.516693] ? __pfx_kthread+0x10/0x10<br /> [ 8.516697] ret_from_fork+0x82/0xf0<br /> [ 8.516705] ? __pfx_kthread+0x10/0x10<br /> [ 8.516709] ret_from_fork_asm+0x1a/0x30<br /> [ 8.516718]