CVE-2025-38589

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> neighbour: Fix null-ptr-deref in neigh_flush_dev().<br /> <br /> kernel test robot reported null-ptr-deref in neigh_flush_dev(). [0]<br /> <br /> The cited commit introduced per-netdev neighbour list and converted<br /> neigh_flush_dev() to use it instead of the global hash table.<br /> <br /> One thing we missed is that neigh_table_clear() calls neigh_ifdown()<br /> with NULL dev.<br /> <br /> Let&amp;#39;s restore the hash table iteration.<br /> <br /> Note that IPv6 module is no longer unloadable, so neigh_table_clear()<br /> is called only when IPv6 fails to initialise, which is unlikely to<br /> happen.<br /> <br /> [0]:<br /> IPv6: Attempt to unregister permanent protocol 136<br /> IPv6: Attempt to unregister permanent protocol 17<br /> Oops: general protection fault, probably for non-canonical address 0xdffffc00000001a0: 0000 [#1] SMP KASAN<br /> KASAN: null-ptr-deref in range [0x0000000000000d00-0x0000000000000d07]<br /> CPU: 1 UID: 0 PID: 1 Comm: systemd Tainted: G T 6.12.0-rc6-01246-gf7f52738637f #1<br /> Tainted: [T]=RANDSTRUCT<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014<br /> RIP: 0010:neigh_flush_dev.llvm.6395807810224103582+0x52/0x570<br /> Code: c1 e8 03 42 8a 04 38 84 c0 0f 85 15 05 00 00 31 c0 41 83 3e 0a 0f 94 c0 48 8d 1c c3 48 81 c3 f8 0c 00 00 48 89 d8 48 c1 e8 03 80 3c 38 00 74 08 48 89 df e8 f7 49 93 fe 4c 8b 3b 4d 85 ff 0f<br /> RSP: 0000:ffff88810026f408 EFLAGS: 00010206<br /> RAX: 00000000000001a0 RBX: 0000000000000d00 RCX: 0000000000000000<br /> RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffffc0631640<br /> RBP: ffff88810026f470 R08: 0000000000000000 R09: 0000000000000000<br /> R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000<br /> R13: ffffffffc0625250 R14: ffffffffc0631640 R15: dffffc0000000000<br /> FS: 00007f575cb83940(0000) GS:ffff8883aee00000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00007f575db40008 CR3: 00000002bf936000 CR4: 00000000000406f0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> Call Trace:<br /> <br /> __neigh_ifdown.llvm.6395807810224103582+0x44/0x390<br /> neigh_table_clear+0xb1/0x268<br /> ndisc_cleanup+0x21/0x38 [ipv6]<br /> init_module+0x2f5/0x468 [ipv6]<br /> do_one_initcall+0x1ba/0x628<br /> do_init_module+0x21a/0x530<br /> load_module+0x2550/0x2ea0<br /> __se_sys_finit_module+0x3d2/0x620<br /> __x64_sys_finit_module+0x76/0x88<br /> x64_sys_call+0x7ff/0xde8<br /> do_syscall_64+0xfb/0x1e8<br /> entry_SYSCALL_64_after_hwframe+0x67/0x6f<br /> RIP: 0033:0x7f575d6f2719<br /> Code: 08 89 e8 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d 01 f0 ff ff 73 01 c3 48 8b 0d b7 06 0d 00 f7 d8 64 89 01 48<br /> RSP: 002b:00007fff82a2a268 EFLAGS: 00000246 ORIG_RAX: 0000000000000139<br /> RAX: ffffffffffffffda RBX: 0000557827b45310 RCX: 00007f575d6f2719<br /> RDX: 0000000000000000 RSI: 00007f575d584efd RDI: 0000000000000004<br /> RBP: 00007f575d584efd R08: 0000000000000000 R09: 0000557827b47b00<br /> R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000020000<br /> R13: 0000000000000000 R14: 0000557827b470e0 R15: 00007f575dbb4270<br /> <br /> Modules linked in: ipv6(+)