Wind River Support Network

Description

In the Linux kernel, the following vulnerability has been resolved:EOL][EOL]tipc: Fix use-after-free in tipc_conn_close().[EOL][EOL]syzbot reported a null-ptr-deref in tipc_conn_close() during netns[EOL]dismantle. [0][EOL][EOL]tipc_topsrv_stop() iterates tipc_net(net)->topsrv->conn_idr and calls[EOL]tipc_conn_close() for each tipc_conn.[EOL][EOL]The problem is that tipc_conn_close() is called after releasing the[EOL]IDR lock.[EOL][EOL]At the same time, there might be tipc_conn_recv_work() running and it[EOL]could call tipc_conn_close() for the same tipc_conn and release its[EOL]last ->kref.[EOL][EOL]Once we release the IDR lock in tipc_topsrv_stop(), there is no[EOL]guarantee that the tipc_conn is alive.[EOL][EOL]Let's hold the ref before releasing the lock and put the ref after[EOL]tipc_conn_close() in tipc_topsrv_stop().[EOL][EOL][0]:[EOL]BUG: KASAN: use-after-free in tipc_conn_close+0x122/0x140 net/tipc/topsrv.c:165[EOL]Read of size 8 at addr ffff888099305a08 by task kworker/u4:3/435[EOL][EOL]CPU: 0 PID: 435 Comm: kworker/u4:3 Not tainted 4.19.204-syzkaller #0[EOL]Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011[EOL]Workqueue: netns cleanup_net[EOL]Call Trace:[EOL] __dump_stack lib/dump_stack.c:77 [inline][EOL] dump_stack+0x1fc/0x2ef lib/dump_stack.c:118[EOL] print_address_description.cold+0x54/0x219 mm/kasan/report.c:256[EOL] kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354[EOL] kasan_report mm/kasan/report.c:412 [inline][EOL] __asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433[EOL] tipc_conn_close+0x122/0x140 net/tipc/topsrv.c:165[EOL] tipc_topsrv_stop net/tipc/topsrv.c:701 [inline][EOL] tipc_topsrv_exit_net+0x27b/0x5c0 net/tipc/topsrv.c:722[EOL] ops_exit_list+0xa5/0x150 net/core/net_namespace.c:153[EOL] cleanup_net+0x3b4/0x8b0 net/core/net_namespace.c:553[EOL] process_one_work+0x864/0x1570 kernel/workqueue.c:2153[EOL] worker_thread+0x64c/0x1130 kernel/workqueue.c:2296[EOL] kthread+0x33f/0x460 kernel/kthread.c:259[EOL] ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415[EOL][EOL]Allocated by task 23:[EOL] kmem_cache_alloc_trace+0x12f/0x380 mm/slab.c:3625[EOL] kmalloc include/linux/slab.h:515 [inline][EOL] kzalloc include/linux/slab.h:709 [inline][EOL] tipc_conn_alloc+0x43/0x4f0 net/tipc/topsrv.c:192[EOL] tipc_topsrv_accept+0x1b5/0x280 net/tipc/topsrv.c:470[EOL] process_one_work+0x864/0x1570 kernel/workqueue.c:2153[EOL] worker_thread+0x64c/0x1130 kernel/workqueue.c:2296[EOL] kthread+0x33f/0x460 kernel/kthread.c:259[EOL] ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415[EOL][EOL]Freed by task 23:[EOL] __cache_free mm/slab.c:3503 [inline][EOL] kfree+0xcc/0x210 mm/slab.c:3822[EOL] tipc_conn_kref_release net/tipc/topsrv.c:150 [inline][EOL] kref_put include/linux/kref.h:70 [inline][EOL] conn_put+0x2cd/0x3a0 net/tipc/topsrv.c:155[EOL] process_one_work+0x864/0x1570 kernel/workqueue.c:2153[EOL] worker_thread+0x64c/0x1130 kernel/workqueue.c:2296[EOL] kthread+0x33f/0x460 kernel/kthread.c:259[EOL] ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415[EOL][EOL]The buggy address belongs to the object at ffff888099305a00[EOL] which belongs to the cache kmalloc-512 of size 512[EOL]The buggy address is located 8 bytes inside of[EOL] 512-byte region [ffff888099305a00, ffff888099305c00)[EOL]The buggy address belongs to the page:[EOL]page:ffffea000264c140 count:1 mapcount:0 mapping:ffff88813bff0940 index:0x0[EOL]flags: 0xfff00000000100(slab)[EOL]raw: 00fff00000000100 ffffea00028b6b88 ffffea0002cd2b08 ffff88813bff0940[EOL]raw: 0000000000000000 ffff888099305000 0000000100000006 0000000000000000[EOL]page dumped because: kasan: bad access detected[EOL][EOL]Memory state around the buggy address:[EOL] ffff888099305900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb[EOL] ffff888099305980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc[EOL]>ffff888099305a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb[EOL]                      ^[EOL] ffff888099305a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb[EOL] ffff888099305b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

CREATE(Triage):(User=admin) [CVE-2025-38464 (https://nvd.nist.gov/vuln/detail/CVE-2025-38464)