Acknowledged
Created: Jul 11, 2025
Updated: Jul 14, 2025
Found In Version: 10.23.30.1
Severity: Standard
Applicable for: Wind River Linux LTS 23
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:EOL][EOL]net: atm: add lec_mutex[EOL][EOL]syzbot found its way in net/atm/lec.c, and found an error path[EOL]in lecd_attach() could leave a dangling pointer in dev_lec[].[EOL][EOL]Add a mutex to protect dev_lecp[] uses from lecd_attach(),[EOL]lec_vcc_attach() and lec_mcast_attach().[EOL][EOL]Following patch will use this mutex for /proc/net/atm/lec.[EOL][EOL]BUG: KASAN: slab-use-after-free in lecd_attach net/atm/lec.c:751 [inline][EOL]BUG: KASAN: slab-use-after-free in lane_ioctl+0x2224/0x23e0 net/atm/lec.c:1008[EOL]Read of size 8 at addr ffff88807c7b8e68 by task syz.1.17/6142[EOL][EOL]CPU: 1 UID: 0 PID: 6142 Comm: syz.1.17 Not tainted 6.16.0-rc1-syzkaller-00239-g08215f5486ec #0 PREEMPT(full)[EOL]Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025[EOL]Call Trace:[EOL] <TASK>[EOL] __dump_stack lib/dump_stack.c:94 [inline][EOL] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120[EOL] print_address_description mm/kasan/report.c:408 [inline][EOL] print_report+0xcd/0x680 mm/kasan/report.c:521[EOL] kasan_report+0xe0/0x110 mm/kasan/report.c:634[EOL] lecd_attach net/atm/lec.c:751 [inline][EOL] lane_ioctl+0x2224/0x23e0 net/atm/lec.c:1008[EOL] do_vcc_ioctl+0x12c/0x930 net/atm/ioctl.c:159[EOL] sock_do_ioctl+0x118/0x280 net/socket.c:1190[EOL] sock_ioctl+0x227/0x6b0 net/socket.c:1311[EOL] vfs_ioctl fs/ioctl.c:51 [inline][EOL] __do_sys_ioctl fs/ioctl.c:907 [inline][EOL] __se_sys_ioctl fs/ioctl.c:893 [inline][EOL] __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:893[EOL] do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline][EOL] do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94[EOL] entry_SYSCALL_64_after_hwframe+0x77/0x7f[EOL] </TASK>[EOL][EOL]Allocated by task 6132:[EOL] kasan_save_stack+0x33/0x60 mm/kasan/common.c:47[EOL] kasan_save_track+0x14/0x30 mm/kasan/common.c:68[EOL] poison_kmalloc_redzone mm/kasan/common.c:377 [inline][EOL] __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394[EOL] kasan_kmalloc include/linux/kasan.h:260 [inline][EOL] __do_kmalloc_node mm/slub.c:4328 [inline][EOL] __kvmalloc_node_noprof+0x27b/0x620 mm/slub.c:5015[EOL] alloc_netdev_mqs+0xd2/0x1570 net/core/dev.c:11711[EOL] lecd_attach net/atm/lec.c:737 [inline][EOL] lane_ioctl+0x17db/0x23e0 net/atm/lec.c:1008[EOL] do_vcc_ioctl+0x12c/0x930 net/atm/ioctl.c:159[EOL] sock_do_ioctl+0x118/0x280 net/socket.c:1190[EOL] sock_ioctl+0x227/0x6b0 net/socket.c:1311[EOL] vfs_ioctl fs/ioctl.c:51 [inline][EOL] __do_sys_ioctl fs/ioctl.c:907 [inline][EOL] __se_sys_ioctl fs/ioctl.c:893 [inline][EOL] __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:893[EOL] do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline][EOL] do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94[EOL] entry_SYSCALL_64_after_hwframe+0x77/0x7f[EOL][EOL]Freed by task 6132:[EOL] kasan_save_stack+0x33/0x60 mm/kasan/common.c:47[EOL] kasan_save_track+0x14/0x30 mm/kasan/common.c:68[EOL] kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576[EOL] poison_slab_object mm/kasan/common.c:247 [inline][EOL] __kasan_slab_free+0x51/0x70 mm/kasan/common.c:264[EOL] kasan_slab_free include/linux/kasan.h:233 [inline][EOL] slab_free_hook mm/slub.c:2381 [inline][EOL] slab_free mm/slub.c:4643 [inline][EOL] kfree+0x2b4/0x4d0 mm/slub.c:4842[EOL] free_netdev+0x6c5/0x910 net/core/dev.c:11892[EOL] lecd_attach net/atm/lec.c:744 [inline][EOL] lane_ioctl+0x1ce8/0x23e0 net/atm/lec.c:1008[EOL] do_vcc_ioctl+0x12c/0x930 net/atm/ioctl.c:159[EOL] sock_do_ioctl+0x118/0x280 net/socket.c:1190[EOL] sock_ioctl+0x227/0x6b0 net/socket.c:1311[EOL] vfs_ioctl fs/ioctl.c:51 [inline][EOL] __do_sys_ioctl fs/ioctl.c:907 [inline][EOL] __se_sys_ioctl fs/ioctl.c:893 [inline][EOL] __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:893
CREATE(Triage):(User=admin) [CVE-2025-38323 (https://nvd.nist.gov/vuln/detail/CVE-2025-38323)
