Wind River Support Network

Description

In the Linux kernel, the following vulnerability has been resolved:EOL][EOL]xfrm: interface: fix use-after-free after changing collect_md xfrm interface[EOL][EOL]collect_md property on xfrm interfaces can only be set on device creation,[EOL]thus xfrmi_changelink() should fail when called on such interfaces.[EOL][EOL]The check to enforce this was done only in the case where the xi was[EOL]returned from xfrmi_locate() which doesn't look for the collect_md[EOL]interface, and thus the validation was never reached.[EOL][EOL]Calling changelink would thus errornously place the special interface xi[EOL]in the xfrmi_net->xfrmi hash, but since it also exists in the[EOL]xfrmi_net->collect_md_xfrmi pointer it would lead to a double free when[EOL]the net namespace was taken down [1].[EOL][EOL]Change the check to use the xi from netdev_priv which is available earlier[EOL]in the function to prevent changes in xfrm collect_md interfaces.[EOL][EOL][1] resulting oops:[EOL][    8.516540] kernel BUG at net/core/dev.c:12029![EOL][    8.516552] Oops: invalid opcode: 0000 [#1] SMP NOPTI[EOL][    8.516559] CPU: 0 UID: 0 PID: 12 Comm: kworker/u80:0 Not tainted 6.15.0-virtme #5 PREEMPT(voluntary)[EOL][    8.516565] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014[EOL][    8.516569] Workqueue: netns cleanup_net[EOL][    8.516579] RIP: 0010:unregister_netdevice_many_notify+0x101/0xab0[EOL][    8.516590] Code: 90 0f 0b 90 48 8b b0 78 01 00 00 48 8b 90 80 01 00 00 48 89 56 08 48 89 32 4c 89 80 78 01 00 00 48 89 b8 80 01 00 00 eb ac 90 <0f> 0b 48 8b 45 00 4c 8d a0 88 fe ff ff 48 39 c5 74 5c 41 80 bc 24[EOL][    8.516593] RSP: 0018:ffffa93b8006bd30 EFLAGS: 00010206[EOL][    8.516598] RAX: ffff98fe4226e000 RBX: ffffa93b8006bd58 RCX: ffffa93b8006bc60[EOL][    8.516601] RDX: 0000000000000004 RSI: 0000000000000000 RDI: dead000000000122[EOL][    8.516603] RBP: ffffa93b8006bdd8 R08: dead000000000100 R09: ffff98fe4133c100[EOL][    8.516605] R10: 0000000000000000 R11: 00000000000003d2 R12: ffffa93b8006be00[EOL][    8.516608] R13: ffffffff96c1a510 R14: ffffffff96c1a510 R15: ffffa93b8006be00[EOL][    8.516615] FS:  0000000000000000(0000) GS:ffff98fee73b7000(0000) knlGS:0000000000000000[EOL][    8.516619] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033[EOL][    8.516622] CR2: 00007fcd2abd0700 CR3: 000000003aa40000 CR4: 0000000000752ef0[EOL][    8.516625] PKRU: 55555554[EOL][    8.516627] Call Trace:[EOL][    8.516632]  <TASK>[EOL][    8.516635]  ? rtnl_is_locked+0x15/0x20[EOL][    8.516641]  ? unregister_netdevice_queue+0x29/0xf0[EOL][    8.516650]  ops_undo_list+0x1f2/0x220[EOL][    8.516659]  cleanup_net+0x1ad/0x2e0[EOL][    8.516664]  process_one_work+0x160/0x380[EOL][    8.516673]  worker_thread+0x2aa/0x3c0[EOL][    8.516679]  ? __pfx_worker_thread+0x10/0x10[EOL][    8.516686]  kthread+0xfb/0x200[EOL][    8.516690]  ? __pfx_kthread+0x10/0x10[EOL][    8.516693]  ? __pfx_kthread+0x10/0x10[EOL][    8.516697]  ret_from_fork+0x82/0xf0[EOL][    8.516705]  ? __pfx_kthread+0x10/0x10[EOL][    8.516709]  ret_from_fork_asm+0x1a/0x30[EOL][    8.516718]  </TASK>

CREATE(Triage):(User=lchen-cn) [CVE-2025-38500 (https://nvd.nist.gov/vuln/detail/CVE-2025-38500)