Bug 2360270 (CVE-2025-22057) - CVE-2025-22057 kernel: net: decrease cached dst counters in dst_release
Summary: CVE-2025-22057 kernel: net: decrease cached dst counters in dst_release
Keywords:
Status: NEW
Alias: CVE-2025-22057
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2025-04-16 15:05 UTC by OSIDB Bzimport
Modified: 2025-04-17 09:29 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2025-04-16 15:05:40 UTC
In the Linux kernel, the following vulnerability has been resolved:

net: decrease cached dst counters in dst_release

Upstream fix ac888d58869b ("net: do not delay dst_entries_add() in
dst_release()") moved decrementing the dst count from dst_destroy to
dst_release to avoid accessing already freed data in case of netns
dismantle. However in case CONFIG_DST_CACHE is enabled and OvS+tunnels
are used, this fix is incomplete as the same issue will be seen for
cached dsts:

  Unable to handle kernel paging request at virtual address ffff5aabf6b5c000
  Call trace:
   percpu_counter_add_batch+0x3c/0x160 (P)
   dst_release+0xec/0x108
   dst_cache_destroy+0x68/0xd8
   dst_destroy+0x13c/0x168
   dst_destroy_rcu+0x1c/0xb0
   rcu_do_batch+0x18c/0x7d0
   rcu_core+0x174/0x378
   rcu_core_si+0x18/0x30

Fix this by invalidating the cache, and thus decrementing cached dst
counters, in dst_release too.
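
A log-triage helper for the oops quoted above, added here as an example and not part of the bug report or the upstream fix: it extracts call traces from kernel log text and flags those whose frames contain the reported sequence in order. The function names and the second sample trace are constructed for illustration; a match indicates the same crash path, not a confirmed diagnosis.

```python
import re
# Frames from the oops quoted in this bug, innermost first.
SIGNATURE = ["percpu_counter_add_batch", "dst_release",
             "dst_cache_destroy", "dst_destroy"]
HEADER = re.compile(r"call trace:", re.IGNORECASE)
# Optional dmesg timestamp, then "symbol+0xoffset/0xsize".
FRAME = re.compile(r"^\s*(?:\[\s*\d+\.\d+\]\s*)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")

def call_traces(log_text):
    frames = None                      # None: not inside a trace
    for line in log_text.splitlines():
        if HEADER.search(line):
            if frames:
                yield frames
            frames = []
        elif frames is not None:
            m = FRAME.match(line)
            if m:
                frames.append(m.group(1))
            elif frames:               # first non-frame line ends the trace
                yield frames
                frames = None
    if frames:
        yield frames

def matches_signature(frames):
    """True if SIGNATURE occurs in order; other frames may sit in between."""
    remaining = iter(frames)
    return all(want in remaining for want in SIGNATURE)

def find_dst_cache_crashes(log_text):
    return [t for t in call_traces(log_text) if matches_signature(t)]

# First trace: copied from this bug. Second: constructed, unrelated.
SAMPLE_LOG = """\
  Call trace:
   percpu_counter_add_batch+0x3c/0x160 (P)
   dst_release+0xec/0x108
   dst_cache_destroy+0x68/0xd8
   dst_destroy+0x13c/0x168
   dst_destroy_rcu+0x1c/0xb0
   rcu_do_batch+0x18c/0x7d0
   rcu_core+0x174/0x378
   rcu_core_si+0x18/0x30
[  900.000001] Call trace:
[  900.000002]  dst_release+0x10/0x108
"""

if __name__ == "__main__":
    print(find_dst_cache_crashes(SAMPLE_LOG))
```

The in-order match tolerates extra frames between the four signature symbols, so traces from builds with different inlining still match, while a trace that merely contains dst_release does not.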

Comment 1 Avinash Hanwate 2025-04-17 08:18:08 UTC
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025041605-CVE-2025-22057-fb12@gregkh/T

