Bug 2383509 (CVE-2025-38464) - CVE-2025-38464 kernel: tipc: Fix use-after-free in tipc_conn_close()
Keywords:
Status: NEW
Alias: CVE-2025-38464
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2025-07-25 16:03 UTC by OSIDB Bzimport
Modified: 2025-10-16 08:15 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2025:14985 | 0 | None | None | None | 2025-09-02 01:47:04 UTC
Red Hat Product Errata | RHSA-2025:15005 | 0 | None | None | None | 2025-09-02 06:45:28 UTC
Red Hat Product Errata | RHSA-2025:15008 | 0 | None | None | None | 2025-09-02 04:19:37 UTC
Red Hat Product Errata | RHSA-2025:15009 | 0 | None | None | None | 2025-09-02 02:53:06 UTC
Red Hat Product Errata | RHSA-2025:15011 | 0 | None | None | None | 2025-09-02 06:54:26 UTC
Red Hat Product Errata | RHSA-2025:15224 | 0 | None | None | None | 2025-09-04 01:15:32 UTC
Red Hat Product Errata | RHSA-2025:15227 | 0 | None | None | None | 2025-09-04 01:45:50 UTC
Red Hat Product Errata | RHSA-2025:15647 | 0 | None | None | None | 2025-09-10 16:13:52 UTC
Red Hat Product Errata | RHSA-2025:15656 | 0 | None | None | None | 2025-09-10 18:23:10 UTC
Red Hat Product Errata | RHSA-2025:15658 | 0 | None | None | None | 2025-09-10 20:42:29 UTC
Red Hat Product Errata | RHSA-2025:15660 | 0 | None | None | None | 2025-09-11 01:49:02 UTC
Red Hat Product Errata | RHSA-2025:15668 | 0 | None | None | None | 2025-09-11 06:36:11 UTC
Red Hat Product Errata | RHSA-2025:15670 | 0 | None | None | None | 2025-09-11 07:35:31 UTC

Description OSIDB Bzimport 2025-07-25 16:03:19 UTC
In the Linux kernel, the following vulnerability has been resolved:

tipc: Fix use-after-free in tipc_conn_close().

syzbot reported a null-ptr-deref in tipc_conn_close() during netns
dismantle. [0]

tipc_topsrv_stop() iterates tipc_net(net)->topsrv->conn_idr and calls
tipc_conn_close() for each tipc_conn.

The problem is that tipc_conn_close() is called after releasing the
IDR lock.

At the same time, there might be tipc_conn_recv_work() running and it
could call tipc_conn_close() for the same tipc_conn and release its
last ->kref.

Once we release the IDR lock in tipc_topsrv_stop(), there is no
guarantee that the tipc_conn is alive.

Let's hold the ref before releasing the lock and put the ref after
tipc_conn_close() in tipc_topsrv_stop().

[0]:
BUG: KASAN: use-after-free in tipc_conn_close+0x122/0x140 net/tipc/topsrv.c:165
Read of size 8 at addr ffff888099305a08 by task kworker/u4:3/435

CPU: 0 PID: 435 Comm: kworker/u4:3 Not tainted 4.19.204-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: netns cleanup_net
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
 print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
 kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354
 kasan_report mm/kasan/report.c:412 [inline]
 __asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433
 tipc_conn_close+0x122/0x140 net/tipc/topsrv.c:165
 tipc_topsrv_stop net/tipc/topsrv.c:701 [inline]
 tipc_topsrv_exit_net+0x27b/0x5c0 net/tipc/topsrv.c:722
 ops_exit_list+0xa5/0x150 net/core/net_namespace.c:153
 cleanup_net+0x3b4/0x8b0 net/core/net_namespace.c:553
 process_one_work+0x864/0x1570 kernel/workqueue.c:2153
 worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
 kthread+0x33f/0x460 kernel/kthread.c:259
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

Allocated by task 23:
 kmem_cache_alloc_trace+0x12f/0x380 mm/slab.c:3625
 kmalloc include/linux/slab.h:515 [inline]
 kzalloc include/linux/slab.h:709 [inline]
 tipc_conn_alloc+0x43/0x4f0 net/tipc/topsrv.c:192
 tipc_topsrv_accept+0x1b5/0x280 net/tipc/topsrv.c:470
 process_one_work+0x864/0x1570 kernel/workqueue.c:2153
 worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
 kthread+0x33f/0x460 kernel/kthread.c:259
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

Freed by task 23:
 __cache_free mm/slab.c:3503 [inline]
 kfree+0xcc/0x210 mm/slab.c:3822
 tipc_conn_kref_release net/tipc/topsrv.c:150 [inline]
 kref_put include/linux/kref.h:70 [inline]
 conn_put+0x2cd/0x3a0 net/tipc/topsrv.c:155
 process_one_work+0x864/0x1570 kernel/workqueue.c:2153
 worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
 kthread+0x33f/0x460 kernel/kthread.c:259
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

The buggy address belongs to the object at ffff888099305a00
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 8 bytes inside of
 512-byte region [ffff888099305a00, ffff888099305c00)
The buggy address belongs to the page:
page:ffffea000264c140 count:1 mapcount:0 mapping:ffff88813bff0940 index:0x0
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffffea00028b6b88 ffffea0002cd2b08 ffff88813bff0940
raw: 0000000000000000 ffff888099305000 0000000100000006 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888099305900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888099305980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888099305a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff888099305a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888099305b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
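
The lifetime rule in the description above, as a deterministic userspace model added here (not the kernel's code or the upstream patch). All names (`struct conn`, `table`, `conn_put`, `conn_close`, `topsrv_stop`, `hold_ref`) are illustrative assumptions; the concurrent worker is simulated by a first `conn_close()` call after the unlock, and "freeing" only clears a `live` flag so the stale access can be counted safely.

```c
#include <pthread.h>
#include <stdio.h>
#define NCONN 3
struct conn { int refs, connected, live; };   /* stand-in for tipc_conn */
static struct conn table[NCONN];              /* stand-in for conn_idr */
static pthread_mutex_t table_lock = PTHREAD_MUTEX_INITIALIZER;
static int stale_accesses;                    /* uses of a released conn */

static void conn_put(struct conn *c)
{
    if (--c->refs == 0)
        c->live = 0;                          /* kfree() in the kernel */
}

static void conn_close(struct conn *c)
{
    if (!c->live) {
        stale_accesses++;                     /* where KASAN would fire */
    } else if (c->connected) {
        c->connected = 0;                     /* first closer drops the */
        conn_put(c);                          /* connection's own ref */
    }
}

/* Receive worker is modelled as closing each conn right after the unlock. */
int topsrv_stop(int hold_ref)
{
    stale_accesses = 0;
    for (int i = 0; i < NCONN; i++)
        table[i] = (struct conn){ .refs = 1, .connected = 1, .live = 1 };
    for (int i = 0; i < NCONN; i++) {
        struct conn *c = &table[i];
        pthread_mutex_lock(&table_lock);      /* lookup happens under lock */
        if (hold_ref)
            c->refs++;                        /* the fix: pin before unlock */
        pthread_mutex_unlock(&table_lock);
        conn_close(c);                        /* concurrent worker closes first */
        conn_close(c);                        /* stopper's close, lock not held */
        if (hold_ref)
            conn_put(c);                      /* unpin; last ref releases */
    }
    return stale_accesses;
}

int main(void)
{
    printf("unpinned: %d stale, pinned: %d stale\n", topsrv_stop(0), topsrv_stop(1));
    return 0;
}
```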

Comment 3 errata-xmlrpc 2025-09-02 01:47:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2025:14985 https://access.redhat.com/errata/RHSA-2025:14985

Comment 4 errata-xmlrpc 2025-09-02 02:53:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:15009 https://access.redhat.com/errata/RHSA-2025:15009

Comment 5 errata-xmlrpc 2025-09-02 04:19:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:15008 https://access.redhat.com/errata/RHSA-2025:15008

Comment 6 errata-xmlrpc 2025-09-02 06:45:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:15005 https://access.redhat.com/errata/RHSA-2025:15005

Comment 7 errata-xmlrpc 2025-09-02 06:54:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:15011 https://access.redhat.com/errata/RHSA-2025:15011

Comment 8 errata-xmlrpc 2025-09-04 01:15:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2025:15224 https://access.redhat.com/errata/RHSA-2025:15224

Comment 9 errata-xmlrpc 2025-09-04 01:45:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2025:15227 https://access.redhat.com/errata/RHSA-2025:15227

Comment 10 errata-xmlrpc 2025-09-10 16:13:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2025:15647 https://access.redhat.com/errata/RHSA-2025:15647

Comment 11 errata-xmlrpc 2025-09-10 18:23:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support

Via RHSA-2025:15656 https://access.redhat.com/errata/RHSA-2025:15656

Comment 12 errata-xmlrpc 2025-09-10 20:42:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:15658 https://access.redhat.com/errata/RHSA-2025:15658

Comment 13 errata-xmlrpc 2025-09-11 01:49:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On

Via RHSA-2025:15660 https://access.redhat.com/errata/RHSA-2025:15660

Comment 14 errata-xmlrpc 2025-09-11 06:36:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:15668 https://access.redhat.com/errata/RHSA-2025:15668

Comment 15 errata-xmlrpc 2025-09-11 07:35:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:15670 https://access.redhat.com/errata/RHSA-2025:15670
