{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-38129","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T04:51:23.987Z","datePublished":"2025-07-03T08:35:33.728Z","dateUpdated":"2026-05-11T21:21:49.361Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:21:49.361Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\npage_pool: Fix use-after-free in page_pool_recycle_in_ring\n\nsyzbot reported a uaf in page_pool_recycle_in_ring:\n\nBUG: KASAN: slab-use-after-free in lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862\nRead of size 8 at addr ffff8880286045a0 by task syz.0.284/6943\n\nCPU: 0 UID: 0 PID: 6943 Comm: syz.0.284 Not tainted 6.13.0-rc3-syzkaller-gdfa94ce54f41 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:489\n kasan_report+0x143/0x180 mm/kasan/report.c:602\n lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862\n __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:165 [inline]\n _raw_spin_unlock_bh+0x1b/0x40 kernel/locking/spinlock.c:210\n spin_unlock_bh include/linux/spinlock.h:396 [inline]\n ptr_ring_produce_bh include/linux/ptr_ring.h:164 [inline]\n page_pool_recycle_in_ring net/core/page_pool.c:707 [inline]\n page_pool_put_unrefed_netmem+0x748/0xb00 net/core/page_pool.c:826\n page_pool_put_netmem include/net/page_pool/helpers.h:323 [inline]\n page_pool_put_full_netmem include/net/page_pool/helpers.h:353 [inline]\n napi_pp_put_page+0x149/0x2b0 net/core/skbuff.c:1036\n skb_pp_recycle net/core/skbuff.c:1047 [inline]\n skb_free_head net/core/skbuff.c:1094 [inline]\n skb_release_data+0x6c4/0x8a0 net/core/skbuff.c:1125\n skb_release_all net/core/skbuff.c:1190 [inline]\n __kfree_skb net/core/skbuff.c:1204 [inline]\n sk_skb_reason_drop+0x1c9/0x380 net/core/skbuff.c:1242\n kfree_skb_reason include/linux/skbuff.h:1263 [inline]\n __skb_queue_purge_reason include/linux/skbuff.h:3343 [inline]\n\nroot cause is:\n\npage_pool_recycle_in_ring\n  ptr_ring_produce\n    spin_lock(&r->producer_lock);\n    WRITE_ONCE(r->queue[r->producer++], ptr)\n      //recycle last page to pool\n\t\t\t\tpage_pool_release\n\t\t\t\t  page_pool_scrub\n\t\t\t\t    page_pool_empty_ring\n\t\t\t\t      ptr_ring_consume\n\t\t\t\t      page_pool_return_page  //release all page\n\t\t\t\t  __page_pool_destroy\n\t\t\t\t     free_percpu(pool->recycle_stats);\n\t\t\t\t     free(pool) //free\n\n     spin_unlock(&r->producer_lock); //pool->ring uaf read\n  recycle_stat_inc(pool, ring);\n\npage_pool can be free while page pool recycle the last page in ring.\nAdd producer-lock barrier to page_pool_release to prevent the page\npool from being free before all pages have been recycled.\n\nrecycle_stat_inc() is empty when CONFIG_PAGE_POOL_STATS is not\nenabled, which will trigger Wempty-body build warning. Add definition\nfor pool stat macro to fix warning."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/core/page_pool.c"],"versions":[{"version":"ff7d6b27f894f1469dc51ccb828b7363ccd9799f","lessThan":"d69f28ef7cdafdcf37ee310f38b1399e7d05f9a8","status":"affected","versionType":"git"},{"version":"ff7d6b27f894f1469dc51ccb828b7363ccd9799f","lessThan":"1a8c0b61d4cb55c5440583ec9e7f86a730369e32","status":"affected","versionType":"git"},{"version":"ff7d6b27f894f1469dc51ccb828b7363ccd9799f","lessThan":"4914c0a166540e534a0c1d43affd329d95fb56fd","status":"affected","versionType":"git"},{"version":"ff7d6b27f894f1469dc51ccb828b7363ccd9799f","lessThan":"e869a85acc2e60dc554579b910826a4919d8cd98","status":"affected","versionType":"git"},{"version":"ff7d6b27f894f1469dc51ccb828b7363ccd9799f","lessThan":"4ab8c0f8905c9c4d05e7f437e65a9a365573ff02","status":"affected","versionType":"git"},{"version":"ff7d6b27f894f1469dc51ccb828b7363ccd9799f","lessThan":"271683bb2cf32e5126c592b5d5e6a756fa374fd9","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/core/page_pool.c"],"versions":[{"version":"4.18","status":"affected"},{"version":"0","lessThan":"4.18","status":"unaffected","versionType":"semver"},{"version":"5.15.198","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.160","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.120","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.34","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.15.3","lessThanOrEqual":"6.15.*","status":"unaffected","versionType":"semver"},{"version":"6.16","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.18","versionEndExcluding":"5.15.198"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.18","versionEndExcluding":"6.1.160"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.18","versionEndExcluding":"6.6.120"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.18","versionEndExcluding":"6.12.34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.18","versionEndExcluding":"6.15.3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.18","versionEndExcluding":"6.16"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/d69f28ef7cdafdcf37ee310f38b1399e7d05f9a8"},{"url":"https://git.kernel.org/stable/c/1a8c0b61d4cb55c5440583ec9e7f86a730369e32"},{"url":"https://git.kernel.org/stable/c/4914c0a166540e534a0c1d43affd329d95fb56fd"},{"url":"https://git.kernel.org/stable/c/e869a85acc2e60dc554579b910826a4919d8cd98"},{"url":"https://git.kernel.org/stable/c/4ab8c0f8905c9c4d05e7f437e65a9a365573ff02"},{"url":"https://git.kernel.org/stable/c/271683bb2cf32e5126c592b5d5e6a756fa374fd9"}],"title":"page_pool: Fix use-after-free in page_pool_recycle_in_ring","x_generator":{"engine":"bippy-1.2.0"}}}}