Description
In the Linux kernel, the following vulnerability has been resolved: gtp: Fix use-after-free in __gtp_encap_destroy().

syzkaller reported use-after-free in __gtp_encap_destroy(). [0] It shows the same process freed sk and touched it illegally.

Commit e198987e7dd7 ("gtp: fix suspicious RCU usage") added lock_sock() and release_sock() in __gtp_encap_destroy() to protect sk->sk_user_data, but release_sock() is called after sock_put() releases the last refcnt.

[0]:
BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
BUG: KASAN: slab-use-after-free in atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline]
BUG: KASAN: slab-use-after-free in queued_spin_lock include/asm-generic/qspinlock.h:111 [inline]
BUG: KASAN: slab-use-after-free in do_raw_spin_lock include/linux/spinlock.h:186 [inline]
BUG: KASAN: slab-use-after-free in __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline]
BUG: KASAN: slab-use-after-free in _raw_spin_lock_bh+0x75/0xe0 kernel/locking/spinlock.c:178
Write of size 4 at addr ffff88800dbef398 by task syz-executor.2/2401

CPU: 1 PID: 2401 Comm: syz-executor.2 Not tainted 6.4.0-rc5-01219-gfa0e21fa4443 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x72/0xa0 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:351 [inline]
 print_report+0xcc/0x620 mm/kasan/report.c:462
 kasan_report+0xb2/0xe0 mm/kasan/report.c:572
 check_region_inline mm/kasan/generic.c:181 [inline]
 kasan_check_range+0x39/0x1c0 mm/kasan/generic.c:187
 instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
 atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline]
 queued_spin_lock include/asm-generic/qspinlock.h:111 [inline]
 do_raw_spin_lock include/linux/spinlock.h:186 [inline]
 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline]
 _raw_spin_lock_bh+0x75/0xe0 kernel/locking/spinlock.c:178
 spin_lock_bh include/linux/spinlock.h:355 [inline]
 release_sock+0x1f/0x1a0 net/core/sock.c:3526
 gtp_encap_disable_sock drivers/net/gtp.c:651 [inline]
 gtp_encap_disable+0xb9/0x220 drivers/net/gtp.c:664
 gtp_dev_uninit+0x19/0x50 drivers/net/gtp.c:728
 unregister_netdevice_many_notify+0x97e/0x1520 net/core/dev.c:10841
 rtnl_delete_link net/core/rtnetlink.c:3216 [inline]
 rtnl_dellink+0x3c0/0xb30 net/core/rtnetlink.c:3268
 rtnetlink_rcv_msg+0x450/0xb10 net/core/rtnetlink.c:6423
 netlink_rcv_skb+0x15d/0x450 net/netlink/af_netlink.c:2548
 netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
 netlink_unicast+0x700/0x930 net/netlink/af_netlink.c:1365
 netlink_sendmsg+0x91c/0xe30 net/netlink/af_netlink.c:1913
 sock_sendmsg_nosec net/socket.c:724 [inline]
 sock_sendmsg+0x1b7/0x200 net/socket.c:747
 ____sys_sendmsg+0x75a/0x990 net/socket.c:2493
 ___sys_sendmsg+0x11d/0x1c0 net/socket.c:2547
 __sys_sendmsg+0xfe/0x1d0 net/socket.c:2576
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x7f1168b1fe5d
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48
RSP: 002b:00007f1167edccc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000004bbf80 RCX: 00007f1168b1fe5d
RDX: 0000000000000000 RSI: 00000000200002c0 RDI: 0000000000000003
RBP: 00000000004bbf80 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f1168b80530 R15: 0000000000000000
 </TASK>

Allocated by task 1483:
 kasan_save_stack+0x22/0x50 mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 mm/kasan/common.c:52
 __kasan_slab_alloc+0x ---truncated---
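The ordering defect the description identifies, reduced to a user-space model. This is an added example, not kernel code and not the patch from the referenced commits: the names toy_sock, toy_lock_sock, toy_release_sock and toy_sock_put are made up to mimic lock_sock()/release_sock() and sock_put(), the socket starts with a single reference on the assumption that, as in the syzkaller run, the GTP device's own reference is the last one, and a poison bit plus a counter stand in for the slab free and for KASAN. The "fixed" variant simply drops the lock before the reference, which is what the description's statement of the bug implies.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Toy stand-in for struct sock. Hypothetical type, modelled on the fields
 * the bug touches: the refcount, the owner lock and sk_user_data. */
struct toy_sock {
    int refcnt;        /* sk->sk_refcnt */
    bool owned;        /* sk->sk_lock.owned */
    void *sk_user_data;
    bool freed;        /* poison bit: set when the last reference is dropped */
};

/* Accesses to a socket after its last reference was dropped. KASAN played
 * this role in the report; here it is a plain counter. */
static int freed_touches;

static void touch(struct toy_sock *sk)
{
    if (sk->freed)
        freed_touches++;
}

static struct toy_sock *toy_sk_alloc(void)
{
    struct toy_sock *sk = calloc(1, sizeof(*sk));
    if (!sk)
        abort();
    sk->refcnt = 1;    /* assumed: only the GTP device's reference remains */
    return sk;
}

static void toy_lock_sock(struct toy_sock *sk)
{
    touch(sk);         /* lock_sock() writes sk->sk_lock.owned */
    sk->owned = true;
}

static void toy_release_sock(struct toy_sock *sk)
{
    touch(sk);         /* release_sock() takes sk->sk_lock.slock: the 4-byte write in the report */
    sk->owned = false;
}

static void toy_sock_put(struct toy_sock *sk)
{
    touch(sk);
    if (--sk->refcnt == 0)
        sk->freed = true;   /* a real sock_put() frees sk here; the memory is
                             * kept only so later touches can be counted */
}

/* Ordering the description reports: the last reference is dropped while the
 * socket is still locked, so release_sock() runs on freed memory. */
static void encap_destroy_buggy(struct toy_sock *sk)
{
    toy_lock_sock(sk);
    touch(sk);
    sk->sk_user_data = NULL;
    toy_sock_put(sk);
    toy_release_sock(sk);   /* use-after-free */
}

/* Ordering implied by the description: release the lock first, then drop the
 * reference that may free the socket, and never touch sk afterwards. */
static void encap_destroy_fixed(struct toy_sock *sk)
{
    toy_lock_sock(sk);
    touch(sk);
    sk->sk_user_data = NULL;
    toy_release_sock(sk);
    toy_sock_put(sk);
}

/* Runs one teardown on a fresh socket and returns how many accesses hit freed
 * memory: 0 is clean, anything else is the bug. */
int count_freed_touches(bool fixed)
{
    struct toy_sock *sk = toy_sk_alloc();
    int device;                  /* constructed stand-in for the gtp_dev pointer */

    freed_touches = 0;
    sk->sk_user_data = &device;
    if (fixed)
        encap_destroy_fixed(sk);
    else
        encap_destroy_buggy(sk);
    free(sk);                    /* give the quarantined memory back for real */
    return freed_touches;
}

int main(void)
{
    /* buggy ordering: one touch after free; fixed ordering: none */
    return (count_freed_touches(false) == 1 && count_freed_touches(true) == 0) ? 0 : 1;
}
```

The model keeps the freed object around so the stray access can be counted; in the kernel the same write lands on a slab object that may already be reused, which is why the failure only became visible with KASAN. The general rule the example illustrates is that a lock embedded in a refcounted object must be released before the reference that keeps the object alive is dropped.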
Product status
01f3c64e405ab3d25887d080a103ad76f30661d2 (git) before d38039697184aacff1cf576e14ef583112fdefef
e117a04133c673cc54292e12086a8177cd9bd4a4 (git) before e5aa6d829831a55a693dbaeb58f8d22ba7f2b3e6
e198987e7dd7d3645a53875151cd6f8fc425b706 (git) before 9c9662e2512b5e4ee7b03108802c5222e0fa77a4
e198987e7dd7d3645a53875151cd6f8fc425b706 (git) before bccc7ace12e69dee4684a3bb4b69737972e570d6
e198987e7dd7d3645a53875151cd6f8fc425b706 (git) before ebd6d2077a083329110695a996c00e8ca94bc640
e198987e7dd7d3645a53875151cd6f8fc425b706 (git) before 17d6b6354f0025b7c10a56da783fd0cbb3819c5d
e198987e7dd7d3645a53875151cd6f8fc425b706 (git) before dae6095bdb24f537b4798ffd9201515b97bac94e
e198987e7dd7d3645a53875151cd6f8fc425b706 (git) before 58fa341327fdb4bdf92597fd8796a9abc8d20ea3
e198987e7dd7d3645a53875151cd6f8fc425b706 (git) before ce3aee7114c575fab32a5e9e939d4bbb3dcca79f
bf75202df8e473d4ee914894542f213158066d8b (git)
76357f65f18f180f44ccbbbf713461881d0ab219 (git)
5.3
Any version before 5.3
4.14.322 (semver)
4.19.291 (semver)
5.4.251 (semver)
5.10.188 (semver)
5.15.121 (semver)
6.1.39 (semver)
6.3.13 (semver)
6.4.4 (semver)
6.5 (original_commit_for_fix)
References
git.kernel.org/...c/d38039697184aacff1cf576e14ef583112fdefef
git.kernel.org/...c/e5aa6d829831a55a693dbaeb58f8d22ba7f2b3e6
git.kernel.org/...c/9c9662e2512b5e4ee7b03108802c5222e0fa77a4
git.kernel.org/...c/bccc7ace12e69dee4684a3bb4b69737972e570d6
git.kernel.org/...c/ebd6d2077a083329110695a996c00e8ca94bc640
git.kernel.org/...c/17d6b6354f0025b7c10a56da783fd0cbb3819c5d
git.kernel.org/...c/dae6095bdb24f537b4798ffd9201515b97bac94e
git.kernel.org/...c/58fa341327fdb4bdf92597fd8796a9abc8d20ea3
git.kernel.org/...c/ce3aee7114c575fab32a5e9e939d4bbb3dcca79f
Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.