THREATINT
PUBLISHED

CVE-2025-23154

io_uring/net: fix io_req_post_cqe abuse by send bundle



Description

In the Linux kernel, the following vulnerability has been resolved:

io_uring/net: fix io_req_post_cqe abuse by send bundle

[ 114.987980][ T5313] WARNING: CPU: 6 PID: 5313 at io_uring/io_uring.c:872 io_req_post_cqe+0x12e/0x4f0
[ 114.991597][ T5313] RIP: 0010:io_req_post_cqe+0x12e/0x4f0
[ 115.001880][ T5313] Call Trace:
[ 115.002222][ T5313] <TASK>
[ 115.007813][ T5313] io_send+0x4fe/0x10f0
[ 115.009317][ T5313] io_issue_sqe+0x1a6/0x1740
[ 115.012094][ T5313] io_wq_submit_work+0x38b/0xed0
[ 115.013223][ T5313] io_worker_handle_work+0x62a/0x1600
[ 115.013876][ T5313] io_wq_worker+0x34f/0xdf0

As the comment states, io_req_post_cqe() should only be used by multishot requests, i.e. REQ_F_APOLL_MULTISHOT, which bundled sends are not. Add a flag signifying whether a request wants to post multiple CQEs. Eventually REQ_F_APOLL_MULTISHOT should imply the new flag, but that's left out for simplicity.

Reserved 2025-01-11 | Published 2025-05-01 | Updated 2025-05-26 | Assigner Linux

Product status

Git commit ranges (default status: unaffected)

a05d1f625c7aa681d8816bc0f10089289ad07aad before b7c6d081c19a5e11bbd77bb97a62cff2b6b21cb5: affected
a05d1f625c7aa681d8816bc0f10089289ad07aad before 7888c9fc0b2d3636f2e821ed1ad3c6920fa8e378: affected
a05d1f625c7aa681d8816bc0f10089289ad07aad before 9aa804e6b9696998308095fb9d335046a71550f1: affected
a05d1f625c7aa681d8816bc0f10089289ad07aad before 6889ae1b4df1579bcdffef023e2ea9a982565dff: affected

Kernel versions (default status: affected)

6.10: affected
Any version before 6.10: unaffected
6.12.24: unaffected
6.13.12: unaffected
6.14.3: unaffected
6.15: unaffected

References

git.kernel.org/...c/b7c6d081c19a5e11bbd77bb97a62cff2b6b21cb5

git.kernel.org/...c/7888c9fc0b2d3636f2e821ed1ad3c6920fa8e378

git.kernel.org/...c/9aa804e6b9696998308095fb9d335046a71550f1

git.kernel.org/...c/6889ae1b4df1579bcdffef023e2ea9a982565dff

cve.org (CVE-2025-23154)

nvd.nist.gov (CVE-2025-23154)
