CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-21865: gtp: Suppress list corruption splat in gtp_net_exit_batch_rtnl().

Description

In the Linux kernel, the following vulnerability has been resolved:

gtp: Suppress list corruption splat in gtp_net_exit_batch_rtnl().

Brad Spengler reported the list_del() corruption splat in
gtp_net_exit_batch_rtnl(). [0]

Commit eb28fd76c0a0 ("gtp: Destroy device along with udp socket's netns
dismantle.") added the for_each_netdev() loop in gtp_net_exit_batch_rtnl()
to destroy devices in each netns as done in geneve and ip tunnels.

However, this could trigger ->dellink() twice for the same device during
->exit_batch_rtnl().

Say we have two netns A & B and gtp device B that resides in netns B but
whose UDP socket is in netns A.

1. cleanup_net() processes netns A and then B.

2. gtp_net_exit_batch_rtnl() finds the device B while iterating
netns A's gn->gtp_dev_list and calls ->dellink().

[ device B is not yet unlinked from netns B
as unregister_netdevice_many() has not been called. ]

3. gtp_net_exit_batch_rtnl() finds the device B while iterating
netns B's for_each_netdev() and calls ->dellink().

gtp_dellink() cleans up the device's hash table, unlinks the dev from
gn->gtp_dev_list, and calls unregister_netdevice_queue().

Basically, calling gtp_dellink() multiple times is fine unless
CONFIG_DEBUG_LIST is enabled.

Let's remove for_each_netdev() in gtp_net_exit_batch_rtnl() and
delegate the destruction to default_device_exit_batch() as done
in bareudp.

[0]:
list_del corruption, ffff8880aaa62c00->next (autoslab_size_M_dev_P_net_core_dev_11127_...

Classification

CVE ID: CVE-2025-21865

Affected Products

Vendor: Linux, Linux

Product: Linux, Linux

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.02% (probability of being exploited)

EPSS Percentile: 1.78% (scored less or equal to compared to others)

EPSS Date: 2025-04-10 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-21865
https://git.kernel.org/stable/c/b70fa591b066d52b141fc430ffdee35b6cc87a66
https://git.kernel.org/stable/c/9d03e7e37187ae140e716377599493987fb20c5b
https://git.kernel.org/stable/c/ff81b14010362f6188ca26fec22ff05e4da45595
https://git.kernel.org/stable/c/37e7644b961600ef0beb01d3970c3034a62913af
https://git.kernel.org/stable/c/4ccacf86491d33d2486b62d4d44864d7101b299d

Timeline

2025-03-12 10:40:26 UTC
CVE

gtp: Suppress list corruption splat in gtp_net_exit_batch_rtnl().