ACK: Re: [SRU][J/N/P/Q][PATCH 0/1] CVE-2025-40018
Paolo Pisati
paolo.pisati at canonical.com
Wed Oct 29 16:37:34 UTC 2025
On Tue, Oct 28, 2025 at 02:02:11PM -0700, Tim Whisonant wrote:
> SRU Justification:
>
> [Impact]
>
> ipvs: Defer ip_vs_ftp unregister during netns cleanup
>
> On the netns cleanup path, __ip_vs_ftp_exit() may unregister ip_vs_ftp
> before connections with valid cp->app pointers are flushed, leading to a
> use-after-free.
>
> Fix this by introducing a global `exiting_module` flag, set to true in
> ip_vs_ftp_exit() before unregistering the pernet subsystem. In
> __ip_vs_ftp_exit(), skip ip_vs_ftp unregister if called during netns
> cleanup (when exiting_module is false) and defer it to
> __ip_vs_cleanup_batch(), which unregisters all apps after all connections
> are flushed. If called during module exit, unregister ip_vs_ftp
> immediately.
>
> [Fix]
>
> Questing: applied Jammy patch
> Plucky: applied Jammy patch
> Noble: applied Jammy patch
> Jammy: cherry picked from upstream
> Focal: submitted separately
> Bionic: patch sent to ESM ML
> Xenial: patch sent to ESM ML
> Trusty: out of scope (medium CVE)
>
> [Test Plan]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> The changes affect the IP Virtual Server for FTP, specifically
> the cleanup path, to address a use after free. Problems might
> manifest as mis-managed session cleanup, memory leaks, or
> UAF scenarios.
>
> Slavin Liu (1):
> ipvs: Defer ip_vs_ftp unregister during netns cleanup
>
> net/netfilter/ipvs/ip_vs_ftp.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> --
> 2.43.0
>
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
Acked-by: Paolo Pisati <paolo.pisati at canonical.com>
--
bye,
p.
More information about the kernel-team
mailing list