APPLIED: [SRU][J/N/P/Q][PATCH 0/1] CVE-2025-40018

Stefan Bader stefan.bader at canonical.com
Fri Oct 31 10:24:23 UTC 2025 

On 28/10/2025 22:02, Tim Whisonant wrote:
> SRU Justification:
> 
> [Impact]
> 
> ipvs: Defer ip_vs_ftp unregister during netns cleanup
> 
> On the netns cleanup path, __ip_vs_ftp_exit() may unregister ip_vs_ftp
> before connections with valid cp->app pointers are flushed, leading to a
> use-after-free.
> 
> Fix this by introducing a global `exiting_module` flag, set to true in
> ip_vs_ftp_exit() before unregistering the pernet subsystem. In
> __ip_vs_ftp_exit(), skip ip_vs_ftp unregister if called during netns
> cleanup (when exiting_module is false) and defer it to
> __ip_vs_cleanup_batch(), which unregisters all apps after all connections
> are flushed. If called during module exit, unregister ip_vs_ftp
> immediately.
> 
> [Fix]
> 
> Questing: applied Jammy patch
> Plucky:   applied Jammy patch
> Noble:    applied Jammy patch
> Jammy:    cherry picked from upstream
> Focal:    submitted separately
> Bionic:   patch sent to ESM ML
> Xenial:   patch sent to ESM ML
> Trusty:   out of scope (medium CVE)
> 
> [Test Plan]
> 
> Compile and boot tested.
> 
> [Where problems could occur]
> 
> The changes affect the IP Virtual Server for FTP, specifically
> the cleanup path, to address a use after free. Problems might
> manifest as mis-managed session cleanup, memory leaks, or
> UAF scenarios.
> 
> Slavin Liu (1):
>    ipvs: Defer ip_vs_ftp unregister during netns cleanup
> 
>   net/netfilter/ipvs/ip_vs_ftp.c | 4 +++-
>   1 file changed, 3 insertions(+), 1 deletion(-)
> 


Applied to questing,plucky,noble,jammy:linux/master-next. Thanks.

-Stefan

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xE8675DEECBEECEA3.asc
Type: application/pgp-keys
Size: 48643 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20251031/97d0a6f3/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20251031/97d0a6f3/attachment-0001.sig>

More information about the kernel-team mailing list