ACK: [SRU][N][PATCH 0/1] CVE-2025-40297

Cengiz Can cengiz.can at canonical.com
Wed Jan 7 12:39:14 UTC 2026


On Tue, 06 Jan 2026 at 17:54:38 -0800, Tim Whisonant
<tim.whisonant at canonical.com> wrote:
> SRU Justification:
> 
> [Impact]
> 
> net: bridge: fix use-after-free due to MST port state bypass
> 
> syzbot reported[1] a use-after-free when deleting an expired fdb. It
> is due to a race condition between learning still happening and a
> port being deleted, after all its fdbs have been flushed. The port's
> state has been toggled to disabled so no learning should happen at
> that time, but if we have MST enabled, it will bypass the port's
> state, that together with VLAN filtering disabled can lead to fdb
> learning at a time when it shouldn't happen while the port is being
> deleted. VLAN filtering must be disabled because we flush the port
> VLANs when it's being deleted which will stop learning. This fix adds
> a check for the port's vlan group which is initialized to NULL when
> the port is getting deleted, that avoids the port state bypass. When
> MST is enabled there would be a minimal new overhead in the fast-path
> because the port's vlan group pointer is cache-hot.
> 
> [1] https://syzkaller.appspot.com/bug?extid=dd280197f0f7ab3917be
> 
> [Fix]
> 
> Questing: fixed separately
> Noble:    cherry picked from upstream
> Jammy:    not affected
> Focal:    not affected
> Bionic:   not affected
> Xenial:   not affected
> Trusty:   not affected
> 
> [Test Plan]
> 
> Compile and boot tested.
> 
> [Where problems could occur]
> 
> The changes prevent a use-after-free scenario in the networking
> stack, specifically when deleting a forwarding database when
> in Multiple Spanning Tree mode. Issues might appear as errors
> in the port learning and forwarding state machine.
> 
> Nikolay Aleksandrov (1):
>   net: bridge: fix use-after-free due to MST port state bypass
> 
>  net/bridge/br_forward.c | 2 +-
>  net/bridge/br_input.c   | 4 ++--
>  net/bridge/br_private.h | 8 +++++---
>  3 files changed, 8 insertions(+), 6 deletions(-)
> 
> -- 
> 2.43.0
> 
> 
> -- 
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

Acked-by: Cengiz Can <cengiz.can at canonical.com>
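
The ordering of checks described in the quoted [Impact] section, as a simplified user-space model added here for illustration. It is not the kernel patch or code from this thread; every struct and function name is hypothetical, and RCU and locking are not modelled.

```c
#include <stdbool.h>
#include <stddef.h>
/* Hypothetical, simplified model: names are illustrative, not the kernel's. */
enum port_state { ST_DISABLED, ST_LEARNING, ST_FORWARDING };
struct vlan_group { int num_vlans; };
struct port {
    enum port_state state;
    struct vlan_group *vlgrp;  /* NULL once port deletion has started */
    bool mst_enabled;          /* bridge option */
    bool vlan_filtering;       /* bridge option */
};

/* Before the fix: MST alone is enough to skip the port state check. */
static bool mst_bypass_before(const struct port *p) { return p->mst_enabled; }

/* After the fix: a port with no vlan group is being deleted, so no bypass. */
static bool mst_bypass_after(const struct port *p)
{
    return p->mst_enabled && p->vlgrp != NULL;
}

/* Ingress decision: may a frame arriving on this port create an fdb entry? */
static bool may_learn(const struct port *p, bool (*bypass)(const struct port *))
{
    if (!bypass(p) && p->state == ST_DISABLED)
        return false;                 /* port state stops learning */
    if (p->vlan_filtering && (p->vlgrp == NULL || p->vlgrp->num_vlans == 0))
        return false;                 /* flushed VLANs stop learning */
    return true;
}

/* Constructed scenario: a forwarding port enters deletion, then a frame arrives. */
static bool learns_during_delete(bool mst, bool filtering,
                                 bool (*bypass)(const struct port *))
{
    struct vlan_group vg = { .num_vlans = 1 };
    struct port p = { ST_FORWARDING, &vg, mst, filtering };
    p.state = ST_DISABLED;            /* deletion: port state set to disabled */
    p.vlgrp = NULL;                   /* deletion: vlan group pointer cleared */
    return may_learn(&p, bypass);
}

int main(void)
{
    /* exit 0 when the old check still learns and the new one does not */
    return !(learns_during_delete(true, false, mst_bypass_before) &&
             !learns_during_delete(true, false, mst_bypass_after));
}
```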
