{"id":"CVE-2025-21865","summary":"gtp: Suppress list corruption splat in gtp_net_exit_batch_rtnl().","details":"In the Linux kernel, the following vulnerability has been resolved:\n\ngtp: Suppress list corruption splat in gtp_net_exit_batch_rtnl().\n\nBrad Spengler reported the list_del() corruption splat in\ngtp_net_exit_batch_rtnl(). [0]\n\nCommit eb28fd76c0a0 (\"gtp: Destroy device along with udp socket's netns\ndismantle.\") added the for_each_netdev() loop in gtp_net_exit_batch_rtnl()\nto destroy devices in each netns as done in geneve and ip tunnels.\n\nHowever, this could trigger -\u003edellink() twice for the same device during\n-\u003eexit_batch_rtnl().\n\nSay we have two netns A & B and gtp device B that resides in netns B but\nwhose UDP socket is in netns A.\n\n  1. cleanup_net() processes netns A and then B.\n\n  2. gtp_net_exit_batch_rtnl() finds the device B while iterating\n     netns A's gn-\u003egtp_dev_list and calls -\u003edellink().\n\n  [ device B is not yet unlinked from netns B\n    as unregister_netdevice_many() has not been called. ]\n\n  3. gtp_net_exit_batch_rtnl() finds the device B while iterating\n     netns B's for_each_netdev() and calls -\u003edellink().\n\ngtp_dellink() cleans up the device's hash table, unlinks the dev from\ngn-\u003egtp_dev_list, and calls unregister_netdevice_queue().\n\nBasically, calling gtp_dellink() multiple times is fine unless\nCONFIG_DEBUG_LIST is enabled.\n\nLet's remove for_each_netdev() in gtp_net_exit_batch_rtnl() and\ndelegate the destruction to default_device_exit_batch() as done\nin bareudp.\n\n[0]:\nlist_del corruption, ffff8880aaa62c00-\u003enext (autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc00/0x1000 [slab object]) is LIST_POISON1 (ffffffffffffff02) (prev is 0xffffffffffffff04)\nkernel BUG at lib/list_debug.c:58!\nOops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN\nCPU: 1 UID: 0 PID: 1804 Comm: kworker/u8:7 Tainted: G                T   6.12.13-grsec-full-20250211091339 #1\nTainted: [T]=RANDSTRUCT\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nWorkqueue: netns cleanup_net\nRIP: 0010:[\u003cffffffff84947381\u003e] __list_del_entry_valid_or_report+0x141/0x200 lib/list_debug.c:58\nCode: c2 76 91 31 c0 e8 9f b1 f7 fc 0f 0b 4d 89 f0 48 c7 c1 02 ff ff ff 48 89 ea 48 89 ee 48 c7 c7 e0 c2 76 91 31 c0 e8 7f b1 f7 fc \u003c0f\u003e 0b 4d 89 e8 48 c7 c1 04 ff ff ff 48 89 ea 48 89 ee 48 c7 c7 60\nRSP: 0018:fffffe8040b4fbd0 EFLAGS: 00010283\nRAX: 00000000000000cc RBX: dffffc0000000000 RCX: ffffffff818c4054\nRDX: ffffffff84947381 RSI: ffffffff818d1512 RDI: 0000000000000000\nRBP: ffff8880aaa62c00 R08: 0000000000000001 R09: fffffbd008169f32\nR10: fffffe8040b4f997 R11: 0000000000000001 R12: a1988d84f24943e4\nR13: ffffffffffffff02 R14: ffffffffffffff04 R15: ffff8880aaa62c08\nRBX: kasan shadow of 0x0\nRCX: __wake_up_klogd.part.0+0x74/0xe0 kernel/printk/printk.c:4554\nRDX: __list_del_entry_valid_or_report+0x141/0x200 lib/list_debug.c:58\nRSI: vprintk+0x72/0x100 kernel/printk/printk_safe.c:71\nRBP: autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc00/0x1000 [slab object]\nRSP: process kstack fffffe8040b4fbd0+0x7bd0/0x8000 [kworker/u8:7+netns 1804 ]\nR09: kasan shadow of process kstack fffffe8040b4f990+0x7990/0x8000 [kworker/u8:7+netns 1804 ]\nR10: process kstack fffffe8040b4f997+0x7997/0x8000 [kworker/u8:7+netns 1804 ]\nR15: autoslab_size_M_dev_P_net_core_dev_11127_8_1328_8_S_4096_A_64_n_139+0xc08/0x1000 [slab object]\nFS:  0000000000000000(0000) GS:ffff888116000000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000748f5372c000 CR3: 0000000015408000 CR4: 00000000003406f0 shadow CR4: 00000000003406f0\nStack:\n 0000000000000000 ffffffff8a0c35e7 ffffffff8a0c3603 ffff8880aaa62c00\n ffff8880aaa62c00 0000000000000004 ffff88811145311c 0000000000000005\n 0000000000000001 ffff8880aaa62000 fffffe8040b4fd40 ffffffff8a0c360d\nCall Trace:\n \u003cTASK\u003e\n [\u003cffffffff8a0c360d\u003e] __list_del_entry_valid include/linux/list.h:131 [inline] fffffe8040b4fc28\n [\u003cffffffff8a0c360d\u003e] __list_del_entry include/linux/list.h:248 [inline] fffffe8040b4fc28\n [\u003cffffffff8a0c360d\u003e] list_del include/linux/list.h:262 [inl\n---truncated---","modified":"2026-04-16T04:32:25.474237916Z","published":"2025-03-12T09:42:21.901Z","related":["SUSE-SU-2025:01919-1","SUSE-SU-2025:01951-1","SUSE-SU-2025:01967-1","SUSE-SU-2025:1177-1","SUSE-SU-2025:1178-1","SUSE-SU-2025:1180-1","SUSE-SU-2025:1293-1","SUSE-SU-2025:20190-1","SUSE-SU-2025:20192-1","SUSE-SU-2025:20260-1","SUSE-SU-2025:20270-1","USN-7521-2"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/21xxx/CVE-2025-21865.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/33eb925c0c26e86ca540a08254806512bf911f22"},{"type":"WEB","url":"https://git.kernel.org/stable/c/37e7644b961600ef0beb01d3970c3034a62913af"},{"type":"WEB","url":"https://git.kernel.org/stable/c/4ccacf86491d33d2486b62d4d44864d7101b299d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7f86fb07db65a470d0c11f79da551bd9466357dc"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9d03e7e37187ae140e716377599493987fb20c5b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b70fa591b066d52b141fc430ffdee35b6cc87a66"},{"type":"WEB","url":"https://git.kernel.org/stable/c/cb15bb1bde0ba97cbbed9508e45210dcafec3657"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ff81b14010362f6188ca26fec22ff05e4da45595"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/21xxx/CVE-2025-21865.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-21865"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"c986380c1d5274c4d5e935addc807d6791cc23eb"},{"fixed":"7f86fb07db65a470d0c11f79da551bd9466357dc"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"5f1678346109ff3a6d229d33437fcba3cce9209d"},{"fixed":"33eb925c0c26e86ca540a08254806512bf911f22"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"036f8d814a2cd11ee8ef62b8f3e7ce5dec0ee4f3"},{"fixed":"cb15bb1bde0ba97cbbed9508e45210dcafec3657"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"efec287cbac92ac6ee8312a89221854760e13b34"},{"fixed":"b70fa591b066d52b141fc430ffdee35b6cc87a66"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"bb11f992f5a475bc68ef959f17a55306f0328495"},{"fixed":"9d03e7e37187ae140e716377599493987fb20c5b"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"86f73d4ab2f27deeff22ba9336ad103d94f12ac7"},{"fixed":"ff81b14010362f6188ca26fec22ff05e4da45595"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"eb28fd76c0a08a47b470677c6cef9dd1c60e92d1"},{"fixed":"37e7644b961600ef0beb01d3970c3034a62913af"},{"fixed":"4ccacf86491d33d2486b62d4d44864d7101b299d"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-21865.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}