{"id":"CVE-2025-38022","summary":"RDMA/core: Fix \"KASAN: slab-use-after-free Read in ib_register_device\" problem","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/core: Fix \"KASAN: slab-use-after-free Read in ib_register_device\" problem\n\nCall Trace:\n\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:408 [inline]\n print_report+0xc3/0x670 mm/kasan/report.c:521\n kasan_report+0xe0/0x110 mm/kasan/report.c:634\n strlen+0x93/0xa0 lib/string.c:420\n __fortify_strlen include/linux/fortify-string.h:268 [inline]\n get_kobj_path_length lib/kobject.c:118 [inline]\n kobject_get_path+0x3f/0x2a0 lib/kobject.c:158\n kobject_uevent_env+0x289/0x1870 lib/kobject_uevent.c:545\n ib_register_device drivers/infiniband/core/device.c:1472 [inline]\n ib_register_device+0x8cf/0xe00 drivers/infiniband/core/device.c:1393\n rxe_register_device+0x275/0x320 drivers/infiniband/sw/rxe/rxe_verbs.c:1552\n rxe_net_add+0x8e/0xe0 drivers/infiniband/sw/rxe/rxe_net.c:550\n rxe_newlink+0x70/0x190 drivers/infiniband/sw/rxe/rxe.c:225\n nldev_newlink+0x3a3/0x680 drivers/infiniband/core/nldev.c:1796\n rdma_nl_rcv_msg+0x387/0x6e0 drivers/infiniband/core/netlink.c:195\n rdma_nl_rcv_skb.constprop.0.isra.0+0x2e5/0x450\n netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]\n netlink_unicast+0x53a/0x7f0 net/netlink/af_netlink.c:1339\n netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1883\n sock_sendmsg_nosec net/socket.c:712 [inline]\n __sock_sendmsg net/socket.c:727 [inline]\n ____sys_sendmsg+0xa95/0xc70 net/socket.c:2566\n ___sys_sendmsg+0x134/0x1d0 net/socket.c:2620\n __sys_sendmsg+0x16d/0x220 net/socket.c:2652\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nThis problem is similar to the problem that the\ncommit 1d6a9e7449e2 (\"RDMA/core: Fix use-after-free when rename device name\")\nfixes.\n\nThe root cause is: the function ib_device_rename() renames the name with\nlock. But in the function kobject_uevent(), this name is accessed without\nlock protection at the same time.\n\nThe solution is to add the lock protection when this name is accessed in\nthe function kobject_uevent().","modified":"2026-04-02T12:47:43.979974Z","published":"2025-06-18T09:28:29.218Z","related":["ALSA-2026:1661","ALSA-2026:1662","ALSA-2026:1690","ALSA-2026:2212","SUSE-SU-2025:02249-1","SUSE-SU-2025:02254-1","SUSE-SU-2025:02307-1","SUSE-SU-2025:02333-1","SUSE-SU-2025:02335-1","SUSE-SU-2025:02538-1","SUSE-SU-2025:02923-1","SUSE-SU-2025:20475-1","SUSE-SU-2025:20483-1","SUSE-SU-2025:20493-1","SUSE-SU-2025:20498-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38022.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/03df57ad4b0ff9c5a93ff981aba0b42578ad1571"},{"type":"WEB","url":"https://git.kernel.org/stable/c/10c7f1c647da3b77ef8827d974a97b6530b64df0"},{"type":"WEB","url":"https://git.kernel.org/stable/c/17d3103325e891e10994e7aa28d12bea04dc2c60"},{"type":"WEB","url":"https://git.kernel.org/stable/c/312dae3499106ec8cb7442ada12be080aa9fbc3b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5629064f92f0de6d6b3572055cd35361c3ad953c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ba467b6870ea2a73590478d9612d6ea1dcdd68b7"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d0706bfd3ee40923c001c6827b786a309e2a8713"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38022.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38022"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"53e9a5a692f839780084ad81dbd461ec917f74f7"},{"fixed":"ba467b6870ea2a73590478d9612d6ea1dcdd68b7"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"779e0bf47632c609c59f527f9711ecd3214dccb0"},{"fixed":"5629064f92f0de6d6b3572055cd35361c3ad953c"},{"fixed":"312dae3499106ec8cb7442ada12be080aa9fbc3b"},{"fixed":"17d3103325e891e10994e7aa28d12bea04dc2c60"},{"fixed":"10c7f1c647da3b77ef8827d974a97b6530b64df0"},{"fixed":"03df57ad4b0ff9c5a93ff981aba0b42578ad1571"},{"fixed":"d0706bfd3ee40923c001c6827b786a309e2a8713"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"9b54e31fd08f8d8db507d021c88e760d5f8e4640"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-38022.json"}}],"schema_version":"1.7.5"}