{"id":"CVE-2025-38129","summary":"page_pool: Fix use-after-free in page_pool_recycle_in_ring","details":"In the Linux kernel, the following vulnerability has been resolved:\n\npage_pool: Fix use-after-free in page_pool_recycle_in_ring\n\nsyzbot reported a uaf in page_pool_recycle_in_ring:\n\nBUG: KASAN: slab-use-after-free in lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862\nRead of size 8 at addr ffff8880286045a0 by task syz.0.284/6943\n\nCPU: 0 UID: 0 PID: 6943 Comm: syz.0.284 Not tainted 6.13.0-rc3-syzkaller-gdfa94ce54f41 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:489\n kasan_report+0x143/0x180 mm/kasan/report.c:602\n lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862\n __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:165 [inline]\n _raw_spin_unlock_bh+0x1b/0x40 kernel/locking/spinlock.c:210\n spin_unlock_bh include/linux/spinlock.h:396 [inline]\n ptr_ring_produce_bh include/linux/ptr_ring.h:164 [inline]\n page_pool_recycle_in_ring net/core/page_pool.c:707 [inline]\n page_pool_put_unrefed_netmem+0x748/0xb00 net/core/page_pool.c:826\n page_pool_put_netmem include/net/page_pool/helpers.h:323 [inline]\n page_pool_put_full_netmem include/net/page_pool/helpers.h:353 [inline]\n napi_pp_put_page+0x149/0x2b0 net/core/skbuff.c:1036\n skb_pp_recycle net/core/skbuff.c:1047 [inline]\n skb_free_head net/core/skbuff.c:1094 [inline]\n skb_release_data+0x6c4/0x8a0 net/core/skbuff.c:1125\n skb_release_all net/core/skbuff.c:1190 [inline]\n __kfree_skb net/core/skbuff.c:1204 [inline]\n sk_skb_reason_drop+0x1c9/0x380 net/core/skbuff.c:1242\n kfree_skb_reason include/linux/skbuff.h:1263 [inline]\n __skb_queue_purge_reason include/linux/skbuff.h:3343 [inline]\n\nroot cause 
is:\n\npage_pool_recycle_in_ring\n  ptr_ring_produce\n    spin_lock(&r-\u003eproducer_lock);\n    WRITE_ONCE(r-\u003equeue[r-\u003eproducer++], ptr)\n      //recycle last page to pool\n\t\t\t\tpage_pool_release\n\t\t\t\t  page_pool_scrub\n\t\t\t\t    page_pool_empty_ring\n\t\t\t\t      ptr_ring_consume\n\t\t\t\t      page_pool_return_page  //release all page\n\t\t\t\t  __page_pool_destroy\n\t\t\t\t     free_percpu(pool-\u003erecycle_stats);\n\t\t\t\t     free(pool) //free\n\n     spin_unlock(&r-\u003eproducer_lock); //pool-\u003ering uaf read\n  recycle_stat_inc(pool, ring);\n\npage_pool can be freed while page pool recycles the last page in ring.\nAdd producer-lock barrier to page_pool_release to prevent the page\npool from being freed before all pages have been recycled.\n\nrecycle_stat_inc() is empty when CONFIG_PAGE_POOL_STATS is not\nenabled, which will trigger Wempty-body build warning. Add definition\nfor pool stat macro to fix warning.","modified":"2026-04-02T12:47:49.599632Z","published":"2025-07-03T08:35:33.728Z","related":["ALSA-2026:3066","ALSA-2026:3083","ALSA-2026:3110","SUSE-SU-2025:02853-1","SUSE-SU-2025:02923-1","SUSE-SU-2025:02969-1","SUSE-SU-2025:02996-1","SUSE-SU-2025:02997-1","SUSE-SU-2025:03011-1","SUSE-SU-2025:03023-1","SUSE-SU-2025:20577-1","SUSE-SU-2025:20586-1","SUSE-SU-2025:20601-1","SUSE-SU-2025:20602-1","SUSE-SU-2025:21074-1","SUSE-SU-2025:21139-1","SUSE-SU-2025:21179-1","SUSE-SU-2026:0411-1","SUSE-SU-2026:0474-1","SUSE-SU-2026:0475-1","SUSE-SU-2026:0495-1","SUSE-SU-2026:0496-1","SUSE-SU-2026:0617-1","SUSE-SU-2026:0674-1","SUSE-SU-2026:0711-1","SUSE-SU-2026:0713-1","SUSE-SU-2026:0725-1","SUSE-SU-2026:0727-1","SUSE-SU-2026:0731-1","SUSE-SU-2026:0734-1","SUSE-SU-2026:0736-1","SUSE-SU-2026:0745-1","SUSE-SU-2026:0748-1","SUSE-SU-2026:20672-1","SUSE-SU-2026:20673-1","SUSE-SU-2026:20674-1","SUSE-SU-2026:20678-1","SUSE-SU-2026:20679-1","SUSE-SU-2026:20680-1","SUSE-SU-2026:20681-1","SUSE-SU-2026:20699-1","SUSE-SU-2026:20700-1","SUSE-SU-2026:20701-1
","SUSE-SU-2026:20702-1","SUSE-SU-2026:20703-1","SUSE-SU-2026:20704-1","SUSE-SU-2026:20705-1","openSUSE-SU-2025:20081-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38129.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/1a8c0b61d4cb55c5440583ec9e7f86a730369e32"},{"type":"WEB","url":"https://git.kernel.org/stable/c/271683bb2cf32e5126c592b5d5e6a756fa374fd9"},{"type":"WEB","url":"https://git.kernel.org/stable/c/4914c0a166540e534a0c1d43affd329d95fb56fd"},{"type":"WEB","url":"https://git.kernel.org/stable/c/4ab8c0f8905c9c4d05e7f437e65a9a365573ff02"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d69f28ef7cdafdcf37ee310f38b1399e7d05f9a8"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e869a85acc2e60dc554579b910826a4919d8cd98"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38129.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38129"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"ff7d6b27f894f1469dc51ccb828b7363ccd9799f"},{"fixed":"d69f28ef7cdafdcf37ee310f38b1399e7d05f9a8"},{"fixed":"1a8c0b61d4cb55c5440583ec9e7f86a730369e32"},{"fixed":"4914c0a166540e534a0c1d43affd329d95fb56fd"},{"fixed":"e869a85acc2e60dc554579b910826a4919d8cd98"},{"fixed":"4ab8c0f8905c9c4d05e7f437e65a9a365573ff02"},{"fixed":"271683bb2cf32e5126c592b5d5e6a756fa374fd9"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-38129.json"}}],"schema_version":"1.7.5"}