CVE-2025-21727
Description
In the Linux kernel, the following vulnerability has been resolved:
padata: fix UAF in padata_reorder
A bug was found when run ltp test:
BUG: KASAN: slab-use-after-free in padata_find_next+0x29/0x1a0 Read of size 4 at addr ffff88bbfe003524 by task kworker/u113:2/3039206
CPU: 0 PID: 3039206 Comm: kworker/u113:2 Kdump: loaded Not tainted 6.6.0+ Workqueue: pdecrypt_parallel padata_parallel_worker Call Trace:
dump_stack_lvl+0x32/0x50 print_address_description.constprop.0+0x6b/0x3d0 print_report+0xdd/0x2c0 kasan_report+0xa5/0xd0 padata_find_next+0x29/0x1a0 padata_reorder+0x131/0x220 padata_parallel_worker+0x3d/0xc0 process_one_work+0x2ec/0x5a0
If 'mdelay(10)' is added before calling 'padata_find_next' in the 'padata_reorder' function, this issue could be reproduced easily with ltp test (pcrypt_aead01).
This can be explained as bellow:
pcrypt_aead_encrypt ... padata_do_parallel refcount_inc(&pd->refcnt); // add refcnt ... padata_do_serial padata_reorder // pd while (1) { padata_find_next(pd, true); // using pd queue_work_on ... padata_serial_worker crypto_del_alg padata_put_pd_cnt // sub refcnt padata_free_shell padata_put_pd(ps->pd); // pd is freed // loop again, but pd is freed // call padata_find_next, UAF }
In the padata_reorder function, when it loops in 'while', if the alg is deleted, the refcnt may be decreased to 0 before entering 'padata_find_next', which leads to UAF.
As mentioned in [1], do_serial is supposed to be called with BHs disabled and always happen under RCU protection, to address this issue, add synchronize_rcu() in 'padata_free_shell' wait for all _do_serial calls to finish.
[1] https://lore.kernel.org/all/20221028160401.cccypv4euxikusiq@parnassus.localdomain/ [2] https://lore.kernel.org/linux-kernel/jfjz5d7zwbytztackem7ibzalm5lnxldi2eofeiczqmqs2m7o6@fq426cwnjtkm/
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
142- osv-coords139 versionspkg:deb/ubuntu/linux-aws@6.11.0-1014.15?arch=source&distro=oracularpkg:rpm/almalinux/bpftoolpkg:rpm/almalinux/kernelpkg:rpm/almalinux/kernel-64kpkg:rpm/almalinux/kernel-64k-corepkg:rpm/almalinux/kernel-64k-debugpkg:rpm/almalinux/kernel-64k-debug-corepkg:rpm/almalinux/kernel-64k-debug-develpkg:rpm/almalinux/kernel-64k-debug-devel-matchedpkg:rpm/almalinux/kernel-64k-debug-modulespkg:rpm/almalinux/kernel-64k-debug-modules-corepkg:rpm/almalinux/kernel-64k-debug-modules-extrapkg:rpm/almalinux/kernel-64k-develpkg:rpm/almalinux/kernel-64k-devel-matchedpkg:rpm/almalinux/kernel-64k-modulespkg:rpm/almalinux/kernel-64k-modules-corepkg:rpm/almalinux/kernel-64k-modules-extrapkg:rpm/almalinux/kernel-abi-stablelistspkg:rpm/almalinux/kernel-corepkg:rpm/almalinux/kernel-cross-headerspkg:rpm/almalinux/kernel-debugpkg:rpm/almalinux/kernel-debug-corepkg:rpm/almalinux/kernel-debug-develpkg:rpm/almalinux/kernel-debug-devel-matchedpkg:rpm/almalinux/kernel-debug-modulespkg:rpm/almalinux/kernel-debug-modules-corepkg:rpm/almalinux/kernel-debug-modules-extrapkg:rpm/almalinux/kernel-debug-uki-virtpkg:rpm/almalinux/kernel-develpkg:rpm/almalinux/kernel-devel-matchedpkg:rpm/almalinux/kernel-docpkg:rpm/almalinux/kernel-headerspkg:rpm/almalinux/kernel-modulespkg:rpm/almalinux/kernel-modules-corepkg:rpm/almalinux/kernel-modules-extrapkg:rpm/almalinux/kernel-rtpkg:rpm/almalinux/kernel-rt-64kpkg:rpm/almalinux/kernel-rt-64k-corepkg:rpm/almalinux/kernel-rt-64k-debugpkg:rpm/almalinux/kernel-rt-64k-debug-corepkg:rpm/almalinux/kernel-rt-64k-debug-develpkg:rpm/almalinux/kernel-rt-64k-debug-modulespkg:rpm/almalinux/kernel-rt-64k-debug-modules-corepkg:rpm/almalinux/kernel-rt-64k-debug-modules-extrapkg:rpm/almalinux/kernel-rt-64k-develpkg:rpm/almalinux/kernel-rt-64k-modulespkg:rpm/almalinux/kernel-rt-64k-modules-corepkg:rpm/almalinux/kernel-rt-64k-modules-extrapkg:rpm/almalinux/kernel-rt-corepkg:rpm/almalinux/kernel-rt-debugpkg:rpm/almalinux/kernel-rt-debug-corepkg:rpm/almalinux/kernel-rt-debug-develpkg:rpm/almalinux/kernel-rt-debug-kvmpkg:rpm/almalinux/kernel-rt-debug-modulespkg:rpm/almalinux/kernel-rt-debug-modules-corepkg:rpm/almalinux/kernel-rt-debug-modules-extrapkg:rpm/almalinux/kernel-rt-develpkg:rpm/almalinux/kernel-rt-kvmpkg:rpm/almalinux/kernel-rt-modulespkg:rpm/almalinux/kernel-rt-modules-corepkg:rpm/almalinux/kernel-rt-modules-extrapkg:rpm/almalinux/kernel-toolspkg:rpm/almalinux/kernel-tools-libspkg:rpm/almalinux/kernel-tools-libs-develpkg:rpm/almalinux/kernel-uki-virtpkg:rpm/almalinux/kernel-uki-virt-addonspkg:rpm/almalinux/kernel-zfcpdumppkg:rpm/almalinux/kernel-zfcpdump-corepkg:rpm/almalinux/kernel-zfcpdump-develpkg:rpm/almalinux/kernel-zfcpdump-devel-matchedpkg:rpm/almalinux/kernel-zfcpdump-modulespkg:rpm/almalinux/kernel-zfcpdump-modules-corepkg:rpm/almalinux/kernel-zfcpdump-modules-extrapkg:rpm/almalinux/libperfpkg:rpm/almalinux/perfpkg:rpm/almalinux/python3-perfpkg:rpm/almalinux/rtlapkg:rpm/almalinux/rvpkg:rpm/opensuse/dtb-aarch64&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/kernel-64kb&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/kernel-azure&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/kernel-debug&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/kernel-default-base&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/kernel-default&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/kernel-docs&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/kernel-kvmsmall&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/kernel-obs-build&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/kernel-obs-qa&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/kernel-rt_debug&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/kernel-rt&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/kernel-source-azure&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/kernel-source&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/kernel-source-rt&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/kernel-syms-azure&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/kernel-syms&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/kernel-syms-rt&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/kernel-zfcpdump&distro=openSUSE%20Leap%2015.6pkg:rpm/suse/kernel-64kb&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP6pkg:rpm/suse/kernel-azure&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Public%20Cloud%2015%20SP6pkg:rpm/suse/kernel-coco_debug&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Confidential%20Computing%20Technical%20Preview%2015%20SP6pkg:rpm/suse/kernel-coco&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Confidential%20Computing%20Technical%20Preview%2015%20SP6pkg:rpm/suse/kernel-default-base&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP6pkg:rpm/suse/kernel-default-base&distro=SUSE%20Linux%20Micro%206.0pkg:rpm/suse/kernel-default-base&distro=SUSE%20Linux%20Micro%206.1pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP6pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20Live%20Patching%2015%20SP6pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP6pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Legacy%2015%20SP6pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2015%20SP6pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Micro%206.0pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Micro%206.1pkg:rpm/suse/kernel-docs&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP6pkg:rpm/suse/kernel-kvmsmall&distro=SUSE%20Linux%20Micro%206.0pkg:rpm/suse/kernel-kvmsmall&distro=SUSE%20Linux%20Micro%206.1pkg:rpm/suse/kernel-livepatch-MICRO-6-0-RT_Update_6&distro=SUSE%20Linux%20Micro%206.0pkg:rpm/suse/kernel-livepatch-MICRO-6-0-RT_Update_6&distro=SUSE%20Linux%20Micro%206.1pkg:rpm/suse/kernel-livepatch-MICRO-6-0_Update_6&distro=SUSE%20Linux%20Micro%206.0pkg:rpm/suse/kernel-livepatch-MICRO-6-0_Update_6&distro=SUSE%20Linux%20Micro%206.1pkg:rpm/suse/kernel-livepatch-SLE15-SP6-RT_Update_10&distro=SUSE%20Linux%20Enterprise%20Live%20Patching%2015%20SP6pkg:rpm/suse/kernel-livepatch-SLE15-SP6_Update_10&distro=SUSE%20Linux%20Enterprise%20Live%20Patching%2015%20SP6pkg:rpm/suse/kernel-obs-build&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP6pkg:rpm/suse/kernel-rt_debug&distro=SUSE%20Real%20Time%20Module%2015%20SP6pkg:rpm/suse/kernel-rt&distro=SUSE%20Linux%20Micro%206.0pkg:rpm/suse/kernel-rt&distro=SUSE%20Linux%20Micro%206.1pkg:rpm/suse/kernel-rt&distro=SUSE%20Real%20Time%20Module%2015%20SP6pkg:rpm/suse/kernel-source-azure&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Public%20Cloud%2015%20SP6pkg:rpm/suse/kernel-source-coco&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Confidential%20Computing%20Technical%20Preview%2015%20SP6pkg:rpm/suse/kernel-source&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP6pkg:rpm/suse/kernel-source&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP6pkg:rpm/suse/kernel-source&distro=SUSE%20Linux%20Micro%206.0pkg:rpm/suse/kernel-source&distro=SUSE%20Linux%20Micro%206.1pkg:rpm/suse/kernel-source-rt&distro=SUSE%20Linux%20Micro%206.0pkg:rpm/suse/kernel-source-rt&distro=SUSE%20Linux%20Micro%206.1pkg:rpm/suse/kernel-source-rt&distro=SUSE%20Real%20Time%20Module%2015%20SP6pkg:rpm/suse/kernel-syms-azure&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Public%20Cloud%2015%20SP6pkg:rpm/suse/kernel-syms-coco&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Confidential%20Computing%20Technical%20Preview%2015%20SP6pkg:rpm/suse/kernel-syms&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP6pkg:rpm/suse/kernel-syms-rt&distro=SUSE%20Real%20Time%20Module%2015%20SP6pkg:rpm/suse/kernel-zfcpdump&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP6
< 6.11.0-1014.15+ 138 more
- (no CPE)range: < 6.11.0-1014.15
- (no CPE)range: < 4.18.0-553.69.1.el8_10
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 6.12.0-55.25.1.el10_0
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 6.12.0-55.25.1.el10_0
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 5.14.0-570.32.1.el9_6
- (no CPE)range: < 6.4.0-150600.23.47.1
- (no CPE)range: < 6.4.0-150600.23.47.2
- (no CPE)range: < 6.4.0-150600.8.34.2
- (no CPE)range: < 6.4.0-150600.23.47.2
- (no CPE)range: < 6.4.0-150600.23.47.2.150600.12.20.2
- (no CPE)range: < 6.4.0-150600.23.47.2
- (no CPE)range: < 6.4.0-150600.23.47.1
- (no CPE)range: < 6.4.0-150600.23.47.2
- (no CPE)range: < 6.4.0-150600.23.47.1
- (no CPE)range: < 6.4.0-150600.23.47.1
- (no CPE)range: < 6.4.0-150600.10.34.1
- (no CPE)range: < 6.4.0-150600.10.34.1
- (no CPE)range: < 6.4.0-150600.8.34.2
- (no CPE)range: < 6.4.0-150600.23.47.2
- (no CPE)range: < 6.4.0-150600.10.34.1
- (no CPE)range: < 6.4.0-150600.8.34.1
- (no CPE)range: < 6.4.0-150600.23.47.1
- (no CPE)range: < 6.4.0-150600.10.34.1
- (no CPE)range: < 6.4.0-150600.23.47.2
- (no CPE)range: < 6.4.0-150600.23.47.2
- (no CPE)range: < 6.4.0-150600.8.34.2
- (no CPE)range: < 6.4.0-15061.21.coco15sp6.1
- (no CPE)range: < 6.4.0-15061.21.coco15sp6.1
- (no CPE)range: < 6.4.0-150600.23.47.2.150600.12.20.2
- (no CPE)range: < 6.4.0-28.1.21.6
- (no CPE)range: < 6.4.0-28.1.21.6
- (no CPE)range: < 6.4.0-150600.23.47.2
- (no CPE)range: < 6.4.0-150600.23.47.2
- (no CPE)range: < 6.4.0-150600.23.47.2
- (no CPE)range: < 6.4.0-150600.23.47.2
- (no CPE)range: < 6.4.0-150600.23.47.2
- (no CPE)range: < 6.4.0-28.1
- (no CPE)range: < 6.4.0-28.1
- (no CPE)range: < 6.4.0-150600.23.47.1
- (no CPE)range: < 6.4.0-28.1
- (no CPE)range: < 6.4.0-28.1
- (no CPE)range: < 1-3.1
- (no CPE)range: < 1-3.1
- (no CPE)range: < 1-3.1
- (no CPE)range: < 1-3.1
- (no CPE)range: < 1-150600.1.5.1
- (no CPE)range: < 1-150600.13.5.1
- (no CPE)range: < 6.4.0-150600.23.47.1
- (no CPE)range: < 6.4.0-150600.10.34.1
- (no CPE)range: < 6.4.0-28.1
- (no CPE)range: < 6.4.0-28.1
- (no CPE)range: < 6.4.0-150600.10.34.1
- (no CPE)range: < 6.4.0-150600.8.34.2
- (no CPE)range: < 6.4.0-15061.21.coco15sp6.1
- (no CPE)range: < 6.4.0-150600.23.47.2
- (no CPE)range: < 6.4.0-150600.23.47.2
- (no CPE)range: < 6.4.0-28.1
- (no CPE)range: < 6.4.0-28.1
- (no CPE)range: < 6.4.0-28.1
- (no CPE)range: < 6.4.0-28.1
- (no CPE)range: < 6.4.0-150600.10.34.1
- (no CPE)range: < 6.4.0-150600.8.34.1
- (no CPE)range: < 6.4.0-15061.21.coco15sp6.1
- (no CPE)range: < 6.4.0-150600.23.47.1
- (no CPE)range: < 6.4.0-150600.10.34.1
- (no CPE)range: < 6.4.0-150600.23.47.2
Patches
Vulnerability mechanics
References
10- git.kernel.org/stable/c/0ae2f332cfd2d74cf3ce344ec9938cf3e29c3ccdnvdPatch
- git.kernel.org/stable/c/573ac9c70bf7885dc85d82fa44550581bfc3b738nvdPatch
- git.kernel.org/stable/c/80231f069240d52e98b6a317456c67b2eafd0781nvdPatch
- git.kernel.org/stable/c/bbccae982e9fa1d7abcb23a5ec81cb0ec883f7denvdPatch
- git.kernel.org/stable/c/e01780ea4661172734118d2a5f41bc9720765668nvdPatch
- git.kernel.org/stable/c/f3e0b9f790f8e8065d59e67b565a83154d9f3079nvdPatch
- git.kernel.org/stable/c/f78170bee51469734b1a306a74fc5f777bb22ba6nvdPatch
- cert-portal.siemens.com/productcert/html/ssa-265688.htmlnvd
- lists.debian.org/debian-lts-announce/2025/03/msg00028.htmlnvd
- lists.debian.org/debian-lts-announce/2025/05/msg00030.htmlnvd
News mentions
0No linked articles in our index yet.