{
  "commit": "06ffda9ccf58dca3b8a10277998fdd686fd701f4",
  "tree": "8520395ba3a9a7d18cd881a4cb631f1fdf98ce2e",
  "parents": [
    "75692a942aaaea90b729f2e7c9655bb2eeb50902"
  ],
  "author": {
    "name": "Dong Chenchen",
    "email": "dongchenchen2@huawei.com",
    "time": "Wed Dec 10 12:15:55 2025 +0000"
  },
  "committer": {
    "name": "Daniel Velasquez",
    "email": "rdvelasquez@google.com",
    "time": "Thu Jan 15 23:37:43 2026 -0800"
  },
  "message": "page_pool: Fix use-after-free in page_pool_recycle_in_ring\n\n[ Upstream commit 271683bb2cf32e5126c592b5d5e6a756fa374fd9 ]\n\nsyzbot reported a uaf in page_pool_recycle_in_ring:\n\nBUG: KASAN: slab-use-after-free in lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862\nRead of size 8 at addr ffff8880286045a0 by task syz.0.284/6943\n\nCPU: 0 UID: 0 PID: 6943 Comm: syz.0.284 Not tainted 6.13.0-rc3-syzkaller-gdfa94ce54f41 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:489\n kasan_report+0x143/0x180 mm/kasan/report.c:602\n lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862\n __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:165 [inline]\n _raw_spin_unlock_bh+0x1b/0x40 kernel/locking/spinlock.c:210\n spin_unlock_bh include/linux/spinlock.h:396 [inline]\n ptr_ring_produce_bh include/linux/ptr_ring.h:164 [inline]\n page_pool_recycle_in_ring net/core/page_pool.c:707 [inline]\n page_pool_put_unrefed_netmem+0x748/0xb00 net/core/page_pool.c:826\n page_pool_put_netmem include/net/page_pool/helpers.h:323 [inline]\n page_pool_put_full_netmem include/net/page_pool/helpers.h:353 [inline]\n napi_pp_put_page+0x149/0x2b0 net/core/skbuff.c:1036\n skb_pp_recycle net/core/skbuff.c:1047 [inline]\n skb_free_head net/core/skbuff.c:1094 [inline]\n skb_release_data+0x6c4/0x8a0 net/core/skbuff.c:1125\n skb_release_all net/core/skbuff.c:1190 [inline]\n __kfree_skb net/core/skbuff.c:1204 [inline]\n sk_skb_reason_drop+0x1c9/0x380 net/core/skbuff.c:1242\n kfree_skb_reason include/linux/skbuff.h:1263 [inline]\n __skb_queue_purge_reason include/linux/skbuff.h:3343 [inline]\n\nroot cause is:\n\npage_pool_recycle_in_ring\n  ptr_ring_produce\n    spin_lock(\u0026r-\u003eproducer_lock);\n    WRITE_ONCE(r-\u003equeue[r-\u003eproducer++], ptr)\n      //recycle last page to pool\n\t\t\t\tpage_pool_release\n\t\t\t\t  page_pool_scrub\n\t\t\t\t    page_pool_empty_ring\n\t\t\t\t      ptr_ring_consume\n\t\t\t\t      page_pool_return_page  //release all pages\n\t\t\t\t  __page_pool_destroy\n\t\t\t\t     free_percpu(pool-\u003erecycle_stats);\n\t\t\t\t     free(pool) //free\n\n     spin_unlock(\u0026r-\u003eproducer_lock); //pool-\u003ering uaf read\n  recycle_stat_inc(pool, ring);\n\npage_pool can be freed while the page pool recycles the last page in the ring.\nAdd a producer-lock barrier to page_pool_release to prevent the page\npool from being freed before all pages have been recycled.\n\nrecycle_stat_inc() is empty when CONFIG_PAGE_POOL_STATS is not\nenabled, which will trigger a Wempty-body build warning. Add a definition\nfor the pool stat macro to fix the warning.\n\nBUG\u003db/462681411\nTEST\u003dpresubmit\nRELEASE_NOTE\u003dFixed CVE-2025-38129 in the Linux kernel.\n\ncos-patch: security-high\nSuggested-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\nLink: https://lore.kernel.org/netdev/20250513083123.3514193-1-dongchenchen2@huawei.com\nFixes: ff7d6b27f894 (\"page_pool: refurbish version of page_pool code\")\nReported-by: syzbot+204a4382fcb3311f3858@syzkaller.appspotmail.com\nCloses: https://syzkaller.appspot.com/bug?extid\u003d204a4382fcb3311f3858\nChange-Id: I1e021f6cdeb3852ec3bc499c4050a04b559c0b74\nSigned-off-by: Dong Chenchen \u003cdongchenchen2@huawei.com\u003e\nReviewed-by: Toke Høiland-Jørgensen \u003ctoke@redhat.com\u003e\nReviewed-by: Mina Almasry \u003calmasrymina@google.com\u003e\nLink: https://patch.msgid.link/20250527114152.3119109-1-dongchenchen2@huawei.com\nSigned-off-by: Jakub Kicinski \u003ckuba@kernel.org\u003e\n[ Minor context change fixed. ]\nSigned-off-by: Ruohan Lan \u003cruohanlan@aliyun.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Kernel CVE Triage Automation \u003ccloud-image-kernel-cve-triage-automation@prod.google.com\u003e\nReviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/125581\nTested-by: Cusky Presubmit Bot \u003cpresubmit@cos-infra-prod.iam.gserviceaccount.com\u003e\nReviewed-by: Daniel Velasquez \u003crdvelasquez@google.com\u003e\nReviewed-by: Angel Adetula \u003cangeladetula@google.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "8ce34d1c2e076161ed164b06626058012d6a4e72",
      "old_mode": 33188,
      "old_path": "net/core/page_pool.c",
      "new_id": "0172943c86d84e2b0366ef4e38e3e9de9865b435",
      "new_mode": 33188,
      "new_path": "net/core/page_pool.c"
    }
  ]
}
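The race described in the commit message, as an added userspace model (this is not the kernel patch and not code from net/core/page_pool.c). One thread plays page_pool_recycle_in_ring(): it takes the ring's producer lock, stores the page, and releases the lock; the other plays page_pool_release(), which tears the pool down. With `fixed=false` the teardown is forced to happen while the producer still holds the lock, so the producer's own unlock and its `recycle_stat_inc()` run on a destroyed pool. With `fixed=true` the release path first takes and drops the producer lock as a barrier, as the patch does, so teardown cannot start until the in-flight producer has left its critical section, and the stat update is done under the lock. Assumptions: pthreads and C11 atomics are available, the spinlock is modelled as an `atomic_bool`, and destroy poisons the pool (`POOL_DEAD`) instead of calling `free()` so that the bad access is observable instead of undefined; the names `run_scenario`, `struct outcome` and the handshake flags are hypothetical helpers of this model.

```c
/* Userspace model of the page_pool recycle-vs-release race (added example,
 * not kernel code). Assumes pthreads + C11 atomics. */
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RING_SIZE  4
#define POOL_ALIVE 0x706f6f6cu
#define POOL_DEAD  0xdeadbeefu     /* poison written by destroy instead of free() */

struct ring {
    atomic_bool producer_lock;     /* models r->producer_lock */
    void *queue[RING_SIZE];
    unsigned producer;
};

struct pool {
    unsigned magic;
    struct ring ring;
    unsigned recycle_stats;        /* stands in for pool->recycle_stats */
};

struct outcome {
    unsigned unlock_seq;           /* when the producer left its critical section */
    unsigned destroy_seq;          /* when the pool was destroyed */
    bool touched_dead_pool;        /* producer still used the pool after destroy */
};

/* Handshake state between the two threads; reset by run_scenario(). */
static atomic_uint seq;
static atomic_bool producer_in_cs, release_done;

static void producer_lock(struct ring *r)
{
    while (atomic_exchange_explicit(&r->producer_lock, true, memory_order_acquire))
        ;
}

static void producer_unlock(struct ring *r)
{
    atomic_store_explicit(&r->producer_lock, false, memory_order_release);
}

/* page_pool_recycle_in_ring(): fixed=false is the pre-patch ordering. */
static void recycle(struct pool *pool, void *page, bool fixed, struct outcome *o)
{
    struct ring *r = &pool->ring;

    producer_lock(r);
    r->queue[r->producer++ % RING_SIZE] = page;     /* __ptr_ring_produce() */
    if (fixed)
        pool->recycle_stats++;                      /* stat update moved under the lock */
    atomic_store(&producer_in_cs, true);            /* releaser may now run */
    if (!fixed)
        while (!atomic_load(&release_done))         /* force: teardown while we hold the lock */
            ;
    o->touched_dead_pool = (pool->magic == POOL_DEAD);
    o->unlock_seq = atomic_fetch_add(&seq, 1);
    producer_unlock(r);                             /* spin_unlock_bh() touches r->producer_lock */
    if (!fixed)
        pool->recycle_stats++;                      /* recycle_stat_inc() after unlock */
}

/* page_pool_release(): with_barrier=true is the patch's producer-lock barrier. */
static void pool_release(struct pool *pool, bool with_barrier, struct outcome *o)
{
    while (!atomic_load(&producer_in_cs))           /* let the producer enter the ring first */
        ;
    if (with_barrier) {                             /* wait for in-flight producers to finish */
        producer_lock(&pool->ring);
        producer_unlock(&pool->ring);
    }
    memset(pool->ring.queue, 0, sizeof pool->ring.queue);   /* page_pool_empty_ring() */
    o->destroy_seq = atomic_fetch_add(&seq, 1);
    pool->magic = POOL_DEAD;                        /* __page_pool_destroy(): poison, not free() */
    atomic_store(&release_done, true);
}

struct task { struct pool *pool; bool fixed; struct outcome *o; char page[64]; };

static void *producer_thread(void *arg)
{
    struct task *t = arg;
    recycle(t->pool, t->page, t->fixed, t->o);
    return NULL;
}

static void *releaser_thread(void *arg)
{
    struct task *t = arg;
    pool_release(t->pool, t->fixed, t->o);
    return NULL;
}

/* Run one producer against one releaser and report what they observed. */
struct outcome run_scenario(bool fixed)
{
    struct outcome o = { 0 };
    struct pool *pool = calloc(1, sizeof *pool);    /* zeroed: lock free, ring empty */
    struct task t = { pool, fixed, &o, { 0 } };
    pthread_t p, r;

    pool->magic = POOL_ALIVE;
    atomic_store(&seq, 0);
    atomic_store(&producer_in_cs, false);
    atomic_store(&release_done, false);
    pthread_create(&p, NULL, producer_thread, &t);
    pthread_create(&r, NULL, releaser_thread, &t);
    pthread_join(p, NULL);
    pthread_join(r, NULL);
    free(pool);
    return o;
}

int main(void)
{
    struct outcome b = run_scenario(false), f = run_scenario(true);
    printf("pre-patch: destroy@%u unlock@%u touched_dead=%d\n", b.destroy_seq, b.unlock_seq, b.touched_dead_pool);
    printf("patched:   destroy@%u unlock@%u touched_dead=%d\n", f.destroy_seq, f.unlock_seq, f.touched_dead_pool);
    return 0;
}
```

The ordering counters are what to look at: without the barrier, `destroy_seq` comes before `unlock_seq`, meaning the producer's unlock and stat increment ran against a pool that was already torn down, which is exactly the slab-use-after-free KASAN reported from `_raw_spin_unlock_bh`. With the barrier, `pool_release()` cannot acquire the producer lock until the recycler drops it, so the destroy is always ordered after the last in-flight recycle. Note that the barrier alone would not cover the post-unlock `recycle_stat_inc()`; the model therefore also moves the stat update under the lock, mirroring the patch's handling of that second access.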
