CVE-2025-37894

In the Linux kernel, the following vulnerability has been resolved:

net: use sockgenput() when skstate is TCPTIME_WAIT

It is possible for a pointer of type struct inettimewaitsock to be returned from the functions _inetlookupestablished() and _inet6lookupestablished(). This can cause a crash when the returned pointer is of type struct inettimewaitsock and sockput() is called on it. The following is a crash call stack that shows sk->skwmemalloc being accessed in skfree() during the call to sockput() on a struct inettimewaitsock pointer. To avoid this issue, use sockgenput() instead of sockput() when sk->skstate is TCPTIME_WAIT.

mrdump.ko ipanic() + 120 vmlinux notifiercallchain(nrtocall=-1, nrcalls=0) + 132 vmlinux atomicnotifiercallchain(val=0) + 56 vmlinux panic() + 344 vmlinux addtaint() + 164 vmlinux endreport() + 136 vmlinux kasanreport(size=0) + 236 vmlinux reporttagfault() + 16 vmlinux dotagrecovery() + 16 vmlinux _dokernelfault() + 88 vmlinux dobadarea() + 28 vmlinux dotagcheckfault() + 60 vmlinux domemabort() + 80 vmlinux el1abort() + 56 vmlinux el1h64synchandler() + 124 vmlinux > 0xFFFFFFC080011294() vmlinux _lseatomicfetchaddrelease(v=0xF2FFFF82A896087C) vmlinux _lseatomicfetchsubrelease(v=0xF2FFFF82A896087C) vmlinux archatomicfetchsubrelease(i=1, v=0xF2FFFF82A896087C) + 8 vmlinux rawatomicfetchsubrelease(i=1, v=0xF2FFFF82A896087C) + 8 vmlinux atomicfetchsubrelease(i=1, v=0xF2FFFF82A896087C) + 8 vmlinux _refcountsubandtest(i=1, r=0xF2FFFF82A896087C, oldp=0) + 8 vmlinux _refcountdecandtest(r=0xF2FFFF82A896087C, oldp=0) + 8 vmlinux refcountdecandtest(r=0xF2FFFF82A896087C) + 8 vmlinux skfree(sk=0xF2FFFF82A8960700) + 28 vmlinux sockput() + 48 vmlinux tcp6checkfraglistgro() + 236 vmlinux tcp6groreceive() + 624 vmlinux ipv6groreceive() + 912 vmlinux devgroreceive() + 1116 vmlinux napigroreceive() + 196 ccmni.ko ccmnirxcallback() + 208 ccmni.ko ccmniqueuerecvskb() + 388 cccidpmaif.ko dpmaifrxqpush_thread() + 1088 vmlinux kthread() + 268 vmlinux 0xFFFFFFC08001F30C()