CVE-2025-38106

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-38106
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-38106.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-38106
Published
2025-07-03T08:35:16Z
Modified
2025-10-16T01:58:39.367990Z
Summary
io_uring: fix use-after-free of sq->thread in __io_uring_show_fdinfo()
Details

In the Linux kernel, the following vulnerability has been resolved:

io_uring: fix use-after-free of sq->thread in __io_uring_show_fdinfo()

syzbot reports:

BUG: KASAN: slab-use-after-free in getrusage+0x1109/0x1a60
Read of size 8 at addr ffff88810de2d2c8 by task a.out/304

CPU: 0 UID: 0 PID: 304 Comm: a.out Not tainted 6.16.0-rc1 #1 PREEMPT(voluntary)
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0x53/0x70
 print_report+0xd0/0x670
 ? __pfx__raw_spin_lock_irqsave+0x10/0x10
 ? getrusage+0x1109/0x1a60
 kasan_report+0xce/0x100
 ? getrusage+0x1109/0x1a60
 getrusage+0x1109/0x1a60
 ? __pfx_getrusage+0x10/0x10
 __io_uring_show_fdinfo+0x9fe/0x1790
 ? ksys_read+0xf7/0x1c0
 ? do_syscall_64+0xa4/0x260
 ? vsnprintf+0x591/0x1100
 ? __pfx___io_uring_show_fdinfo+0x10/0x10
 ? __pfx_vsnprintf+0x10/0x10
 ? mutex_trylock+0xcf/0x130
 ? __pfx_mutex_trylock+0x10/0x10
 ? __pfx_show_fd_locks+0x10/0x10
 ? io_uring_show_fdinfo+0x57/0x80
 io_uring_show_fdinfo+0x57/0x80
 seq_show+0x38c/0x690
 seq_read_iter+0x3f7/0x1180
 ? inode_set_ctime_current+0x160/0x4b0
 seq_read+0x271/0x3e0
 ? __pfx_seq_read+0x10/0x10
 ? __pfx__raw_spin_lock+0x10/0x10
 ? __mark_inode_dirty+0x402/0x810
 ? selinux_file_permission+0x368/0x500
 ? file_update_time+0x10f/0x160
 vfs_read+0x177/0xa40
 ? __pfx_handle_mm_fault+0x10/0x10
 ? __pfx_vfs_read+0x10/0x10
 ? mutex_lock+0x81/0xe0
 ? __pfx_mutex_lock+0x10/0x10
 ? fdget_pos+0x24d/0x4b0
 ksys_read+0xf7/0x1c0
 ? __pfx_ksys_read+0x10/0x10
 ? do_user_addr_fault+0x43b/0x9c0
 do_syscall_64+0xa4/0x260
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f0f74170fc9
Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 8
RSP: 002b:00007fffece049e8 EFLAGS: 00000206 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f0f74170fc9
RDX: 0000000000001000 RSI: 00007fffece049f0 RDI: 0000000000000004
RBP: 00007fffece05ad0 R08: 0000000000000000 R09: 00007fffece04d90
R10: 0000000000000000 R11: 0000000000000206 R12: 00005651720a1100
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
 </TASK>

Allocated by task 298:
 kasan_save_stack+0x33/0x60
 kasan_save_track+0x14/0x30
 __kasan_slab_alloc+0x6e/0x70
 kmem_cache_alloc_node_noprof+0xe8/0x330
 copy_process+0x376/0x5e00
 create_io_thread+0xab/0xf0
 io_sq_offload_create+0x9ed/0xf20
 io_uring_setup+0x12b0/0x1cc0
 do_syscall_64+0xa4/0x260
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 22:
 kasan_save_stack+0x33/0x60
 kasan_save_track+0x14/0x30
 kasan_save_free_info+0x3b/0x60
 __kasan_slab_free+0x37/0x50
 kmem_cache_free+0xc4/0x360
 rcu_core+0x5ff/0x19f0
 handle_softirqs+0x18c/0x530
 run_ksoftirqd+0x20/0x30
 smpboot_thread_fn+0x287/0x6c0
 kthread+0x30d/0x630
 ret_from_fork+0xef/0x1a0
 ret_from_fork_asm+0x1a/0x30

Last potentially related work creation:
 kasan_save_stack+0x33/0x60
 kasan_record_aux_stack+0x8c/0xa0
 __call_rcu_common.constprop.0+0x68/0x940
 __schedule+0xff2/0x2930
 __cond_resched+0x4c/0x80
 mutex_lock+0x5c/0xe0
 io_uring_del_tctx_node+0xe1/0x2b0
 io_uring_clean_tctx+0xb7/0x160
 io_uring_cancel_generic+0x34e/0x760
 do_exit+0x240/0x2350
 do_group_exit+0xab/0x220
 __x64_sys_exit_group+0x39/0x40
 x64_sys_call+0x1243/0x1840
 do_syscall_64+0xa4/0x260
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88810de2cb00
 which belongs to the cache task_struct of size 3712
The buggy address is located 1992 bytes inside of
 freed 3712-byte region [ffff88810de2cb00, ffff88810de2d980)

which is caused by the task_struct pointed to by sq->thread being released while it is being used in the function __io_uring_show_fdinfo(). Holding ctx->uring_lock does not prevent the release or exit of sq->thread.

Fix this by assigning and looking up ->thread under RCU, and grabbing a reference to the task_struct. This e ---truncated---

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
3fcb9d17206e31630f802a3ab52081d1342b8ed9
Fixed
af8c13f9ee040b9a287ba246cf0055f7c77b7cc8
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
3fcb9d17206e31630f802a3ab52081d1342b8ed9
Fixed
d0932758a0a77b38ba1b39564f3b7aba12407061
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
3fcb9d17206e31630f802a3ab52081d1342b8ed9
Fixed
ac0b8b327a5677dc6fecdf353d808161525b1ff0

Affected versions

v6.*

v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.12.10
v6.12.11
v6.12.12
v6.12.13
v6.12.14
v6.12.15
v6.12.16
v6.12.17
v6.12.18
v6.12.19
v6.12.2
v6.12.20
v6.12.21
v6.12.22
v6.12.23
v6.12.24
v6.12.25
v6.12.26
v6.12.27
v6.12.28
v6.12.29
v6.12.3
v6.12.30
v6.12.31
v6.12.32
v6.12.33
v6.12.4
v6.12.5
v6.12.6
v6.12.7
v6.12.8
v6.12.9
v6.13
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.14
v6.14-rc1
v6.14-rc2
v6.14-rc3
v6.14-rc4
v6.14-rc5
v6.14-rc6
v6.14-rc7
v6.15
v6.15-rc1
v6.15-rc2
v6.15-rc3
v6.15-rc4
v6.15-rc5
v6.15-rc6
v6.15-rc7
v6.15.1
v6.15.2
v6.8
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.9.0
Fixed
6.12.34
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.15.3