CVE-2025-38490

pagepoolputfullpage() should only be invoked when freeing Rx buffers or building a skb if the size is too short. At other times, the pages need to be reused. So remove the redundant page put. In the original code, double free pages cause kernel panic:

[ 876.949834] irqexitrcu+0xc7/0x130 [ 876.949836] commoninterrupt+0xb8/0xd0 [ 876.949838] </IRQ> [ 876.949838] <TASK> [ 876.949840] asmcommoninterrupt+0x22/0x40 [ 876.949841] RIP: 0010:cpuidleenterstate+0xc2/0x420 [ 876.949843] Code: 00 00 e8 d1 1d 5e ff e8 ac f0 ff ff 49 89 c5 0f 1f 44 00 00 31 ff e8 cd fc 5c ff 45 84 ff 0f 85 40 02 00 00 fb 0f 1f 44 00 00 <45> 85 f6 0f 88 84 01 00 00 49 63 d6 48 8d 04 52 48 8d 04 82 49 8d [ 876.949844] RSP: 0018:ffffaa7340267e78 EFLAGS: 00000246 [ 876.949845] RAX: ffff9e3f135be000 RBX: 0000000000000002 RCX: 0000000000000000 [ 876.949846] RDX: 000000cc2dc4cb7c RSI: ffffffff89ee49ae RDI: ffffffff89ef9f9e [ 876.949847] RBP: ffff9e378f940800 R08: 0000000000000002 R09: 00000000000000ed [ 876.949848] R10: 000000000000afc8 R11: ffff9e3e9e5a9b6c R12: ffffffff8a6d8580 [ 876.949849] R13: 000000cc2dc4cb7c R14: 0000000000000002 R15: 0000000000000000 [ 876.949852] ? cpuidleenterstate+0xb3/0x420 [ 876.949855] cpuidleenter+0x29/0x40 [ 876.949857] cpuidleidlecall+0xfd/0x170 [ 876.949859] doidle+0x7a/0xc0 [ 876.949861] cpustartupentry+0x25/0x30 [ 876.949862] startsecondary+0x117/0x140 [ 876.949864] commonstartup64+0x13e/0x148 [ 876.949867] </TASK> [ 876.949868] ---[ end trace 0000000000000000 ]--- [ 876.949869] ------------[ cut here ]------------ [ 876.949870] listdel corruption, ffffead40445a348->next is NULL [ 876.949873] WARNING: CPU: 14 PID: 0 at lib/listdebug.c:52 _listdelentryvalidorreport+0x67/0x120 [ 876.949875] Modules linked in: sndhrtimer(E) bnep(E) binfmtmisc(E) amdgpu(E) squashfs(E) vfat(E) loop(E) fat(E) amdatl(E) sndhdacodecrealtek(E) intelraplmsr(E) sndhdacodecgeneric(E) intelraplcommon(E) sndhdascodeccomponent(E) sndhdacodechdmi(E) sndhdaintel(E) edacmceamd(E) sndinteldspcfg(E) sndhdacodec(E) sndhdacore(E) amdxcp(E) kvmamd(E) sndhwdep(E) gpusched(E) drmpanelbacklightquirks(E) cec(E) sndpcm(E) drmbuddy(E) sndseqdummy(E) drmttmhelper(E) btusb(E) kvm(E) sndseqoss(E) btrtl(E) ttm(E) btintel(E) sndseqmidi(E) btbcm(E) drmexec(E) sndseqmidievent(E) i2calgobit(E) sndrawmidi(E) bluetooth(E) drmsuballochelper(E) irqbypass(E) sndseq(E) ghashclmulniintel(E) sha512ssse3(E) drmdisplayhelper(E) aesniintel(E) sndseqdevice(E) rfkill(E) sndtimer(E) gf128mul(E) drmclientlib(E) drmkmshelper(E) snd(E) i2cpiix4(E) joydev(E) soundcore(E) wmibmof(E) ccp(E) k10temp(E) i2csmbus(E) gpioamdpt(E) i2cdesignwareplatform(E) gpiogeneric(E) sg(E) [ 876.949914] i2cdesignwarecore(E) schfqcodel(E) parportpc(E) drm(E) ppdev(E) lp(E) parport(E) fuse(E) nfnetlink(E) iptables(E) ext4 crc16 mbcache jbd2 sdmod sfp mdioi2c i2ccore txgbe ahci ngbe pcsxpcs libahci libwx r8169 phylink libata realtek ptp ppscore video wmi [ 876.949933] CPU: 14 UID: 0 PID: 0 Comm: swapper/14 Kdump: loaded Tainted: G W E 6.16.0-rc2+ #20 PREEMPT(voluntary) [ 876.949935] Tainted: [W]=WARN, [E]=UNSIGNEDMODULE [ 876.949936] Hardware name: Micro-Star International Co., Ltd. MS-7E16/X670E GAMING PLUS WIFI (MS-7E16), BIOS 1.90 12/31/2024 [ 876.949936] RIP: 0010:listdelentryvalidorreport+0x67/0x120 [ 876.949938] Code: 00 00 00 48 39 7d 08 0f 85 a6 00 00 00 5b b8 01 00 00 00 5d 41 5c e9 73 0d 93 ff 48 89 fe 48 c7 c7 a0 31 e8 89 e8 59 7c b3 ff <0f> 0b 31 c0 5b 5d 41 5c e9 57 0d 93 ff 48 89 fe 48 c7 c7 c8 31 e8 [ 876.949940] RSP: 0018:ffffaa73405d0c60 EFLAGS: 00010282 [ 876.949941] RAX: 0000000000000000 RBX: ffffead40445a348 RCX: 0000000000000000 [ 876.949942] RDX: 0000000000000105 RSI: 00000 ---truncated---

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

3c47e8ae113a68da47987750d9896e325d0aeedd

Fixed

3c91a56762b1f0d1e4af2d86c2cba83b61ed9eaa

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

3c47e8ae113a68da47987750d9896e325d0aeedd

Fixed

08d18bda0d03f5ec376929a8c6c4495f9594593a

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

3c47e8ae113a68da47987750d9896e325d0aeedd

Fixed

003e4765d8661be97e650a833868c53d35574130

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

3c47e8ae113a68da47987750d9896e325d0aeedd

Fixed

1b7e585c04cd5f0731dd25ffd396277e55fae0e6

Affected versions

v6.*

v6.10

v6.10-rc1

v6.10-rc2

v6.10-rc3

v6.10-rc4

v6.10-rc5

v6.10-rc6

v6.10-rc7

v6.11

v6.11-rc1

v6.11-rc2

v6.11-rc3

v6.11-rc4

v6.11-rc5

v6.11-rc6

v6.11-rc7

v6.12

v6.12-rc1

v6.12-rc2

v6.12-rc3

v6.12-rc4

v6.12-rc5

v6.12-rc6

v6.12-rc7

v6.12.1

v6.12.10

v6.12.11

v6.12.12

v6.12.13

v6.12.14

v6.12.15

v6.12.16

v6.12.17

v6.12.18

v6.12.19

v6.12.2

v6.12.20

v6.12.21

v6.12.22

v6.12.23

v6.12.24

v6.12.25

v6.12.26

v6.12.27

v6.12.28

v6.12.29

v6.12.3

v6.12.30

v6.12.31

v6.12.32

v6.12.33

v6.12.34

v6.12.35

v6.12.36

v6.12.37

v6.12.38

v6.12.39

v6.12.4

v6.12.5

v6.12.6

v6.12.7

v6.12.8

v6.12.9

v6.13

v6.13-rc1

v6.13-rc2

v6.13-rc3

v6.13-rc4

v6.13-rc5

v6.13-rc6

v6.13-rc7

v6.14

v6.14-rc1

v6.14-rc2

v6.14-rc3

v6.14-rc4

v6.14-rc5

v6.14-rc6

v6.14-rc7

v6.15

v6.15-rc1

v6.15-rc2

v6.15-rc3

v6.15-rc4

v6.15-rc5

v6.15-rc6

v6.15-rc7

v6.15.1

v6.15.2

v6.15.3

v6.15.4

v6.15.5

v6.15.6

v6.15.7

v6.16-rc1

v6.16-rc2

v6.16-rc3

v6.16-rc4

v6.16-rc5

v6.2

v6.2-rc7

v6.2-rc8

v6.3

v6.3-rc1

v6.3-rc2

v6.3-rc3

v6.3-rc4

v6.3-rc5

v6.3-rc6

v6.3-rc7

v6.4

v6.4-rc1

v6.4-rc2

v6.4-rc3

v6.4-rc4

v6.4-rc5

v6.4-rc6

v6.4-rc7

v6.5

v6.5-rc1

v6.5-rc2

v6.5-rc3

v6.5-rc4

v6.5-rc5

v6.5-rc6

v6.5-rc7

v6.6

v6.6-rc1

v6.6-rc2

v6.6-rc3

v6.6-rc4

v6.6-rc5

v6.6-rc6

v6.6-rc7

v6.6.1

v6.6.10

v6.6.11

v6.6.12

v6.6.13

v6.6.14

v6.6.15

v6.6.16

v6.6.17

v6.6.18

v6.6.19

v6.6.2

v6.6.20

v6.6.21

v6.6.22

v6.6.23

v6.6.24

v6.6.25

v6.6.26

v6.6.27

v6.6.28

v6.6.29

v6.6.3

v6.6.30

v6.6.31

v6.6.32

v6.6.33

v6.6.34

v6.6.35

v6.6.36

v6.6.37

v6.6.38

v6.6.39

v6.6.4

v6.6.40

v6.6.41

v6.6.42

v6.6.43

v6.6.44

v6.6.45

v6.6.46

v6.6.47

v6.6.48

v6.6.49

v6.6.5

v6.6.50

v6.6.51

v6.6.52

v6.6.53

v6.6.54

v6.6.55

v6.6.56

v6.6.57

v6.6.58

v6.6.59

v6.6.6

v6.6.60

v6.6.61

v6.6.62

v6.6.63

v6.6.64

v6.6.65

v6.6.66

v6.6.67

v6.6.68

v6.6.69

v6.6.7

v6.6.70

v6.6.71

v6.6.72

v6.6.73

v6.6.74

v6.6.75

v6.6.76

v6.6.77

v6.6.78

v6.6.79

v6.6.8

v6.6.80

v6.6.81

v6.6.82

v6.6.83

v6.6.84

v6.6.85

v6.6.86

v6.6.87

v6.6.88

v6.6.89

v6.6.9

v6.6.90

v6.6.91

v6.6.92

v6.6.93

v6.6.94

v6.6.95

v6.6.96

v6.6.97

v6.6.98

v6.6.99

v6.7

v6.7-rc1

v6.7-rc2

v6.7-rc3

v6.7-rc4

v6.7-rc5

v6.7-rc6

v6.7-rc7

v6.7-rc8

v6.8

v6.8-rc1

v6.8-rc2

v6.8-rc3

v6.8-rc4

v6.8-rc5

v6.8-rc6

v6.8-rc7

v6.9

v6.9-rc1

v6.9-rc2

v6.9-rc3

v6.9-rc4

v6.9-rc5

v6.9-rc6

v6.9-rc7

Database specific

vanir_signatures

[
    {
        "signature_version": "v1",
        "digest": {
            "function_hash": "114715641453145519168617012458996819349",
            "length": 254.0
        },
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@003e4765d8661be97e650a833868c53d35574130",
        "target": {
            "function": "wx_put_rx_buffer",
            "file": "drivers/net/ethernet/wangxun/libwx/wx_lib.c"
        },
        "id": "CVE-2025-38490-1987d19a"
    },
    {
        "signature_version": "v1",
        "digest": {
            "function_hash": "207020466341813132559558764900754946708",
            "length": 360.0
        },
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1b7e585c04cd5f0731dd25ffd396277e55fae0e6",
        "target": {
            "function": "wx_dma_sync_frag",
            "file": "drivers/net/ethernet/wangxun/libwx/wx_lib.c"
        },
        "id": "CVE-2025-38490-32751bdf"
    },
    {
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "12327944971527950794141572129173602072",
                "189274157432404984868770001833590143496",
                "182804766896084018529063451135043427441",
                "292898813646662278645092883082495301481"
            ]
        },
        "deprecated": false,
        "signature_type": "Line",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@003e4765d8661be97e650a833868c53d35574130",
        "target": {
            "file": "drivers/net/ethernet/wangxun/libwx/wx_type.h"
        },
        "id": "CVE-2025-38490-636ce475"
    },
    {
        "signature_version": "v1",
        "digest": {
            "function_hash": "207020466341813132559558764900754946708",
            "length": 360.0
        },
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@003e4765d8661be97e650a833868c53d35574130",
        "target": {
            "function": "wx_dma_sync_frag",
            "file": "drivers/net/ethernet/wangxun/libwx/wx_lib.c"
        },
        "id": "CVE-2025-38490-77489e4f"
    },
    {
        "signature_version": "v1",
        "digest": {
            "function_hash": "247760240079476978539452737087138882523",
            "length": 673.0
        },
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1b7e585c04cd5f0731dd25ffd396277e55fae0e6",
        "target": {
            "function": "wx_clean_rx_ring",
            "file": "drivers/net/ethernet/wangxun/libwx/wx_lib.c"
        },
        "id": "CVE-2025-38490-7f62cbef"
    },
    {
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "20435648458976580040832965445835581046",
                "294994682861235386297332791185774163903",
                "108850280533099668525327655374981294045",
                "134296732771623202330093874010518903752",
                "300518997347515399546519882408171885578",
                "130496835186366643633352636916553065140",
                "335318612319046177695418375378501003098",
                "161162081336000502309826918642038385102",
                "219422028191872230945093939382028215436",
                "126487944853945941068674831426064982668",
                "323892136854917668033551187957011258924",
                "165393485751054213116120108779549530821",
                "36951110054388449945532217041108555255",
                "329472150199210568132601205950620285809",
                "158310670021769027854717549270746442778"
            ]
        },
        "deprecated": false,
        "signature_type": "Line",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1b7e585c04cd5f0731dd25ffd396277e55fae0e6",
        "target": {
            "file": "drivers/net/ethernet/wangxun/libwx/wx_lib.c"
        },
        "id": "CVE-2025-38490-96564096"
    },
    {
        "signature_version": "v1",
        "digest": {
            "function_hash": "247760240079476978539452737087138882523",
            "length": 673.0
        },
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@003e4765d8661be97e650a833868c53d35574130",
        "target": {
            "function": "wx_clean_rx_ring",
            "file": "drivers/net/ethernet/wangxun/libwx/wx_lib.c"
        },
        "id": "CVE-2025-38490-9e29d55c"
    },
    {
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "20435648458976580040832965445835581046",
                "294994682861235386297332791185774163903",
                "108850280533099668525327655374981294045",
                "134296732771623202330093874010518903752",
                "300518997347515399546519882408171885578",
                "130496835186366643633352636916553065140",
                "335318612319046177695418375378501003098",
                "161162081336000502309826918642038385102",
                "219422028191872230945093939382028215436",
                "126487944853945941068674831426064982668",
                "323892136854917668033551187957011258924",
                "165393485751054213116120108779549530821",
                "36951110054388449945532217041108555255",
                "329472150199210568132601205950620285809",
                "158310670021769027854717549270746442778"
            ]
        },
        "deprecated": false,
        "signature_type": "Line",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@003e4765d8661be97e650a833868c53d35574130",
        "target": {
            "file": "drivers/net/ethernet/wangxun/libwx/wx_lib.c"
        },
        "id": "CVE-2025-38490-bc3f0790"
    },
    {
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "12327944971527950794141572129173602072",
                "189274157432404984868770001833590143496",
                "182804766896084018529063451135043427441",
                "292898813646662278645092883082495301481"
            ]
        },
        "deprecated": false,
        "signature_type": "Line",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1b7e585c04cd5f0731dd25ffd396277e55fae0e6",
        "target": {
            "file": "drivers/net/ethernet/wangxun/libwx/wx_type.h"
        },
        "id": "CVE-2025-38490-cde30345"
    },
    {
        "signature_version": "v1",
        "digest": {
            "function_hash": "114715641453145519168617012458996819349",
            "length": 254.0
        },
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1b7e585c04cd5f0731dd25ffd396277e55fae0e6",
        "target": {
            "function": "wx_put_rx_buffer",
            "file": "drivers/net/ethernet/wangxun/libwx/wx_lib.c"
        },
        "id": "CVE-2025-38490-e6df935b"
    }
]

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.3.0

Fixed

6.6.100

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.12.40

Type: ECOSYSTEM
Events: Introduced

6.13.0

Fixed

6.15.8