CVE-2025-22103

Summary

In the Linux kernel, the following vulnerability has been resolved:

net: fix NULL pointer dereference in l3mdev_l3_rcv

When delete l3s ipvlan:

ip link del link eth0 ipvlan1 type ipvlan mode l3s

This may cause a null pointer dereference:

Call trace:
 ip_rcv_finish+0x48/0xd0
 ip_rcv+0x5c/0x100
 __netif_receive_skb_one_core+0x64/0xb0
 __netif_receive_skb+0x20/0x80
 process_backlog+0xb4/0x204
 napi_poll+0xe8/0x294
 net_rx_action+0xd8/0x22c
 __do_softirq+0x12c/0x354

This is because l3mdev_l3_rcv() visit dev->l3mdev_ops after ipvlan_l3s_unregister() assign the dev->l3mdev_ops to NULL. The process like this:

(CPU1)                     | (CPU2)
l3mdev_l3_rcv()            |
  check dev->priv_flags:   |
    master = skb->dev;     |
                           |
                           | ipvlan_l3s_unregister()
                           |   set dev->priv_flags
                           |   dev->l3mdev_ops = NULL;
                           |
  visit master->l3mdev_ops |

To avoid this by do not set dev->l3mdev_ops when unregister l3s ipvlan.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxc675e06a98a474f7ad0af32ce467613da818da52 < 52b44d8c653459c658b733d13658afdde45f6836affected
LinuxLinuxc675e06a98a474f7ad0af32ce467613da818da52 < 59599bce44af3df7a215ebc81cb166426e1c9204affected
LinuxLinuxc675e06a98a474f7ad0af32ce467613da818da52 < f9dff65140efc289f01bcf39c3ca66a8806b6132affected
LinuxLinuxc675e06a98a474f7ad0af32ce467613da818da52 < 0032c99e83b9ce6d5995d65900aa4b6ffb501cceaffected
LinuxLinux5.1affected
LinuxLinux0 < 5.1unaffected
LinuxLinux6.6.117 <= 6.6.*unaffected
LinuxLinux6.12.46 <= 6.12.*unaffected
LinuxLinux6.14.2 <= 6.14.*unaffected
LinuxLinux6.15 <= *unaffected

Weaknesses

References