APPLIED: [SRU][N][PATCH 0/1] CVE-2025-40297

Stefan Bader stefan.bader at canonical.com
Thu Jan 8 14:34:01 UTC 2026


On 07/01/2026 02:54, Tim Whisonant wrote:
> SRU Justification:
> 
> [Impact]
> 
> net: bridge: fix use-after-free due to MST port state bypass
> 
> syzbot reported[1] a use-after-free when deleting an expired fdb. It is
> due to a race condition between learning still happening and a port being
> deleted, after all its fdbs have been flushed. The port's state has been
> toggled to disabled so no learning should happen at that time, but if we
> have MST enabled, it will bypass the port's state, that together with VLAN
> filtering disabled can lead to fdb learning at a time when it shouldn't
> happen while the port is being deleted. VLAN filtering must be disabled
> because we flush the port VLANs when it's being deleted which will stop
> learning. This fix adds a check for the port's vlan group which is
> initialized to NULL when the port is getting deleted, that avoids the port
> state bypass. When MST is enabled there would be a minimal new overhead
> in the fast-path because the port's vlan group pointer is cache-hot.
> 
> [1] https://syzkaller.appspot.com/bug?extid=dd280197f0f7ab3917be
> 
> [Fix]
> 
> Questing: fixed separately
> Noble:    cherry picked from upstream
> Jammy:    not affected
> Focal:    not affected
> Bionic:   not affected
> Xenial:   not affected
> Trusty:   not affected
> 
> [Test Plan]
> 
> Compile and boot tested.
> 
> [Where problems could occur]
> 
> The changes prevent a use-after-free scenario in the networking
> stack, specifically when deleting a forwarding database when
> in Multiple Spanning Tree mode. Issues might appear as errors
> in the port learning and forwarding state machine.
> 
> Nikolay Aleksandrov (1):
>    net: bridge: fix use-after-free due to MST port state bypass
> 
>   net/bridge/br_forward.c | 2 +-
>   net/bridge/br_input.c   | 4 ++--
>   net/bridge/br_private.h | 8 +++++---
>   3 files changed, 8 insertions(+), 6 deletions(-)
> 


Applied to noble:linux/master-next. Thanks.

-Stefan
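
Added example, not part of the original thread and not the kernel patch itself: a user-space C model of the learning gate described in the [Impact] section, showing the MST port state bypass before and after the vlan group check. All type, field and function names are hypothetical, and the per-VLAN check is reduced to "the port still has VLANs".

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical user-space model; none of these names are kernel identifiers. */
enum port_state { PORT_DISABLED, PORT_LEARNING, PORT_FORWARDING };

struct vlan_group { int num_vlans; };

struct bridge_port {
    enum port_state state;     /* toggled to disabled before deletion */
    bool mst_enabled;          /* MST mode on the bridge */
    bool vlan_filtering;       /* VLAN filtering on the bridge */
    struct vlan_group *vlgrp;  /* set to NULL while the port is deleted */
};

/* Before the fix: MST alone makes the data path skip the port state. */
static bool mst_bypass_before(const struct bridge_port *p)
{
    return p->mst_enabled;
}

/* After the fix: the bypass also requires a live VLAN group. */
static bool mst_bypass_after(const struct bridge_port *p)
{
    return p->mst_enabled && p->vlgrp != NULL;
}

/* Decide whether an ingress frame may create an fdb entry on this port. */
static bool may_learn(const struct bridge_port *p,
                      bool (*bypass)(const struct bridge_port *))
{
    if (!bypass(p))   /* normal path: the port state gates learning */
        return p->state == PORT_LEARNING || p->state == PORT_FORWARDING;
    if (!p->vlan_filtering)   /* no per-VLAN check left to stop the frame */
        return true;
    return p->vlgrp != NULL && p->vlgrp->num_vlans > 0; /* flushed VLANs stop it */
}

int main(void)
{
    /* Constructed case: port mid-deletion, MST on, VLAN filtering off. */
    struct bridge_port dying = { PORT_DISABLED, true, false, NULL };
    printf("before fix: learn=%d\n", may_learn(&dying, mst_bypass_before));
    printf("after fix:  learn=%d\n", may_learn(&dying, mst_bypass_after));
    return 0;
}
```
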
