CVE-2025-68245

In the Linux kernel, the following vulnerability has been resolved:

net: netpoll: fix incorrect refcount handling causing incorrect cleanup

commit efa95b01da18 (“netpoll: fix use after free”) incorrectly
ignored the refcount and prematurely set dev->npinfo to NULL during
netpoll cleanup, leading to improper behavior and memory leaks.

Scenario causing lack of proper cleanup:

1) A netpoll is associated with a NIC (e.g., eth0) and netdev->npinfo is
allocated, and refcnt = 1
– Keep in mind that npinfo is shared among all netpoll instances. In
this case, there is just one.

2) Another netpoll is also associated with the same NIC and
npinfo->refcnt += 1.
– Now dev->npinfo->refcnt = 2;
– There is just one npinfo associated to the netdev.

3) When the first netpolls goes to clean up:
– The first cleanup succeeds and clears np->dev->npinfo, ignoring
refcnt.
– It basically calls `RCU_INIT_POINTER(np->dev->npinfo, NULL);`
– Set dev->npinfo = NULL, without proper cleanup
– No ->ndo_netpoll_cleanup() is either called

4) Now the second target tries to clean up
– The second cleanup fails because np->dev->npinfo is already NULL.
* In this case, ops->ndo_netpoll_cleanup() was never called, and
the skb pool is not cleaned as well (for the second netpoll
instance)
– This leaks npinfo and skbpool skbs, which is clearly reported by
kmemleak.

Revert commit efa95b01da18 (“netpoll: fix use after free”) and adds
clarifying comments emphasizing that npinfo cleanup should only happen
once the refcount reaches zero, ensuring stable and correct netpoll
behavior.

More information : https://git.kernel.org/stable/c/49c8d2c1f94cc2f4d1a108530d7ba52614b874c2