OESA-2025-2656

Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2025-2656
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2025-2656.json
JSON Data
https://api.test.osv.dev/v1/vulns/OESA-2025-2656
Upstream
Published
2025-11-14T12:38:21Z
Modified
2025-11-17T04:49:29.474967Z
Summary
kernel security update
Details

The Linux Kernel, the operating system core itself.

Security Fix(es):

In the Linux kernel, the following vulnerability has been resolved:

spufs: fix a leak on spufs_new_file() failure

It's called from spufs_fill_dir(), and the caller of that will do spufs_rmdir() in case of failure. That does remove everything we'd managed to create, but... the problem dentry is still negative. IOW, it needs to be explicitly dropped. (CVE-2025-22073)

In the Linux kernel, the following vulnerability has been resolved:

i2c: cros-ec-tunnel: defer probe if parent EC is not present

When i2c-cros-ec-tunnel and the EC driver are built-in, the EC parent device will not be found, leading to a NULL pointer dereference.

That can also be reproduced by unbinding the controller driver and then loading i2c-cros-ec-tunnel module (or binding the device).

[ 271.991245] BUG: kernel NULL pointer dereference, address: 0000000000000058
[ 271.998215] #PF: supervisor read access in kernel mode
[ 272.003351] #PF: error_code(0x0000) - not-present page
[ 272.008485] PGD 0 P4D 0
[ 272.011022] Oops: Oops: 0000 [#1] SMP NOPTI
[ 272.015207] CPU: 0 UID: 0 PID: 3859 Comm: insmod Tainted: G S 6.15.0-rc1-00004-g44722359ed83 #30 PREEMPT(full) 3c7fb39a552e7d949de2ad921a7d6588d3a4fdc5
[ 272.030312] Tainted: [S]=CPU_OUT_OF_SPEC
[ 272.034233] Hardware name: HP Berknip/Berknip, BIOS Google_Berknip.13434.356.0 05/17/2021
[ 272.042400] RIP: 0010:ec_i2c_probe+0x2b/0x1c0 [i2c_cros_ec_tunnel]
[ 272.048577] Code: 1f 44 00 00 41 57 41 56 41 55 41 54 53 48 83 ec 10 65 48 8b 05 06 a0 6c e7 48 89 44 24 08 4c 8d 7f 10 48 8b 47 50 4c 8b 60 78 <49> 83 7c 24 58 00 0f 84 2f 01 00 00 48 89 fb be 30 06 00 00 4c 9
[ 272.067317] RSP: 0018:ffffa32082a03940 EFLAGS: 00010282
[ 272.072541] RAX: ffff969580b6a810 RBX: ffff969580b68c10 RCX: 0000000000000000
[ 272.079672] RDX: 0000000000000000 RSI: 0000000000000282 RDI: ffff969580b68c00
[ 272.086804] RBP: 00000000fffffdfb R08: 0000000000000000 R09: 0000000000000000
[ 272.093936] R10: 0000000000000000 R11: ffffffffc0600000 R12: 0000000000000000
[ 272.101067] R13: ffffffffa666fbb8 R14: ffffffffc05b5528 R15: ffff969580b68c10
[ 272.108198] FS:  00007b930906fc40(0000) GS:ffff969603149000(0000) knlGS:0000000000000000
[ 272.116282] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 272.122024] CR2: 0000000000000058 CR3: 000000012631c000 CR4: 00000000003506f0
[ 272.129155] Call Trace:
[ 272.131606]  <TASK>
[ 272.133709]  ? acpi_dev_pm_attach+0xdd/0x110
[ 272.137985]  platform_probe+0x69/0xa0
[ 272.141652]  really_probe+0x152/0x310
[ 272.145318]  __driver_probe_device+0x77/0x110
[ 272.149678]  driver_probe_device+0x1e/0x190
[ 272.153864]  __driver_attach+0x10b/0x1e0
[ 272.157790]  ? driver_attach+0x20/0x20
[ 272.161542]  bus_for_each_dev+0x107/0x150
[ 272.165553]  bus_add_driver+0x15d/0x270
[ 272.169392]  driver_register+0x65/0x110
[ 272.173232]  ? cleanup_module+0xa80/0xa80 [i2c_cros_ec_tunnel 3a00532f3f4af4a9eade753f86b0f8dd4e4e5698]
[ 272.182617]  do_one_initcall+0x110/0x350
[ 272.186543]  ? security_kernfs_init_security+0x49/0xd0
[ 272.191682]  ? __kernfs_new_node+0x1b9/0x240
[ 272.195954]  ? security_kernfs_init_security+0x49/0xd0
[ 272.201093]  ? __kernfs_new_node+0x1b9/0x240
[ 272.205365]  ? kernfs_link_sibling+0x105/0x130
[ 272.209810]  ? kernfs_next_descendant_post+0x1c/0xa0
[ 272.214773]  ? kernfs_activate+0x57/0x70
[ 272.218699]  ? kernfs_add_one+0x118/0x160
[ 272.222710]  ? __kernfs_create_file+0x71/0xa0
[ 272.227069]  ? sysfs_add_bin_file_mode_ns+0xd6/0x110
[ 272.232033]  ? internal_create_group+0x453/0x4a0
[ 272.236651]  ? __vunmap_range_noflush+0x214/0x2d0
[ 272.241355]  ? __free_frozen_pages+0x1dc/0x420
[ 272.245799]  ? free_vmap_area_noflush+0x10a/0x1c0
[ 272.250505]  ? load_module+0x1509/0x16f0
[ 272.254431]  do_init_module+0x60/0x230
[ 272.258181]  __se_sys_finit_module+0x27a/0x370
[ 272.262627]  do_syscall_64+0x6a/0xf0
[ 272.266206]  ? do_syscall_64+0x76/0xf0
[ 272.269956]  ? irqentry_exit_to_user_mode+0x79/0x90
[ 272.274836]  entry_SYSCALL_64_after_hwframe+0x55/0x5d
[ 272.279887] RIP: 0033:0x7b9309168d39
[ 272.283466] Code: 5b 41 5c 5d c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d af 40 0c 00 f7 d8 64 89 01 8
[ 272.302210] RSP: 002b:00007fff50f1a288 EFLAGS: 00000246 ORIG_RAX: 000
---truncated--- (CVE-2025-37781)

In the Linux kernel, the following vulnerability has been resolved:

drm/hisilicon/hibmc: fix the hibmc loaded failed bug

When hibmc fails to load, the driver uses hibmc_unload to free the resources, but the mutexes in mode.config are not initialized, so it accesses a NULL pointer. Just change the goto statement to return, because hibmc_hw_init() doesn't need to free anything. (CVE-2025-39772)

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix wrong index reference in smb2_compound_op()

In smb2_compound_op(), the loop that processes each command's response uses wrong indices when accessing response buffers.

This incorrect indexing leads to improper handling of command results. Also, if the incorrectly computed index is greater than or equal to MAX_COMPOUND, it can cause out-of-bounds accesses. (CVE-2025-39975)

In the Linux kernel, the following vulnerability has been resolved:

KVM: x86: Don't (re)check L1 intercepts when completing userspace I/O

When completing emulation of an instruction that generated a userspace exit for I/O, don't recheck L1 intercepts as KVM has already finished that phase of instruction execution, i.e. has already committed to allowing L2 to perform I/O. If L1 (or host userspace) modifies the I/O permission bitmaps during the exit to userspace, KVM will treat the access as being intercepted despite already having emulated the I/O access.

Pivot on EMULTYPE_NO_DECODE to detect that KVM is completing emulation. Of the three users of EMULTYPE_NO_DECODE, only complete_emulated_io() (the intended "recipient") can reach the code in question. gp_interception()'s use is mutually exclusive with is_guest_mode(), and complete_emulated_insn_gp() unconditionally pairs EMULTYPE_NO_DECODE with EMULTYPE_SKIP.

The bad behavior was detected by a syzkaller program that toggles port I/O interception during the userspace I/O exit, ultimately resulting in a WARN on vcpu->arch.pio.count being non-zero due to KVM not completing emulation of the I/O instruction.

WARNING: CPU: 23 PID: 1083 at arch/x86/kvm/x86.c:8039 emulator_pio_in_out+0x154/0x170 [kvm]
Modules linked in: kvm_intel kvm irqbypass
CPU: 23 UID: 1000 PID: 1083 Comm: repro Not tainted 6.16.0-rc5-c1610d2d66b1-next-vm #74 NONE
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
RIP: 0010:emulator_pio_in_out+0x154/0x170 [kvm]
PKRU: 55555554
Call Trace:
 <TASK>
 kvm_fast_pio+0xd6/0x1d0 [kvm]
 vmx_handle_exit+0x149/0x610 [kvm_intel]
 kvm_arch_vcpu_ioctl_run+0xda8/0x1ac0 [kvm]
 kvm_vcpu_ioctl+0x244/0x8c0 [kvm]
 __x64_sys_ioctl+0x8a/0xd0
 do_syscall_64+0x5d/0xc60
 entry_SYSCALL_64_after_hwframe+0x4b/0x53
 </TASK>
(CVE-2025-40026)

In the Linux kernel, the following vulnerability has been resolved:

fs: udf: fix OOB read in lengthAllocDescs handling

When parsing Allocation Extent Descriptor, lengthAllocDescs comes from on-disk data and must be validated against the block size. Crafted or corrupted images may set lengthAllocDescs so that the total descriptor length (sizeof(allocExtDesc) + lengthAllocDescs) exceeds the buffer, leading udf_update_tag() to call crc_itu_t() on out-of-bounds memory and trigger a KASAN use-after-free read.

BUG: KASAN: use-after-free in crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60
Read of size 1 at addr ffff888041e7d000 by task syz-executor317/5309

CPU: 0 UID: 0 PID: 5309 Comm: syz-executor317 Not tainted 6.12.0-rc4-syzkaller-00261-g850925a8133c #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60
 udf_update_tag+0x70/0x6a0 fs/udf/misc.c:261
 udf_write_aext+0x4d8/0x7b0 fs/udf/inode.c:2179
 extent_trunc+0x2f7/0x4a0 fs/udf/truncate.c:46
 udf_truncate_tail_extent+0x527/0x7e0 fs/udf/truncate.c:106
 udf_release_file+0xc1/0x120 fs/udf/file.c:185
 __fput+0x23f/0x880 fs/file_table.c:431
 task_work_run+0x24f/0x310 kernel/task_work.c:239
 exit_task_work include/linux/task_work.h:43 [inline]
 do_exit+0xa2f/0x28e0 kernel/exit.c:939
 do_group_exit+0x207/0x2c0 kernel/exit.c:1088
 __do_sys_exit_group kernel/exit.c:1099 [inline]
 __se_sys_exit_group kernel/exit.c:1097 [inline]
 __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1097
 x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
 </TASK>

Validate the computed total length against epos->bh->b_size.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller. (CVE-2025-40044)

In the Linux kernel, the following vulnerability has been resolved:

nbd: restrict sockets to TCP and UDP

Recently, syzbot started to abuse NBD with all kinds of sockets.

Commit cf1b2326b734 ("nbd: verify socket is supported during setup") made sure the socket supported a shutdown() method.

Explicitly accept TCP and UNIX stream sockets. (CVE-2025-40080)

Database specific
{
    "severity": "High"
}
References

Affected packages

openEuler:24.03-LTS / kernel

Package

Name
kernel
Purl
pkg:rpm/openEuler/kernel&distro=openEuler-24.03-LTS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
6.6.0-117.0.0.109.oe2403

Ecosystem specific

{
    "x86_64": [
        "bpftool-6.6.0-117.0.0.109.oe2403.x86_64.rpm",
        "bpftool-debuginfo-6.6.0-117.0.0.109.oe2403.x86_64.rpm",
        "kernel-6.6.0-117.0.0.109.oe2403.x86_64.rpm",
        "kernel-debuginfo-6.6.0-117.0.0.109.oe2403.x86_64.rpm",
        "kernel-debugsource-6.6.0-117.0.0.109.oe2403.x86_64.rpm",
        "kernel-devel-6.6.0-117.0.0.109.oe2403.x86_64.rpm",
        "kernel-headers-6.6.0-117.0.0.109.oe2403.x86_64.rpm",
        "kernel-source-6.6.0-117.0.0.109.oe2403.x86_64.rpm",
        "kernel-tools-6.6.0-117.0.0.109.oe2403.x86_64.rpm",
        "kernel-tools-debuginfo-6.6.0-117.0.0.109.oe2403.x86_64.rpm",
        "kernel-tools-devel-6.6.0-117.0.0.109.oe2403.x86_64.rpm",
        "perf-6.6.0-117.0.0.109.oe2403.x86_64.rpm",
        "perf-debuginfo-6.6.0-117.0.0.109.oe2403.x86_64.rpm",
        "python3-perf-6.6.0-117.0.0.109.oe2403.x86_64.rpm",
        "python3-perf-debuginfo-6.6.0-117.0.0.109.oe2403.x86_64.rpm"
    ],
    "src": [
        "kernel-6.6.0-117.0.0.109.oe2403.src.rpm"
    ],
    "aarch64": [
        "bpftool-6.6.0-117.0.0.109.oe2403.aarch64.rpm",
        "bpftool-debuginfo-6.6.0-117.0.0.109.oe2403.aarch64.rpm",
        "kernel-6.6.0-117.0.0.109.oe2403.aarch64.rpm",
        "kernel-debuginfo-6.6.0-117.0.0.109.oe2403.aarch64.rpm",
        "kernel-debugsource-6.6.0-117.0.0.109.oe2403.aarch64.rpm",
        "kernel-devel-6.6.0-117.0.0.109.oe2403.aarch64.rpm",
        "kernel-headers-6.6.0-117.0.0.109.oe2403.aarch64.rpm",
        "kernel-source-6.6.0-117.0.0.109.oe2403.aarch64.rpm",
        "kernel-tools-6.6.0-117.0.0.109.oe2403.aarch64.rpm",
        "kernel-tools-debuginfo-6.6.0-117.0.0.109.oe2403.aarch64.rpm",
        "kernel-tools-devel-6.6.0-117.0.0.109.oe2403.aarch64.rpm",
        "perf-6.6.0-117.0.0.109.oe2403.aarch64.rpm",
        "perf-debuginfo-6.6.0-117.0.0.109.oe2403.aarch64.rpm",
        "python3-perf-6.6.0-117.0.0.109.oe2403.aarch64.rpm",
        "python3-perf-debuginfo-6.6.0-117.0.0.109.oe2403.aarch64.rpm"
    ]
}