CVE-2025-21953

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-21953
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-21953.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-21953
Published
2025-04-01T15:46:54Z
Modified
2025-10-10T07:24:57.770287Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
net: mana: cleanup mana struct after debugfs_remove()
Details

In the Linux kernel, the following vulnerability has been resolved:

net: mana: cleanup mana struct after debugfs_remove()

When on a MANA VM hibernation is triggered, as part of hibernate_snapshot(), mana_gd_suspend() and mana_gd_resume() are called. If during this mana_gd_resume(), a failure occurs with HWC creation, mana_port_debugfs pointer does not get reinitialized and ends up pointing to older, cleaned-up dentry. Further in the hibernation path, as part of power_down(), mana_gd_shutdown() is triggered. This call, unaware of the failures in resume, tries to cleanup the already cleaned up mana_port_debugfs value and hits the following bug:

[ 191.359296] mana 7870:00:00.0: Shutdown was called
[ 191.359918] BUG: kernel NULL pointer dereference, address: 0000000000000098
[ 191.360584] #PF: supervisor write access in kernel mode
[ 191.361125] #PF: error_code(0x0002) - not-present page
[ 191.361727] PGD 1080ea067 P4D 0
[ 191.362172] Oops: Oops: 0002 [#1] SMP NOPTI
[ 191.362606] CPU: 11 UID: 0 PID: 1674 Comm: bash Not tainted 6.14.0-rc5+ #2
[ 191.363292] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 11/21/2024
[ 191.364124] RIP: 0010:down_write+0x19/0x50
[ 191.364537] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 55 48 89 e5 53 48 89 fb e8 de cd ff ff 31 c0 ba 01 00 00 00 <f0> 48 0f b1 13 75 16 65 48 8b 05 88 24 4c 6a 48 89 43 08 48 8b 5d
[ 191.365867] RSP: 0000:ff45fbe0c1c037b8 EFLAGS: 00010246
[ 191.366350] RAX: 0000000000000000 RBX: 0000000000000098 RCX: ffffff8100000000
[ 191.366951] RDX: 0000000000000001 RSI: 0000000000000064 RDI: 0000000000000098
[ 191.367600] RBP: ff45fbe0c1c037c0 R08: 0000000000000000 R09: 0000000000000001
[ 191.368225] R10: ff45fbe0d2b01000 R11: 0000000000000008 R12: 0000000000000000
[ 191.368874] R13: 000000000000000b R14: ff43dc27509d67c0 R15: 0000000000000020
[ 191.369549] FS: 00007dbc5001e740(0000) GS:ff43dc663f380000(0000) knlGS:0000000000000000
[ 191.370213] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 191.370830] CR2: 0000000000000098 CR3: 0000000168e8e002 CR4: 0000000000b73ef0
[ 191.371557] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 191.372192] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
[ 191.372906] Call Trace:
[ 191.373262] <TASK>
[ 191.373621] ? show_regs+0x64/0x70
[ 191.374040] ? __die+0x24/0x70
[ 191.374468] ? page_fault_oops+0x290/0x5b0
[ 191.374875] ? do_user_addr_fault+0x448/0x800
[ 191.375357] ? exc_page_fault+0x7a/0x160
[ 191.375971] ? asm_exc_page_fault+0x27/0x30
[ 191.376416] ? down_write+0x19/0x50
[ 191.376832] ? down_write+0x12/0x50
[ 191.377232] simple_recursive_removal+0x4a/0x2a0
[ 191.377679] ? __pfx_remove_one+0x10/0x10
[ 191.378088] debugfs_remove+0x44/0x70
[ 191.378530] mana_detach+0x17c/0x4f0
[ 191.378950] ? __flush_work+0x1e2/0x3b0
[ 191.379362] ? __cond_resched+0x1a/0x50
[ 191.379787] mana_remove+0xf2/0x1a0
[ 191.380193] mana_gd_shutdown+0x3b/0x70
[ 191.380642] pci_device_shutdown+0x3a/0x80
[ 191.381063] device_shutdown+0x13e/0x230
[ 191.381480] kernel_power_off+0x35/0x80
[ 191.381890] hibernate+0x3c6/0x470
[ 191.382312] state_store+0xcb/0xd0
[ 191.382734] kobj_attr_store+0x12/0x30
[ 191.383211] sysfs_kf_write+0x3e/0x50
[ 191.383640] kernfs_fop_write_iter+0x140/0x1d0
[ 191.384106] vfs_write+0x271/0x440
[ 191.384521] ksys_write+0x72/0xf0
[ 191.384924] __x64_sys_write+0x19/0x20
[ 191.385313] x64_sys_call+0x2b0/0x20b0
[ 191.385736] do_syscall_64+0x79/0x150
[ 191.386146] ? __mod_memcg_lruvec_state+0xe7/0x240
[ 191.386676] ? __lruvec_stat_mod_folio+0x79/0xb0
[ 191.387124] ? __pfx_lru_add+0x10/0x10
[ 191.387515] ? queued_spin_unlock+0x9/0x10
[ 191.387937] ? do_anonymous_page+0x33c/0xa00
[ 191.388374] ? __handle_mm_fault+0xcf3/0x1210
[ 191.388805] ? __count_memcg_events+0xbe/0x180
[ 191.389235] ? handle_mm_fault+0xae/0x300
[ 19 ---truncated---
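
Added example (not part of the advisory or the kernel patch): a userspace model of the suspend, failed resume, shutdown sequence described above, showing why a cached debugfs pointer that is not reset gets removed twice. All toy_* names and run_hibernate_path() are hypothetical, and clearing the pointer after removal is this model's reading of the fix title.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy stand-in for a debugfs dentry; live == false models "already freed". */
struct toy_dentry { bool live; };
/* Toy stand-in for the port state that caches the debugfs pointer. */
struct toy_port { struct toy_dentry *dbg; };

static int stale_removals; /* removals that touched an already-dead entry */

/* Like debugfs_remove(), NULL is a no-op; a dead entry is the crash case. */
static void toy_debugfs_remove(struct toy_dentry *d)
{
    if (!d)
        return;
    if (!d->live) {
        stale_removals++;
        return;
    }
    d->live = false;
}

/* Teardown used by both suspend and shutdown; clear_ptr is the fixed variant. */
static void toy_detach(struct toy_port *p, bool clear_ptr)
{
    toy_debugfs_remove(p->dbg);
    if (clear_ptr)
        p->dbg = NULL;
}

/* suspend -> resume fails before recreating the entry -> shutdown. */
int run_hibernate_path(bool clear_ptr)
{
    struct toy_dentry entry = { .live = true };
    struct toy_port port = { .dbg = &entry };

    stale_removals = 0;
    toy_detach(&port, clear_ptr); /* suspend removes the entry */
    /* resume fails here, so port.dbg is never reassigned */
    toy_detach(&port, clear_ptr); /* shutdown, unaware of the failed resume */
    return stale_removals;
}

int main(void)
{
    printf("pointer left stale: %d\n", run_hibernate_path(false));
    printf("pointer cleared:    %d\n", run_hibernate_path(true));
    return 0;
}
```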

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
6607c17c6c5e029da03a90085db22daf518232bf
Fixed
a1466112fb6e819261272ad75e7db750a43b78bf
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
6607c17c6c5e029da03a90085db22daf518232bf
Fixed
3e64bb2ae7d9f2b3a8259d4d6b86ed1984d5460a

Affected versions

v6.*

v6.12
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.13
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.13.1
v6.13.2
v6.13.3
v6.13.4
v6.13.5
v6.13.6
v6.13.7
v6.14-rc1
v6.14-rc2
v6.14-rc3
v6.14-rc4
v6.14-rc5

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.13.8