CVE-2025-71102

In the Linux kernel, the following vulnerability has been resolved:

scs: fix a wrong parameter in _scsmagic

_scsmagic() needs a 'void *' variable, but a 'struct taskstruct *' is given. 'taskscs(tsk)' is the starting address of the task's shadow call stack, and '__scsmagic(taskscs(tsk))' is the end address of the task's shadow call stack. Here should be '__scsmagic(taskscs(tsk))'.

The user-visible effect of this bug is that when CONFIGDEBUGSTACKUSAGE is enabled, the shadow call stack usage checking function (scscheck_usage) would scan an incorrect memory range. This could lead

1. Inaccurate stack usage reporting: The function would calculate wrong usage statistics for the shadow call stack, potentially showing incorrect value in kmsg.

2. Potential kernel crash: If the value of __scs_magic(tsk)is greater than that of __scsmagic(taskscs(tsk)), the for loop may access unmapped memory, potentially causing a kernel panic. However, this scenario is unlikely because taskstruct is allocated via the slab allocator (which typically returns lower addresses), while the shadow call stack returned by taskscs(tsk) is allocated via vmalloc(which typically returns higher addresses).

However, since this is purely a debugging feature (CONFIGDEBUGSTACK_USAGE), normal production systems should be not unaffected. The bug only impacts developers and testers who are actively debugging stack usage with this configuration enabled.