The Linux Kernel, the operating system core itself.
Security Fix(es):
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: fix usage slab after free
(CVE-2024-56551)
In the Linux kernel, the following vulnerability has been resolved:
net: defer final 'struct net' free in netns dismantle
Ilya reported a slab-use-after-free in dst_destroy [1]
Issue is in xfrm6_net_init() and xfrm4_net_init():
They copy xfrm[46]_dst_ops_template into net->xfrm.xfrm[46]_dst_ops.
But net structure might be freed before all the dst callbacks are called. So when dst_destroy() calls later:
    if (dst->ops->destroy)
        dst->ops->destroy(dst);
dst->ops points to the old net->xfrm.xfrm[46]_dst_ops, which has been freed.
See a relevant issue fixed in:
ac888d58869b ("net: do not delay dst_entries_add() in dst_release()")
A fix is to queue the 'struct net' to be freed after one another cleanup_net() round (and existing rcu_barrier())
[1] ---truncated---
(CVE-2024-56658)
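The lifetime problem described in the commit message above, as an added example that is not part of the advisory or of the kernel patch: a simplified userspace C model in which a dst's ops pointer lives inside its `struct net`, and the namespace is released either in the same cleanup round or one round later. The `freed` flag, `deferred`, `rcu_pending` and `simulate()` are assumptions made for illustration; nothing is really freed, so the stale read is counted instead of performed.

```c
#include <stdio.h>

/* Simplified userspace model; types and helpers are illustrative, not kernel code. */
struct dst;
struct dst_ops { void (*destroy)(struct dst *); };
struct net { struct dst_ops xfrm_dst_ops; int freed; }; /* freed=1 models the final free */
struct dst { struct dst_ops *ops; struct net *owner; };

static int uaf_hits, destroyed;
static struct net *deferred;    /* net queued for free by the previous round */
static struct dst *rcu_pending; /* dst whose dst_destroy() callback is queued */
static void xfrm_dst_destroy(struct dst *d) { (void)d; destroyed++; }
static const struct dst_ops ops_template = { xfrm_dst_destroy };

/* RCU callback: dst->ops points into the owning struct net. */
static void dst_destroy(struct dst *d)
{
    if (d->owner->freed) { uaf_hits++; return; } /* where KASAN would report */
    if (d->ops->destroy) d->ops->destroy(d);
}
static void rcu_barrier(void)
{
    if (rcu_pending) { dst_destroy(rcu_pending); rcu_pending = NULL; }
}

/* One cleanup_net() round; dying is NULL when no namespace exits this round. */
static void cleanup_net(struct net *dying, int defer_free)
{
    struct net *prev = deferred;
    deferred = NULL;
    rcu_barrier();
    if (prev) prev->freed = 1;            /* one more round and barrier have passed */
    if (dying && defer_free) deferred = dying;
    else if (dying) dying->freed = 1;     /* old behaviour: free in the same round */
}

/* Returns the number of use-after-free reads of dst->ops. */
int simulate(int defer_free)
{
    struct net n; struct dst d;
    n.xfrm_dst_ops = ops_template; n.freed = 0; /* copy made by xfrm[46]_net_init() */
    d.ops = &n.xfrm_dst_ops; d.owner = &n;
    uaf_hits = destroyed = 0; deferred = NULL; rcu_pending = NULL;
    cleanup_net(&n, defer_free);   /* round 1 dismantles n */
    rcu_pending = &d;              /* dst released after round 1's barrier */
    cleanup_net(NULL, defer_free); /* round 2 runs the callback */
    return uaf_hits;
}
int main(void)
{
    printf("immediate free: %d UAF, deferred free: %d UAF\n", simulate(0), simulate(1));
    return 0;
}
```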
{ "severity": "High" }
{ "src": [ "kernel-4.19.90-2502.4.0.0317.oe2003sp4.src.rpm" ], "x86_64": [ "bpftool-4.19.90-2502.4.0.0317.oe2003sp4.x86_64.rpm", "bpftool-debuginfo-4.19.90-2502.4.0.0317.oe2003sp4.x86_64.rpm", "kernel-4.19.90-2502.4.0.0317.oe2003sp4.x86_64.rpm", "kernel-debuginfo-4.19.90-2502.4.0.0317.oe2003sp4.x86_64.rpm", "kernel-debugsource-4.19.90-2502.4.0.0317.oe2003sp4.x86_64.rpm", "kernel-devel-4.19.90-2502.4.0.0317.oe2003sp4.x86_64.rpm", "kernel-source-4.19.90-2502.4.0.0317.oe2003sp4.x86_64.rpm", "kernel-tools-4.19.90-2502.4.0.0317.oe2003sp4.x86_64.rpm", "kernel-tools-debuginfo-4.19.90-2502.4.0.0317.oe2003sp4.x86_64.rpm", "kernel-tools-devel-4.19.90-2502.4.0.0317.oe2003sp4.x86_64.rpm", "perf-4.19.90-2502.4.0.0317.oe2003sp4.x86_64.rpm", "perf-debuginfo-4.19.90-2502.4.0.0317.oe2003sp4.x86_64.rpm", "python2-perf-4.19.90-2502.4.0.0317.oe2003sp4.x86_64.rpm", "python2-perf-debuginfo-4.19.90-2502.4.0.0317.oe2003sp4.x86_64.rpm", "python3-perf-4.19.90-2502.4.0.0317.oe2003sp4.x86_64.rpm", "python3-perf-debuginfo-4.19.90-2502.4.0.0317.oe2003sp4.x86_64.rpm" ], "aarch64": [ "bpftool-4.19.90-2502.4.0.0317.oe2003sp4.aarch64.rpm", "bpftool-debuginfo-4.19.90-2502.4.0.0317.oe2003sp4.aarch64.rpm", "kernel-4.19.90-2502.4.0.0317.oe2003sp4.aarch64.rpm", "kernel-debuginfo-4.19.90-2502.4.0.0317.oe2003sp4.aarch64.rpm", "kernel-debugsource-4.19.90-2502.4.0.0317.oe2003sp4.aarch64.rpm", "kernel-devel-4.19.90-2502.4.0.0317.oe2003sp4.aarch64.rpm", "kernel-source-4.19.90-2502.4.0.0317.oe2003sp4.aarch64.rpm", "kernel-tools-4.19.90-2502.4.0.0317.oe2003sp4.aarch64.rpm", "kernel-tools-debuginfo-4.19.90-2502.4.0.0317.oe2003sp4.aarch64.rpm", "kernel-tools-devel-4.19.90-2502.4.0.0317.oe2003sp4.aarch64.rpm", "perf-4.19.90-2502.4.0.0317.oe2003sp4.aarch64.rpm", "perf-debuginfo-4.19.90-2502.4.0.0317.oe2003sp4.aarch64.rpm", "python2-perf-4.19.90-2502.4.0.0317.oe2003sp4.aarch64.rpm", "python2-perf-debuginfo-4.19.90-2502.4.0.0317.oe2003sp4.aarch64.rpm", "python3-perf-4.19.90-2502.4.0.0317.oe2003sp4.aarch64.rpm", 
"python3-perf-debuginfo-4.19.90-2502.4.0.0317.oe2003sp4.aarch64.rpm" ] }