OESA-2025-1434

Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2025-1434
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2025-1434.json
JSON Data
https://api.test.osv.dev/v1/vulns/OESA-2025-1434
Upstream
Published
2025-04-18T13:49:54Z
Modified
2025-08-12T05:38:06.521633Z
Summary
kernel security update
Details

The Linux Kernel, the operating system core itself.

Security Fix(es):

In the Linux kernel, the following vulnerability has been resolved:

ASoC: atmel: Fix error handling in snd_proto_probe

The device_node pointer is returned by of_parse_phandle() with refcount incremented. We should use of_node_put() on it when done.

This function only calls of_node_put() in the regular path, and it will cause a refcount leak in error paths. Fix this by calling of_node_put() in error handling too.(CVE-2022-49246)

In the Linux kernel, the following vulnerability has been resolved:

mt76: fix use-after-free by removing a non-RCU wcid pointer

Fixes an issue caught by KASAN about use-after-free in mt76_txq_schedule by protecting mtxq->wcid with rcu_lock between mt76_txq_schedule and sta_info_[alloc, free].

[18853.876689] ==================================================================
[18853.876751] BUG: KASAN: use-after-free in mt76_txq_schedule+0x204/0xaf8 [mt76]
[18853.876773] Read of size 8 at addr ffffffaf989a2138 by task mt76-tx phy0/883
[18853.876786]
[18853.876810] CPU: 5 PID: 883 Comm: mt76-tx phy0 Not tainted 5.10.100-fix-510-56778d365941-kasan #5 0b01fbbcf41a530f52043508fec2e31a4215
[18853.876840] Call trace:
[18853.876861] dump_backtrace+0x0/0x3ec
[18853.876878] show_stack+0x20/0x2c
[18853.876899] dump_stack+0x11c/0x1ac
[18853.876918] print_address_description+0x74/0x514
[18853.876934] kasan_report+0x134/0x174
[18853.876948] __asan_report_load8_noabort+0x44/0x50
[18853.876976] mt76_txq_schedule+0x204/0xaf8 [mt76 074e03e4640e97fe7405ee1fab547b81c4fa45d2]
[18853.877002] mt76_txq_schedule_all+0x2c/0x48 [mt76 074e03e4640e97fe7405ee1fab547b81c4fa45d2]
[18853.877030] mt7921_tx_worker+0xa0/0x1cc [mt7921_common f0875ebac9d7b4754e1010549e7db50fbd90a047]
[18853.877054] __mt76_worker_fn+0x190/0x22c [mt76 074e03e4640e97fe7405ee1fab547b81c4fa45d2]
[18853.877071] kthread+0x2f8/0x3b8
[18853.877087] ret_from_fork+0x10/0x30
[18853.877098]
[18853.877112] Allocated by task 941:
[18853.877131] kasan_save_stack+0x38/0x68
[18853.877147] __kasan_kmalloc+0xd4/0xfc
[18853.877163] kasan_kmalloc+0x10/0x1c
[18853.877177] __kmalloc+0x264/0x3c4
[18853.877294] sta_info_alloc+0x460/0xf88 [mac80211]
[18853.877410] ieee80211_prep_connection+0x204/0x1ee0 [mac80211]
[18853.877523] ieee80211_mgd_auth+0x6c4/0xa4c [mac80211]
[18853.877635] ieee80211_auth+0x20/0x2c [mac80211]
[18853.877733] rdev_auth+0x7c/0x438 [cfg80211]
[18853.877826] cfg80211_mlme_auth+0x26c/0x390 [cfg80211]
[18853.877919] nl80211_authenticate+0x6d4/0x904 [cfg80211]
[18853.877938] genl_rcv_msg+0x748/0x93c
[18853.877954] netlink_rcv_skb+0x160/0x2a8
[18853.877969] genl_rcv+0x3c/0x54
[18853.877985] netlink_unicast_kernel+0x104/0x1ec
[18853.877999] netlink_unicast+0x178/0x268
[18853.878015] netlink_sendmsg+0x3cc/0x5f0
[18853.878030] sock_sendmsg+0xb4/0xd8
[18853.878043] ____sys_sendmsg+0x2f8/0x53c
[18853.878058] ___sys_sendmsg+0xe8/0x150
[18853.878071] __sys_sendmsg+0xc4/0x1f4
[18853.878087] __arm64_compat_sys_sendmsg+0x88/0x9c
[18853.878101] el0_svc_common+0x1b4/0x390
[18853.878115] do_el0_svc_compat+0x8c/0xdc
[18853.878131] el0_svc_compat+0x10/0x1c
[18853.878146] el0_sync_compat_handler+0xa8/0xcc
[18853.878161] el0_sync_compat+0x188/0x1c0
[18853.878171]
[18853.878183] Freed by task 10927:
[18853.878200] kasan_save_stack+0x38/0x68
[18853.878215] kasan_set_track+0x28/0x3c
[18853.878228] kasan_set_free_info+0x24/0x48
[18853.878244] __kasan_slab_free+0x11c/0x154
[18853.878259] kasan_slab_free+0x14/0x24
[18853.878273] slab_free_freelist_hook+0xac/0x1b0
[18853.878287] kfree+0x104/0x390
[18853.878402] sta_info_free+0x198/0x210 [mac80211]
[18853.878515] __sta_info_destroy_part2+0x230/0x2d4 [mac80211]
[18853.878628] __sta_info_flush+0x300/0x37c [mac80211]
[18853.878740] ieee80211_set_disassoc+0x2cc/0xa7c [mac80211]
[18853.878851] ieee80211_mgd_deauth+0x4a4/0x10a0 [mac80211]
[18853.878962] ieee80211_deauth+0x20/0x2c [mac80211]
[18853.879057] rdev_deauth+0x7c/0x438 [cfg80211]
[18853.879150] cfg80211_mlme_deauth+0x274/0x414 [cfg80211]
[18853.879243] cfg80211_mlme_down+0xe4/0x118 [cfg80211]
[18853.879335] cfg80211_disconnect+0x218/0x2d8 [cfg80211]
[18853.879427] __cfg80211_leave+0x17c/0x240 [cfg80211]
[18853.879519] cfg80211_leave+0x3c/0x58 [cfg80211]
[18853.879611] wiphy_suspend+0xdc/0x200 [cfg80211]
[18853.879628] dpm_run_callback+0x58/0x408
[18853.879642] __device_suspend+0x4cc/0x864
[18853.879658] async_suspend+0x34/0xf4
[18 ---truncated---(CVE-2022-49328)

In the Linux kernel, the following vulnerability has been resolved:

media: uvcvideo: Fix double free in error path

If the uvc_status_init() function fails to allocate the int_urb, it will free the dev->status pointer but doesn't reset the pointer to NULL. This results in the kfree() call in uvc_status_cleanup() trying to double-free the memory. Fix it by resetting the dev->status pointer to NULL after freeing it.

Reviewed-by: Ricardo Ribalda <ribalda@chromium.org>(CVE-2024-57980)

In the Linux kernel, the following vulnerability has been resolved:

geneve: Fix use-after-free in geneve_find_dev().

syzkaller reported a use-after-free in geneve_find_dev() [0] without repro.

geneve_configure() links struct geneve_dev.next to net_generic(net, geneve_net_id)->geneve_list.

The net here could differ from dev_net(dev) if IFLA_NET_NS_PID, IFLA_NET_NS_FD, or IFLA_TARGET_NETNSID is set.

When dev_net(dev) is dismantled, geneve_exit_batch_rtnl() finally calls unregister_netdevice_queue() for each dev in the netns, and later the dev is freed.

However, its geneve_dev.next is still linked to the backend UDP socket netns.

Then, use-after-free will occur when another geneve dev is created in the netns.

Let's call geneve_dellink() instead in geneve_destroy_tunnels().

BUG: KASAN: slab-use-after-free in geneve_configure+0x234/0x858 drivers/net/geneve.c:1343
Read of size 2 at addr ffff000054d6ee24 by task syz.1.4029/13441

CPU: 1 UID: 0 PID: 13441 Comm: syz.1.4029 Not tainted 6.13.0-g0ad9617c78ac #24 dc35ca22c79fb82e8e7bc5c9c9adafea898b1e3d
Hardware name: linux,dummy-virt (DT)
Call trace:
show_stack+0x38/0x50 arch/arm64/kernel/stacktrace.c:466 (C)
dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0xbc/0x108 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0x16c/0x6f0 mm/kasan/report.c:489
kasan_report+0xc0/0x120 mm/kasan/report.c:602
__asan_report_load2_noabort+0x20/0x30 mm/kasan/report_generic.c:379
geneve_find_dev drivers/net/geneve.c:1295 [inline]
geneve_configure+0x234/0x858 drivers/net/geneve.c:1343
geneve_newlink+0xb8/0x128 drivers/net/geneve.c:1634
rtnl_newlink_create+0x23c/0x868 net/core/rtnetlink.c:3795
__rtnl_newlink net/core/rtnetlink.c:3906 [inline]
rtnl_newlink+0x1054/0x1630 net/core/rtnetlink.c:4021
rtnetlink_rcv_msg+0x61c/0x918 net/core/rtnetlink.c:6911
netlink_rcv_skb+0x1dc/0x398 net/netlink/af_netlink.c:2543
rtnetlink_rcv+0x34/0x50 net/core/rtnetlink.c:6938
netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline]
netlink_unicast+0x618/0x838 net/netlink/af_netlink.c:1348
netlink_sendmsg+0x5fc/0x8b0 net/netlink/af_netlink.c:1892
sock_sendmsg_nosec net/socket.c:713 [inline]
__sock_sendmsg net/socket.c:728 [inline]
____sys_sendmsg+0x410/0x6f8 net/socket.c:2568
___sys_sendmsg+0x178/0x1d8 net/socket.c:2622
__sys_sendmsg net/socket.c:2654 [inline]
__do_sys_sendmsg net/socket.c:2659 [inline]
__se_sys_sendmsg net/socket.c:2657 [inline]
__arm64_sys_sendmsg+0x12c/0x1c8 net/socket.c:2657
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x90/0x278 arch/arm64/kernel/syscall.c:49
el0_svc_common+0x13c/0x250 arch/arm64/kernel/syscall.c:132
do_el0_svc+0x54/0x70 arch/arm64/kernel/syscall.c:151
el0_svc+0x4c/0xa8 arch/arm64/kernel/entry-common.c:744
el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:762
el0t_64_sync+0x198/0x1a0 arch/arm64/kernel/entry.S:600

Allocated by task 13247:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x30/0x68 mm/kasan/common.c:68
kasan_save_alloc_info+0x44/0x58 mm/kasan/generic.c:568
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x84/0xa0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:260 [inline]
__do_kmalloc_node mm/slub.c:4298 [inline]
__kmalloc_node_noprof+0x2a0/0x560 mm/slub.c:4304
__kvmalloc_node_noprof+0x9c/0x230 mm/util.c:645
alloc_netdev_mqs+0xb8/0x11a0 net/core/dev.c:11470
rtnl_create_link+0x2b8/0xb50 net/core/rtnetlink.c:3604
rtnl_newlink_create+0x19c/0x868 net/core/rtnetlink.c:3780
__rtnl_newlink net/core/rtnetlink.c:3906 [inline]
rtnl_newlink+0x1054/0x1630 net/core/rtnetlink.c:4021
rtnetlink_rcv_msg+0x61c/0x918 net/core/rtnetlink.c:6911
netlink_rcv_skb+0x1dc/0x398 net/netlink/af_netlink.c:2543
rtnetlink_rcv+0x34/0x50 net/core/rtnetlink.c:6938
netlink_unicast_kernel net/netlink/af_n ---truncated---(CVE-2025-21858)

In the Linux kernel, the following vulnerability has been resolved:

HID: intel-ish-hid: Fix use-after-free issue in ishtp_hid_remove()

The system can experience a random crash a few minutes after the driver is removed. This issue occurs due to improper handling of memory freeing in the ishtp_hid_remove() function.

The function currently frees the driver_data directly within the loop that destroys the HID devices, which can lead to accessing freed memory. Specifically, hid_destroy_device() uses driver_data when it calls hid_ishtp_set_feature() to power off the sensor, so freeing driver_data beforehand can result in accessing invalid memory.

This patch resolves the issue by storing the driver_data in a temporary variable before calling hid_destroy_device(), and then freeing the driver_data after the device is destroyed.(CVE-2025-21928)
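The uvcvideo fix (CVE-2024-57980: a pointer freed on an error path but not cleared, then freed again by cleanup) and the intel-ish-hid fix (CVE-2025-21928: driver_data freed inside the teardown loop before the destroy routine that still reads it) are two instances of the same object-lifetime mistake. The C program below is an added example, not code from the kernel or from this advisory: it replays both patterns in user space on a small tracked heap that, like the KASAN runs quoted above, counts double frees and reads of freed memory instead of corrupting anything, and runs each buggy sequence beside its fixed form. All names here (tkalloc, tkfree, tkread, heap_reset, status_init, status_cleanup, destroy_device, the two structs) are assumptions made for the illustration; they stand in for the driver functions named in the commit messages and are not their real signatures.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not kernel code: a tiny tracked heap that, like KASAN,
 * counts double frees and reads of freed memory instead of corrupting
 * anything, so both lifetime bugs above can be replayed in user space. */
#define SLOTS 8
enum { SLOT_UNUSED, SLOT_LIVE, SLOT_FREED };
static struct { int state; unsigned char data[64]; } heap[SLOTS];
static int double_frees, uaf_reads;
static void heap_reset(void) { memset(heap, 0, sizeof heap); double_frees = uaf_reads = 0; }

static void *tkalloc(void)
{
    for (int i = 0; i < SLOTS; i++)
        if (heap[i].state == SLOT_UNUSED) { heap[i].state = SLOT_LIVE; return heap[i].data; }
    return NULL;
}

static int slot_of(const void *p)
{
    for (int i = 0; i < SLOTS; i++)
        if (p == heap[i].data) return i;
    return -1;                              /* NULL or foreign pointer */
}

/* Freed slots are never reused, so a stale pointer is always recognisable. */
static void tkfree(void *p)
{
    int i = slot_of(p);
    if (i < 0) return;                      /* kfree(NULL) is a no-op */
    if (heap[i].state == SLOT_FREED) { double_frees++; return; }
    heap[i].state = SLOT_FREED;
}

static unsigned char tkread(const void *p)
{
    int i = slot_of(p);
    if (i < 0) return 0;
    if (heap[i].state == SLOT_FREED) uaf_reads++;
    return heap[i].data[0];
}

/* CVE-2024-57980 shape: status is freed on the URB allocation failure path
 * but the dangling pointer is kept, so cleanup frees it again. The fix
 * (clear_on_error) resets the pointer to NULL right after freeing it. */
struct uvc_dev { void *status; void *int_urb; };
static int status_init(struct uvc_dev *dev, int urb_alloc_fails, int clear_on_error)
{
    dev->status = tkalloc();
    dev->int_urb = urb_alloc_fails ? NULL : tkalloc();
    if (dev->status && dev->int_urb) return 0;
    tkfree(dev->status);                    /* error path: release what was allocated */
    if (clear_on_error) dev->status = NULL; /* the fix */
    return -1;
}

static void status_cleanup(struct uvc_dev *dev)
{
    tkfree(dev->int_urb);
    tkfree(dev->status);                    /* no-op on NULL, double free if dangling */
}

int count_double_frees(int clear_on_error)
{
    struct uvc_dev dev = { 0 };
    heap_reset();
    status_init(&dev, 1, clear_on_error);   /* force the URB failure path */
    status_cleanup(&dev);
    return double_frees;                    /* 1 for the bug, 0 with the fix */
}

/* CVE-2025-21928 shape: the teardown loop frees driver_data before
 * destroy_device(), which still reads it. The fix (free_after_destroy)
 * parks the pointer in a local and frees it once the device is gone. */
struct hid_dev { void *driver_data; };
static void destroy_device(struct hid_dev *h) { (void)tkread(h->driver_data); } /* power-off stand-in */

int count_uaf_reads(int free_after_destroy)
{
    struct hid_dev devs[3];
    heap_reset();
    for (int i = 0; i < 3; i++) devs[i].driver_data = tkalloc();
    for (int i = 0; i < 3; i++) {
        void *data = devs[i].driver_data;
        if (!free_after_destroy) tkfree(data); /* bug: freed before destroy uses it */
        destroy_device(&devs[i]);
        if (free_after_destroy) tkfree(data);  /* fix: destroy first, then free */
    }
    return uaf_reads;                       /* 3 for the bug, 0 with the fix */
}

int main(void)
{
    printf("double frees: %d buggy / %d fixed\n", count_double_frees(0), count_double_frees(1));
    printf("UAF reads: %d buggy / %d fixed\n", count_uaf_reads(0), count_uaf_reads(1));
    return 0;
}
```

The tracked heap never recycles a freed slot, which is what lets it attribute a second kfree() or a late read to the right object; real allocators do reuse memory, which is why the kernel needed KASAN's quarantine and redzones to catch the same bugs and why the traces above only surfaced under a KASAN build. The two fixes are the cheap, local ones the commit messages describe: null the pointer at the point of free, and order the free after the last user in a teardown loop.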

Database specific
{
    "severity": "High"
}
References

Affected packages

openEuler:22.03-LTS-SP4 / kernel

Package

Name
kernel
Purl
pkg:rpm/openEuler/kernel&distro=openEuler-22.03-LTS-SP4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0
Unknown introduced version / All previous versions are affected
Fixed
5.10.0-260.0.0.163.oe2203sp4

Ecosystem specific

{
    "src": [
        "kernel-5.10.0-260.0.0.163.oe2203sp4.src.rpm"
    ],
    "x86_64": [
        "bpftool-5.10.0-260.0.0.163.oe2203sp4.x86_64.rpm",
        "bpftool-debuginfo-5.10.0-260.0.0.163.oe2203sp4.x86_64.rpm",
        "kernel-5.10.0-260.0.0.163.oe2203sp4.x86_64.rpm",
        "kernel-debuginfo-5.10.0-260.0.0.163.oe2203sp4.x86_64.rpm",
        "kernel-debugsource-5.10.0-260.0.0.163.oe2203sp4.x86_64.rpm",
        "kernel-devel-5.10.0-260.0.0.163.oe2203sp4.x86_64.rpm",
        "kernel-headers-5.10.0-260.0.0.163.oe2203sp4.x86_64.rpm",
        "kernel-source-5.10.0-260.0.0.163.oe2203sp4.x86_64.rpm",
        "kernel-tools-5.10.0-260.0.0.163.oe2203sp4.x86_64.rpm",
        "kernel-tools-debuginfo-5.10.0-260.0.0.163.oe2203sp4.x86_64.rpm",
        "kernel-tools-devel-5.10.0-260.0.0.163.oe2203sp4.x86_64.rpm",
        "perf-5.10.0-260.0.0.163.oe2203sp4.x86_64.rpm",
        "perf-debuginfo-5.10.0-260.0.0.163.oe2203sp4.x86_64.rpm",
        "python3-perf-5.10.0-260.0.0.163.oe2203sp4.x86_64.rpm",
        "python3-perf-debuginfo-5.10.0-260.0.0.163.oe2203sp4.x86_64.rpm"
    ],
    "aarch64": [
        "bpftool-5.10.0-260.0.0.163.oe2203sp4.aarch64.rpm",
        "bpftool-debuginfo-5.10.0-260.0.0.163.oe2203sp4.aarch64.rpm",
        "kernel-5.10.0-260.0.0.163.oe2203sp4.aarch64.rpm",
        "kernel-debuginfo-5.10.0-260.0.0.163.oe2203sp4.aarch64.rpm",
        "kernel-debugsource-5.10.0-260.0.0.163.oe2203sp4.aarch64.rpm",
        "kernel-devel-5.10.0-260.0.0.163.oe2203sp4.aarch64.rpm",
        "kernel-headers-5.10.0-260.0.0.163.oe2203sp4.aarch64.rpm",
        "kernel-source-5.10.0-260.0.0.163.oe2203sp4.aarch64.rpm",
        "kernel-tools-5.10.0-260.0.0.163.oe2203sp4.aarch64.rpm",
        "kernel-tools-debuginfo-5.10.0-260.0.0.163.oe2203sp4.aarch64.rpm",
        "kernel-tools-devel-5.10.0-260.0.0.163.oe2203sp4.aarch64.rpm",
        "perf-5.10.0-260.0.0.163.oe2203sp4.aarch64.rpm",
        "perf-debuginfo-5.10.0-260.0.0.163.oe2203sp4.aarch64.rpm",
        "python3-perf-5.10.0-260.0.0.163.oe2203sp4.aarch64.rpm",
        "python3-perf-debuginfo-5.10.0-260.0.0.163.oe2203sp4.aarch64.rpm"
    ]
}